Any good forums to ask about root kits.

bowlesj3
Posts: 2180
Joined: 21 Jul 2007
Has thanked: 227 times
Been thanked: 429 times


Postby bowlesj3 » 15 Oct 2011

This is not an MC question but being aware of the answer to this would certainly help MC users.

Is there a forum where one can ask questions about a root kit (or other high-level computer problems)? I have a root kit on one of my computers. I have disconnected it from the home network and will reformat. However, I did a Google search and I read that these can actually get into the BIOS (a reformat will not help). The other thing is that the same computer just had a reformat in the early spring and I do not really go out onto the web to unknown sites with it that often. I was thinking I would isolate it (from the internet only) after the format to see if it comes back and thus assume it came from the BIOS. So my question to an advanced forum would be: how to keep my computer on the home network but stop it from using the internet (in other words, more than blocking it out with a firewall). Or maybe there is a way to know if it came from the BIOS.

I have this site. I have not checked to see if it has a forum.
http://www.theeldergeek.com

I have these web sites too.

This one can tell you which processes are bad on your machine.
www.processlibrary.com
This one can tell you which processes are bad on your machine.
www.softwarepatch.com/tips
Virus ideas
www.onecomputerguy.com


Thanks,
John

Postby JoshM » 15 Oct 2011

Perhaps you can also try Q&A sites like SuperUser and IT Security. I haven't used these, but I had good experiences with similar Q&A sites (stackoverflow.com).

Good luck with your problem,

Josh

Postby bowlesj3 » 15 Oct 2011

Thanks Josh,

Interestingly enough, the worst virus I ever had came from a notebook battery site. It locked out the shutoff process and Control Panel, Ctrl+Alt+Delete would not work, AVG was disabled, etc. All because I wanted to research lithium-ion battery optimizing.

You never know where they will be it seems. My machines running MC go to very few sites.

John

Postby geizer » 15 Oct 2011

John,

However I did a google search and I read that these can actually get into the bios (reformat will not help).
The virus will not get into and infect your BIOS, unless the virus coder and the system programmer of your BIOS are the same person. In other words you would have to work for the manufacturer of the motherboard and have very specific knowledge of your particular motherboard in order to write a virus capable of embedding itself into the BIOS. So the short answer is no. The chances are slim to none.
So my question to an advanced forum would be (how to keep my computer on the home network but stop it from using the internet - in other words more than block it out with a firewall). Or maybe there is a way to know if it came from the bios.
This can be achieved by EITHER of the following:

1. Deny ALL OUTBOUND traffic AND enable OUTBOUND LAN traffic if using a software Firewall. (I'm puzzled why you want to allow the LAN traffic? - the virus can easily infect other PCs on your local network...)

2. Block WAN access for an infected PC if you are using a hardware router (if the router has this feature).

Regarding a root kit: http://support.kaspersky.com/viruses/so ... =208283366

Postby bowlesj3 » 16 Oct 2011

Hi geizer,

Thanks for the response.

Regarding,
I'm puzzled why you want to allow the LAN traffic? - the virus can easily infect other PCs on your local network...)
I started initially backing up across machines after a power supply wiped out a machine many years ago (toasted 7 components including 2 drives). I recovered from tape backup but I felt going across machines was faster. I still do this and I back up alternating to two outside machines (full and differential). One is a notebook and the other is a secondary machine that sometimes performs some sort of trading-related function (it is old and can not run MC at all). I also take key files offsite often on the notebook (always transferring). I transfer through the other secondary machine so I have 3 copies.

Interestingly enough, I have been on the web ever since it came to be, and I have only ever had a virus go across the network once. For some reason most seem to be a bit lazy in this regard and are content to cause problems on only one machine at a time (maybe I am just lucky, LOL). Maybe now that I have written this I will have a major attack and lose all 3 (time to get a USB backup). I take snapshots and put them in the safety deposit box for something like that. Now you have me thinking.

AVG found the root kit originally. Only 1 of the 3 machines had it. I just ran that root kit utility in your link. The normal run found nothing. I extended it with the option and it found Unsigned File PxHelp20 "suspicious object, medium risk". I decided to delete it since the machine is not critical. So I rebooted the machine and reran the scan again and it did not find it. I ran AVG and it said there is still 1 root kit. I updated AVG and ran it again. Now AVG says there are 3 of them. That makes me suspect AVG since I was not in any websites other than the AVG download nor did I run any other software in between (it was all done very fast with at most a minute between). Maybe they downloaded 2 extra root kits for me, LOL. So I think it is time to format and see what happens (this machine is easy, I just back up my icons file and re-install software). In prep for a future reformat of the main machine I still plan on using Acronis (on my to-do list still). However I need a machine upgrade so maybe later.
Deny ALL OUTBOUND traffic AND enable OUTBOUND LAN traffic if using a software Firewall.
Regarding the above, I am using Windows Firewall. I block absolutely everything except "AVG", "Dimension 4" and "File and Printer sharing". I am assuming this basically does what you are suggesting. I was not sure what to do with "Online Shield". I am not sure what this is and Google searches did not help.

Postby bowlesj3 » 16 Oct 2011

I suspect it is AVG that is wrong. I just reformatted and it still gives 3 root kits when running with no other installs and no access to web sites except the avg update.

Postby Nick » 17 Oct 2011

Malwarebytes is my go to malware checker at the moment. Whilst not specifically designed for rootkits it detects a good number. Boot in safe mode to minimise anything hoodwinking it.

If your motherboard has flashable ROM and you suspect it has been hijacked (theoretically possible but hugely, hugely unlikely) simply reflash it from a clean environment (DOS boot and loader should do).

As for infection itself I am a great believer in turning off flash in your browser, it is not a very secure environment. I am sure it is improving all the time but better safe than sorry. It is quite feasible to use it to distribute malware through rogue websites or more likely hacked legitimate sites. There have been many reports of high profile sites being hacked and probably many more that have not wanted the publicity.

If you want to run some specific flash it's dead easy to enable on a case by case basis.

I am a bit out of the loop as to where the real cutting edge stuff is discussed, there used to be a usenet newsgroup that was right at the forefront, the name escapes me at the moment.

Postby bowlesj3 » 17 Oct 2011

Thanks Nick, I will have to research some of your info this weekend because some of it is a bit new to me.

This problem has got my curiosity bug. I did another format and immediate download and this time 2 root kits and 2 malware came with AVG. AVG also gets disabled and I can't even uninstall it so it is another format for the next test (gee, I sure am getting good at formatting with precision instructions, LOL). It occurred to me it may be the download site since the link I was using takes me to what appears to be AVG then the actual download is from Cnet(download.com). I never go to that site on this machine. I have to ask why the AVG site is directing me to download.com if they are virus experts. I have an older link for AVG and I have a feeling my clean copy came from that link and upgrades may have come from somewhere else (not download.com). If that older link gets a clean AVG that runs properly too then I will use it until it tells me to upgrade and click that button and see if that upgrade is clean (I will document the versions). Once I get the AVG curiosity bug out of my system I am going to try a different Anti-virus software (maybe I will try it as part of this investigation). A review site recommended it as the best (above MS) and it is free so why not.

I will post all the info since these types of things can be a bit distracting from trading to say the least. I am just glad it is on my secondary machine which I allocate to more risky web ventures outside my routine sites. I have a popup that bugs me every single day telling me not to go to any new sites with the production machine (only my routine sites). That popup started when I went to what I thought would be a safe site and I was wrong.

Postby furytrader » 17 Oct 2011

A few months ago, I got infected with a rootkit virus even though I'm using Norton Internet Security. After several days of doing research and trying a host of different solutions, I bit the bullet and paid Norton $99 to do a manual search-and-remove. It took two different technicians to get the job done, but they were able to remove it completely from my computer. No reformatting required. It was definitely worth the $$$.

Postby bowlesj3 » 17 Oct 2011

Thanks furytrader,

That is interesting. I did not realize they would do that. I realize that to keep up on this stuff really does take a lot of knowledge and work, including constant backing up in a very strategic way. However I guess I like to learn this stuff (bit by bit at least). I think it is worth it. Using Acronis for $50 can eliminate the need to format by bringing the whole drive back in short order (reduce the number of times you want to format). I should talk, however. I still have not bought it. It is on my to-do list for use with the production machine where I may need a very fast recovery. The machine affected has nothing of value on it (it is turned off right now). It holds backups and I use it for visiting new web sites. The experience is good. Now I know how to control access to the machine using the Windows firewall (you can block other machines on the network or allow internal traffic and block the web). It is as easy as checking a box on or off. I can back up to that machine but not allow anything on that machine to get to my production machine.

I hope to find out if a virus put a fake AVG upgrade link on my machine some time this week. If AVG is in actual fact using download.com I will stay away from AVG eventually. I have to try and find a specialized forum this weekend. Somewhere that people like the people who fixed your problem hang out. They probably already know what I am trying to figure out. If I find it I will post it here.

Postby Nick » 17 Oct 2011

Cnet / download.com are generally trusted sites. They host downloads for lots of companies.

Am I right in thinking you got an alert after a format and a clean install of Windows? That sounds like it may be a false positive to me. What else did you re-install so far? Thinking on my feet, I am trying to think if something could hide on the boot sector/MBR through that format process. I don't think so (but would not swear to it). Are you using the Windows CD to format your hard drive? Very odd.

Postby Nick » 17 Oct 2011

P.S.

Obviously a back up and restore strategy is a useful weapon however I am always a bit wary to use it in the fight against malware. Fine to go back to a clean virgin image of your machine but I always worry that using a more recent restore might actually have the malware already backed up to it.

Postby bowlesj3 » 17 Oct 2011

Yes, it was a format directly from CD and I immediately installed AVG (nothing else on the machine and no other web sites accessed). So I run the scan and it finds the problems (changes every time too). The first time it went from 1 root kit to 3 root kits. That alone is strange. If someone wants to put a root kit on, why would they want to put 3 on (a bit of overkill I think)? After the 2nd format it finds only 2. Okay, if it was possible to put it on the BIOS, why would it drop down to 2 the second time around?

Okay so before I run the scan I have to get in and make it a scheduled scan or else I do not get a root kit scan (there is another way but I did not know about it). So after the scan I can no longer go into the interface. I also can not even uninstall AVG.

Yes, a bit strange. This is supposedly the 2012 version. 2011 is fine. So I am going to try the old link for upgrades, maybe tonight, and see what happens. I am not sure what it will grab and from where. I do not remember AVG ever being upgraded from download.com before. It is supposed to be cheaper or something?

About the Bios or MBR geizer agrees, "highly unlikely". In my mind you guys are correct just because it changed each time (from 1 to 3 to 2). Maybe AVG is just full of bugs now? Maybe the MS competition is too much for them?

Postby TJ » 17 Oct 2011

have you tried a new harddisk?

if your disk is over 3 years old, it doesn't hurt to do a preventive upgrade.

Postby bowlesj3 » 17 Oct 2011

I don't see a wink. Why would a hard disk help? All other programs ran fine before the format. Of course they are not running too well now since they are not installed yet. :-)

Maybe a disk surface scan. However I don't think that would help. I will try the old upgrade link and see what happens. I will try that new software too. geizer's recommended software found a suspect file and fixed it. I have been using AVG a long time. It has handled all viruses except maybe 2 (a format always fixed things and AVG was fine after a format). AVG (if it is AVG) is suspect now. Spybot used to be good. Now it gives problems so I won't install it. Maybe AVG is about to bite the dust too. We will see.

Postby bowlesj3 » 17 Oct 2011

I completed tonight's work. I just reformatted again and went after these. The only program on the machine is Google Chrome.

Here is a good site for rating Free Anti-Virus software.
http://www.techsupportalert.com/best-fr ... ftware.htm

I decided to try the top Pick.
http://www.avast.com/en-au/free-antivirus-download
This also downloads from download.com just like AVG.

At that same site I found this for Best Free Root-Kits
http://www.techsupportalert.com/best-fr ... emover.htm

Their best pick was the same one geizer recommended.
http://support.kaspersky.com/downloads/ ... killer.zip

AVG did not get that great a rating so I am going to try the new one for a while. Besides having both on the machine creates a conflict. The new one does have scheduling.

So I ran geizer's software again (a top pick) and it found nothing wrong.
I am running the new anti-virus. I suspect it will find nothing and there is a problem with the AVG 2012 version. The new anti-virus program also checks for root-kits.

Postby bowlesj3 » 18 Oct 2011

The whole computer scan with the top recommended anti-virus software at the link in the previous post ran fully clean on the newly formatted drive. So the AVG runs which found root kits and malware after the format were either AVG reporting incorrectly or the download itself. I can't prove it but I suspect it is the download itself because I suspect the original problem came from that site (I have downloaded a few things now and then from download.com). The other reason I suspect it was a download was because AVG was reporting the root kit for a while but did not give a popup to notify me for a long time (something was different obviously). So I guess you need to download from that site on a secure computer and run your scans immediately. At the same time the new software came from download.com with no problems so I am assuming most of those downloads will be okay.

Postby Nick » 18 Oct 2011

It does rather sound like a false positive (even though that seems unlikely with no software installed). I guess you know that virus software looks for a 'signature'. Every now and then a legitimate piece of software will show a false positive. The virus scanner guys will usually fix this quite quickly by looking for a longer more unique signature.

I wonder if you have some strange driver that is showing a false positive? To be honest that seems unlikely but it would be one of the few things that would explain it. As an aside I have heard of a hardware manufacturer getting infected and distributing malware on a driver disc...once a long time ago...I'd give long odds it is not that :)

Certainly is a puzzle.

Postby bowlesj3 » 18 Oct 2011

Hi Nick,

The machine is an old IBM machine (bought used about 6 or 7 years ago - great for testing new sites, etc). So I guess my saying "AVG might be reporting incorrectly" is the same as "a false positive" (I have not heard that term before). Maybe. Should AVG be notified is the question?

I need to figure out why it took me a while to notice the root-kit in the report. In the past I seemed to always get a popup. Maybe the run parameters need a change as a result of a new version, or somewhere along the line I stopped setting the parameters properly. If not, I need a checklist item to actually look at the reports.

John

Postby Nick » 18 Oct 2011

Hi John, maybe their forum would be a good place to set out what has happened?

This is how Symantec define false positive, btw:

A false positive, also known as a false detection or false alarm, occurs when an antivirus program detects a known virus string in an uninfected file. The file, while not infected with an actual virus, does contain a string of characters that matches a string from an actual virus.
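Nick's description of signature matching and the Symantec definition above, as an added example that is not part of the thread: a toy scanner in Python using ClamAV-style hex signatures with `??` single-byte wildcards. The two "files", the signature names and both signature sets are constructed for the demonstration (the 0xdeadbeef tag and the strings after it are invented, not a real detection). A short signature built on text that every Windows executable carries (the DOS-stub message) fires on the clean file, which is exactly the false positive the definition describes; a longer signature anchored on bytes unique to the sample, with wildcards for the part that varies between builds, catches both builds of the sample and leaves the clean file alone.

```python
import re

# Constructed samples. The DOS-stub text appears in every PE, so it is a poor
# thing to match on. Everything after it is invented for this example.
DOS_STUB = b"MZ" + b"\x90" * 16 + b"This program cannot be run in DOS mode."
MALWARE = DOS_STUB + b"\xde\xad\xbe\xef\x01\x02HideProcess\x00HookTable\x00"
MALWARE_VARIANT = DOS_STUB + b"\xde\xad\xbe\xef\x7f\x3cHideProcess\x00HookTable\x00"
BENIGN = DOS_STUB + b"\x00" * 8 + b"DiskWizardHelper\x00SetupDriver\x00"

# Labelled corpus: (bytes, is_malicious)
CORPUS = {
    "sample": (MALWARE, True),
    "sample_v2": (MALWARE_VARIANT, True),
    "clean_driver": (BENIGN, False),
}

# A "lazy" signature: the bytes of "cannot be run" (present in every PE).
LAZY_SIGS = {"Rootkit.Generic": "63 61 6e 6e 6f 74 20 62 65 20 72 75 6e"}

# A longer, more unique signature: the tag, two wildcard bytes that differ
# between builds, then "HideProcess".
GOOD_SIGS = {"Rootkit.Generic":
             "de ad be ef ?? ?? 48 69 64 65 50 72 6f 63 65 73 73"}

TOKEN = re.compile(r"\?\?|[0-9a-fA-F]{2}")


def compile_sig(hex_sig: str) -> re.Pattern:
    """Turn 'de ad ?? 48' into a bytes regex: fixed bytes are escaped literals,
    '??' becomes '.' (any single byte under DOTALL). Rejects malformed input."""
    compact = hex_sig.replace(" ", "")
    tokens = TOKEN.findall(compact)
    if "".join(tokens) != compact:
        raise ValueError(f"malformed signature: {hex_sig!r}")
    parts = [b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, sigs: dict) -> list:
    """Names of every signature that matches somewhere in data."""
    return [name for name, hx in sigs.items() if compile_sig(hx).search(data)]


def evaluate(sigs: dict, corpus: dict) -> dict:
    """True positives, false positives and false negatives over the corpus."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for data, is_malicious in corpus.values():
        hit = bool(scan(data, sigs))
        if hit and is_malicious:
            counts["tp"] += 1
        elif hit:
            counts["fp"] += 1
        elif is_malicious:
            counts["fn"] += 1
    return counts


if __name__ == "__main__":
    for label, sigs in (("lazy", LAZY_SIGS), ("longer", GOOD_SIGS)):
        print(label, evaluate(sigs, CORPUS),
              "clean_driver ->", scan(BENIGN, sigs))
```

The disagreement John saw between AVG and the other two tools is the same signal this toy gives: a second engine and a specialist rootkit scanner not matching is the usual tell of a false positive. The fix lives with the vendor (a longer, more specific signature, as Nick says), which is why the suspect file is worth submitting through the vendor's false-positive reporting channel rather than being deleted on the strength of one engine.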

Postby bowlesj3 » 18 Oct 2011

Hi Nick.

Thanks for the definition. It is interesting and good to know a bit about how these programs work. I was reading a bit about root-kits in the AVG help. I tend to go out to google for gathering information. Lots of ways to pick up info these days.

I just created a to-do for this weekend to create a list of anti-virus related forums. I had not even thought to look to see if AVG has a forum but that is a good idea. I did notice last night that the site above where I found the two reviews (anti-virus software and root-kit software) has a forum. That may be an excellent site to get to know since the person who actually did the comparison of the different software is likely to be on that forum and he is likely to be really up on this topic along with a lot of other people. When I create the list of forums I will check the post counts and maybe drop the list in this thread.

It is an interesting problem. The fact that AVG gets totally disabled such that I can not even uninstall it (requiring a format to correct the problem) suggests it could be AVG bugs or it could be a virus disabling AVG and thus a download.com problem. A mystery yet to be to solved at this point.

John.

Postby marmun » 19 Oct 2011

Stan, Judging by the amount of times you've reformatted your drive in an attempt to resolve this problem, I presume you have a backup that you know to be 'clean' and root-kit/virus free from which to restore.

Removing root-kits can be a frustrating task but if you have a clean backup, then there is no need to hunt down and delete the root-kit - which can take ten times longer than a restore. The problem appears to be that your root kit(s) remain after reformatting.

When you reformat a hard drive it doesn't erase the data on the hard drive - only the address tables. Get a Data Dump program and completely wipe/zero-fill the drive first before formatting and restoring from your back-up.

If it's still there after the restore, then your back-up is corrupt too.
As mentioned by others, it won't be in your BIOS.

Postby bowlesj3 » 20 Oct 2011

Hi marmun,

Thanks for your response.

The current new anti-virus software and the special root-kit software run clean (no root kit or other problems reported). The other machines are clean according to the prior version of AVG (it is 2012 AVG that seems to likely have a few problems). The new software has a higher find rating than AVG according to the tests they did. Apparently AVG has slipped lately. Having said all that, this weekend I have to take a closer look at the new software and make sure it is doing a thorough search.

I am not sure how this fits in with your "Data Dump program" suggestion, but I remove the partition, create the partition then install XP which includes a format. I seem to remember years ago having a program that wrote all zeros (early PC days). I have not seen anything like it in a while. I guess a google search will find them. On the D drive (a completely different disk) there is the slow format and the quick format. Maybe I have been thinking wrong, but I have always assumed that the slow format which really is very slow was clearing the data where as the fast format does what you have suggested. Maybe you can clarify the difference.

I am getting used to the new program slowly. It has most of the AVG features but I have trouble finding them yet, LOL.

John

Postby Spaceant » 20 Oct 2011


Postby bowlesj3 » 20 Oct 2011

Thanks Spaceant, I will read through it over the weekend.
John.

Postby marmun » 21 Oct 2011

The current new anti-virus software and the special root-kit software run clean (no root kit or other problems reported). The other machines are clean according to the prior version of AVG (it is 2012 AVG that seems to likely have a few problems). The new software has a higher find rating than AVG according to the tests they did. Apparently AVG has slipped lately. Having said all that, this weekend I have to take a closer look at the new software and make sure it is doing a thorough search.
Anti-virus programs only provide limited protection. Once you've let the malware in, AV programs are almost useless as the malware authors 'code' round them. When that happens, you need to run anti-malware software like MalwareBytes, SuperAntiSpyware, SpyBot Search & Destroy etc. to get rid of the nasties. Root-kits add another dimension and there is specialist software to hunt those down. However, as I mentioned before, it is easier and quicker to restore from a backup - but it's best to 'wipe' (NOT just 'reformat') the drive first - especially when infected with a root-kit.
I am not sure how this fits in with your "Data Dump program" suggestion, but I remove the partition, create the partition then install XP which includes a format. I seem to remember years ago having a program that wrote all zeros (early PC days). I have not seen anything like it in a while. I guess a google search will find them.
Data Dump programs usually zero-fill the drive. So, for the purposes of this discussion 'Data Dump software' and 'Zero-fill software' are synonymous. Data Dump programs 'wipe' the data from drives rather than just delete it. Formatting does not 'wipe' or overwrite data from a drive. It only deletes the address tables. There are many such programs freely available. I see someone has already provided a link to Seagate's DiscWizard which does the job. Note: I don't know about that version of DiscWizard but previous versions of DiscWizard only zero-filled Seagate drives. If so, http://www.diskwipe.org/ is another freeware solution that works on any drive.
On the D drive (a completely different disk) there is the slow format and the quick format. Maybe I have been thinking wrong, but I have always assumed that the slow format which really is very slow was clearing the data where as the fast format does what you have suggested. Maybe you can clarify the difference.
The difference between Quick and Full formatting is that a Full Format checks the entire disk for disk errors, bad sectors etc. whereas a Quick format bypasses all error checking. However, even a Full Format does not 'wipe' the data on a drive.
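marmun's distinction between formatting and wiping (in this post and the earlier one), as an added example that is not part of the thread: a toy disk image in Python where a "format" rewrites only the front-of-disk table region and a zero-fill overwrites every byte. The sector size, table layout, marker string and the simulated quick/full format behaviour are assumptions made for the demonstration, not a model of NTFS or FAT. A raw byte search (what a recovery or forensic carving tool does) still finds the planted data after the format and finds nothing after the wipe; verify_zeroed is the check to run before concluding, as marmun does, that nothing but zeros is left.

```python
# Added example: why a format leaves data behind but a zero-fill does not.
# The sector size, table layout and marker are constructed stand-ins, not a
# model of any real filesystem.

SECTOR = 512
IMAGE_SECTORS = 64          # a 32 KiB toy disk
TABLE_SECTORS = 4           # front-of-disk region holding the "address tables"
ENTRY = 8                   # table entry: 4-byte start sector + 4-byte length

# Constructed stand-in for a rootkit file (or any user data) on the disk.
MARKER = b"CONSTRUCTED-PAYLOAD-THAT-A-FORMAT-SHOULD-REMOVE"


def new_disk() -> bytearray:
    """A fresh image: every byte zero, so the table region is empty."""
    return bytearray(SECTOR * IMAGE_SECTORS)


def write_file(disk: bytearray, first_sector: int, data: bytes) -> None:
    """Write data at a sector and register it in the first free table slot."""
    if first_sector < TABLE_SECTORS:
        raise ValueError("data sectors start after the table region")
    off = first_sector * SECTOR
    disk[off:off + len(data)] = data
    entry = first_sector.to_bytes(4, "little") + len(data).to_bytes(4, "little")
    for pos in range(0, TABLE_SECTORS * SECTOR, ENTRY):
        if disk[pos:pos + ENTRY] == bytes(ENTRY):
            disk[pos:pos + ENTRY] = entry
            return
    raise RuntimeError("table region full")


def list_files(disk: bytearray) -> list:
    """What the filesystem 'sees': (start sector, length) per table entry."""
    files = []
    for pos in range(0, TABLE_SECTORS * SECTOR, ENTRY):
        entry = disk[pos:pos + ENTRY]
        if entry == bytes(ENTRY):
            break
        files.append((int.from_bytes(entry[:4], "little"),
                      int.from_bytes(entry[4:], "little")))
    return files


def format_disk(disk: bytearray, full: bool = False) -> int:
    """Quick format: zero the table region only. Full format: the same, plus a
    read of every sector to look for errors. Neither writes to the data
    sectors. Returns the number of sectors read during the surface check."""
    disk[0:TABLE_SECTORS * SECTOR] = bytes(TABLE_SECTORS * SECTOR)
    checked = 0
    if full:
        for s in range(IMAGE_SECTORS):
            _ = disk[s * SECTOR:(s + 1) * SECTOR]   # read-only surface check
            checked += 1
    return checked


def zero_fill(disk: bytearray) -> None:
    """What a wipe tool does: overwrite every byte, tables and data alike."""
    disk[:] = bytes(len(disk))


def carve(disk: bytearray, needle: bytes) -> list:
    """What a recovery/forensic tool does: ignore the tables, search raw bytes."""
    hits, start = [], 0
    while (i := disk.find(needle, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def verify_zeroed(disk: bytearray) -> bool:
    """The check to run after a wipe: no non-zero byte anywhere on the image."""
    return not any(disk)


def demo() -> dict:
    """Plant a file, full-format, carve; then zero-fill and carve again."""
    disk = new_disk()
    write_file(disk, 10, MARKER)
    before = {"files": list_files(disk), "carved": carve(disk, MARKER)}
    format_disk(disk, full=True)
    after_format = {"files": list_files(disk), "carved": carve(disk, MARKER),
                    "zeroed": verify_zeroed(disk)}
    zero_fill(disk)
    after_wipe = {"files": list_files(disk), "carved": carve(disk, MARKER),
                  "zeroed": verify_zeroed(disk)}
    return {"before": before, "after_format": after_format,
            "after_wipe": after_wipe}


if __name__ == "__main__":
    for stage, state in demo().items():
        print(f"{stage:13s} {state}")
```

Two caveats for anyone applying this outside the XP-era setup in the thread: on Windows Vista and later a full format does write zeros across the volume (a quick format still does not), and a zero-fill cannot reach sectors the drive has already remapped or an SSD's spare area, so for an SSD the equivalent of a wipe is the drive's own ATA Secure Erase rather than a host-side overwrite.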

Postby bowlesj3 » 21 Oct 2011

Thanks marmun,

You have been very helpful.
However, as I mentioned before, it is easier and quicker to restore from a backup - but it's best to 'wipe' (NOT just 'reformat') the drive first - especially when infected with a root-kit.
With this machine there actually is no data to restore. It is a test machine. So doing what you suggest is no problem.


So from what you are saying I have to do this:
1/ format again and install AVG from a fresh download for a fresh test to see if it says there is a root kit on this test machine.
2/ format once again but this time zero fill and again download AVG and test to see if it says there is a root kit on this test machine.

If AVG says no then says no, I can conclude they have fixed AVG.
If AVG says yes then says no, I can conclude that AVG is reporting correctly.
If AVG says yes then says yes, I can conclude that AVG is reporting incorrectly (or a root kit is coming down with the download).

Last but not to be forgotten, if AVG says no then says yes, well AVG is just off the wall :-)

Postby marmun » 21 Oct 2011

So from what you are saying I have to do this:
1/ format again and install AVG from a fresh download for a fresh test to see if it says there is a root kit on this test machine.
2/ format once again but this time zero fill and again download AVG and test to see if it says there is a root kit on this test machine.
If you think you might still have a root-kit on your machine, then you only have to do option '2'.

As I mentioned before, Anti-virus software isn't all we'd like it to be. It flags many false-positives and also misses malware which has been coded to block detection by AV software. Root-kits in particular can be very stubborn. AV software is getting better but the malware authors are getting more devious in response. It's a constant battle.

Having said that..........

If you do your option '2' above, then there won't be any reason to do '1'. Also, '2' will not leave anything on the drive except zeros - So it isn't possible to still have a root-kit on the drive afterwards. The only way you could still have a root-kit is if you were restoring from a back-up that was also infected. As you won't be restoring, this potential problem won't apply in your case.
If AVG says no then says no, I can conclude they have fixed AVG.
Not necessarily. There is no AV software that catches everything and most miss a lot.
If AVG says yes then says no, I can conclude that AVG is reporting correctly.
Again, not necessarily. All AV software also suffer from reporting false-positives.
If AVG says yes then says yes, I can conclude that AVG is reporting incorrectly (or a root kit is coming down with the download).
If you're downloading AVG from their website, I'd say it is virtually impossible that it would be infected. If AVG still says yes after a zero-fill, then I'd dump AVG and start using AVAST :-).
Last but not to be forgotten, if AVG says no then says yes, well AVG is just off the wall :-)
Make life easy on yourself and just go with Option '2' :-). Option '1' serves no useful purpose.

Postby bowlesj3 » 22 Oct 2011

Well, I was able to use DiskWipe to zero-fill the D drive. However, when I put XP on the D drive and then try to zero-fill the C drive (even though during the install I had Windows remove the C partition, put it back on as raw and format the C drive successfully), every time I try to use DiskWipe on the C drive it tells me the disk drive is in use. If I do a full format it gives the error at the very end.

I am wondering if at this point one should start using all external drives so they can be swapped very easily from C to D and back again. In other words swap them such that the operating system is always on the C drive and the zero fill is always the D drive. So once one drive is processed this way swap them and put the operating system on the other drive (again as C) and zero fill the other drive. It is far too much work to open the machine every time one has to do this.

Anyway, I am running AVG on the D drive only scanning everything to see if it is clean since at least I have a zero fill there to test AVG with.

!!!!!!!Great, AVG reported the same errors on the zero filled drive. So it seems the problem is with AVG. That would make a lot of sense considering that both of the other program runs (TDSSKiller and AVAST) reported no problems.
Last edited by bowlesj3 on 22 Oct 2011, edited 2 times in total.

marmun
Posts: 22
Joined: 20 Apr 2007
Been thanked: 10 times

Re: Any good forums to ask about root kits.

Postby marmun » 22 Oct 2011

Well, I was able to use DiskWipe to zero fill the D drive. However, when I put XP on the D drive and then try to zero fill the C drive (even though during the install I had Windows remove the C partition, put it back on as raw and format the C drive successfully), every time I try to use DiskWipe to format the C drive it tells me the disk drive is in use. If I do a full format it gives the error at the very end.

I am wondering if at this point one should start using all external drives so they can be swapped very easily from C to D and back again. In other words swap them such that the operating system is always on the C drive and the zero fill is always the D drive. So once one drive is processed this way swap them and put the operating system on the other drive (again as C) and zero fill the other drive. It is far too much work to open the machine every time one has to do this.

I'm not sure I understand what you've written above, but if you're receiving a 'disk drive is in use' message then it sounds like you're trying to zero-fill the drive from which your OS is currently running. From what you've written it's hard to tell whether you're using two separate disk drives or one drive which is partitioned into C: & D:.

You might be better off creating a bootable CD with a zero-fill utility like http://www.terabyteunlimited.com/copywipe.php#download and boot into that instead of trying to do it through windows.

bowlesj3
Posts: 2180
Joined: 21 Jul 2007
Has thanked: 227 times
Been thanked: 429 times

Re: Any good forums to ask about root kits.

Postby bowlesj3 » 22 Oct 2011

Hi marmun,

Actually it is a separate physical C and D drive. The operating system is on D and was zero filled (see my update above that came in just a split second before your post).

I am happy with the results since the problem appears to be AVG version 2012. However I will check into your latest suggestion. For sure that is the way to go and I want to be able to do it quickly in the future so now is the time to learn it. The last time I created a boot disk was a dos diskette, LOL. I have gotten spoiled :-).

It has been a long day (over 12 hours doing this stuff and other work on the other machine alongside). Time to call it a night.

Have a great weekend marmun.

John

bowlesj3
Posts: 2180
Joined: 21 Jul 2007
Has thanked: 227 times
Been thanked: 429 times

Re: Any good forums to ask about root kits.

Postby bowlesj3 » 23 Oct 2011

This utility worked. CopyWipe was able to run directly from the D drive where I had windows and zero fill the C drive even after I removed the partition (there was no need to create a boot CD). It said the operation completed normally. So I assume both have been zeroed now. I am resetting everything back to normal (C has windows and D is for backing up my other machine's data).

I never did create a boot CD for this process. I did put a prebuilder.iso file on a regular CD and tried booting from that. It did not seem to work. I guess those are the install files and I think I had more steps to do for the actual boot. I cut it short by trying what I describe in the 1st procedure and since it worked I stopped there. Maybe next weekend I will see if I can figure out how to complete the boot CD approach and if I can I will wipe the D drive for a test.

Thanks again marmun. At least I know for sure it is an AVG 2012 problem.

John.
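The post above assumes both drives "have been zeroed now" without reading them back. The script below is an added example for this thread (it is not part of the forum posts and not a tool from DiskWipe or CopyWipe): it reads a drive or disk image sequentially and reports the first non-zero byte, which is the check a practitioner would run before trusting a wipe or before blaming the AV for flagging a zero-filled disk. The device paths named in the comments are assumptions, and the images it builds for its own demo are constructed.

```python
"""Verify that a wiped drive (or a disk image) really reads back as all zeros.

Added example for this thread, not code from the forum or from the
DiskWipe / CopyWipe utilities discussed. Device paths are assumptions:
on Linux you would point it at a raw device such as /dev/sdb (as root),
on Windows at \\\\.\\PhysicalDrive1 (as Administrator). Never point it at
the drive the OS is running from; that is the 'disk drive is in use'
situation described in the thread, and the OS will keep writing to it.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Optional

# 4 MiB reads: a multiple of the 512-byte sector size (raw devices require
# aligned reads), fast enough for whole-disk passes, small enough for RAM.
CHUNK_SIZE = 4 * 1024 * 1024


@dataclass
class WipeCheck:
    bytes_read: int
    first_nonzero_offset: Optional[int]  # None means every byte read was zero

    @property
    def is_clean(self) -> bool:
        return self.first_nonzero_offset is None


def verify_zero_fill(path: str, chunk_size: int = CHUNK_SIZE) -> WipeCheck:
    """Read the whole device/file and report the first non-zero byte.

    A full sequential read is the only honest check: leftover boot code or a
    partition table is only a few hundred bytes, so sampling could miss it.
    """
    bytes_read = 0
    with open(path, "rb", buffering=0) as fh:  # unbuffered: one syscall per chunk
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            # bytes.count(0) runs in C, so the common all-zero case has no Python loop
            if chunk.count(0) != len(chunk):
                # Only on failure do we locate the exact offending byte
                for i, b in enumerate(chunk):
                    if b:
                        return WipeCheck(bytes_read + len(chunk), bytes_read + i)
            bytes_read += len(chunk)
    return WipeCheck(bytes_read, None)


def make_test_image(size: int, dirty_offset: Optional[int] = None) -> str:
    """Build a constructed disk image of zeros, optionally with one stray byte.

    The stray byte simulates a wipe that stopped short or a sector the OS wrote
    back while the disk was in use; the caller removes the file afterwards.
    """
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.truncate(size)  # sparse file: reads back as zeros without writing them
        if dirty_offset is not None:
            fh.seek(dirty_offset)
            fh.write(b"\x55")  # 0x55 is the first byte of the 0x55AA MBR signature
    return path


if __name__ == "__main__":
    clean = make_test_image(8 * 1024 * 1024)
    dirty = make_test_image(8 * 1024 * 1024, dirty_offset=510)
    try:
        for p in (clean, dirty):
            r = verify_zero_fill(p)
            status = "clean" if r.is_clean else f"NON-ZERO byte at offset {r.first_nonzero_offset}"
            print(f"{p}: {r.bytes_read} bytes read, {status}")
    finally:
        os.remove(clean)
        os.remove(dirty)
```

Run it against the disk image first to see both outcomes, then against the raw device of the wiped drive from the other installation. An offset of 510 or 511 on a real disk usually means a boot-sector signature survived, which points at a wipe that never touched sector 0 rather than at an AV false positive.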

bowlesj3
Posts: 2180
Joined: 21 Jul 2007
Has thanked: 227 times
Been thanked: 429 times

Re: Any good forums to ask about root kits.

Postby bowlesj3 » 06 Nov 2011

Getting directly back to the original topic of this thread, at one point I said that I would create a list of anti-virus related forums. Here is my followup.

Gizmo's is a tech support site. This site has the Anti-Virus review. They have a Freeware Forum.
http://www.techsupportalert.com/freeware-forum/

The Kaspersky Lab (for root kits) has a forum
http://forum.kaspersky.com/

The AVG anti-virus software site has a forum
http://forums.avg.com/ca-en/avg-forums

The Avast anti-virus software site has a forum
http://forum.avast.com/

The IT Security site has a FAQ setup.
http://security.stackexchange.com/questions

http://superuser.com/ has a questions and answers section.

Last but not least, a Google search for "anti virus software forums" pulled up some interesting forums. Here are some.
Wilder's Security forums
http://www.wilderssecurity.com/forumdisplay.php?f=32

http://forums.devshed.com/antivirus-protection-117/
