Rootkit avoidance: formatting/reloading a good idea or silly overkill?


riffin-rich

Hello all. Yet another question. I'm a freak when it comes to
antivirus/antispyware ... I have XP Pro and generally try to do all of
my surfing from a simple "guest"-privileges account that I've given
read access to all of my data drives, and write permissions to a
subset of folders on those data drives. I haven't been as careful on
another system that I use ... I do everything from an account with
administrator privileges (I'm a bad boy ... I know). That said, do
you ever format your hard drive and start over periodically, just for
the heck of it? Just in case you get a rootkit on your system that
goes unnoticed by your antivirus/antispyware and seats itself in the
MBR? How do you detect the 'supposedly' undetectables? Thanks much!
Rich
 
riffin-rich said:
Hello all. Yet another question. I'm a freak when it comes to
antivirus/antispyware ... I have XP Pro and generally try to do all of
my surfing from a simple "guest"-privileges account that I've given
read access to all of my data drives, and write permissions to a
subset of folders on those data drives.

That's certainly a good idea. In case this system gets infested by
malware, all you have to do is remove the affected restricted account
and that case is closed.
I haven't been as careful on another system that I use ... I do
everything from an account with administrator privileges (I'm a bad boy
... I know). That said, do you ever format your hard drive and start
over periodically, just for the heck of it?

Nope. A system cannot really get infested when there is "Brain 1.0"
installed between keyboard and chair. Therefore, there is no need to
format a system just as a precaution unless it behaves pretty weird.
Just in case you get a rootkit on your system that goes unnoticed by
your antivirus/antispyware and seats itself in the MBR?

In the latter case, removing the partition/s and re-installing Windows
from scratch is the only safe solution since the entire system is
concerned rather than one restricted account only.
How do you detect the 'supposedly' undetectables?

When malware was installed with administrative privileges, it can easily
bypass any anti-virus during runtime and there are some tools required
in order to detect that malware, e.g. running an integrated and updated
anti-virus after booting that system from a BartPE CD and/or analyzing
the network traffic using professional tools.
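One concrete offline check for the MBR case raised in the question and answered above is to compare the boot sector against a baseline hash recorded from a known-clean install, from a clean boot medium such as the BartPE CD mentioned. The following is an added example written for this thread, not code from any poster; the sample sectors, the partition layout and the baseline hash are all constructed in the script.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # classic MBR layout: boot code in bytes 0..439
PART_TABLE_OFF = 446      # four 16-byte partition entries at 446..509
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xAA"   # boot signature at bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != SIGNATURE:
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entry = sector[off:off + PART_ENTRY_LEN]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if entry[4] != 0:  # partition type 0 marks an empty slot
            parts.append({"bootable": entry[0] == 0x80, "type": entry[4],
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Compare a sector with a baseline hash taken from a known-clean install;
    an empty list means the boot code is unchanged and the table looks sane."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_hash:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings

def build_mbr(boot_code: bytes, active: bool = True) -> bytes:
    """Construct a sample MBR for demonstration (not read from a real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"   # bytes 440..445
    # one type 0x07 (NTFS) partition at LBA 63; CHS fields are dummy values
    entry = bytes([0x80 if active else 0x00, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF])
    entry += struct.pack("<II", 63, 1_000_000)
    return code + disk_sig + entry + b"\x00" * (3 * PART_ENTRY_LEN) + SIGNATURE

# Constructed samples: a "clean" sector, its baseline, and one with replaced boot code.
CLEAN_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" * 8)
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + b"\x90" * 30)
```

Record the baseline right after a clean install and keep it off the machine; on a live Windows system the real sector is read with administrative rights from the raw device \\.\PhysicalDrive0, and reading it from a clean boot medium avoids a resident rootkit filtering what the OS returns.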
 
riffin-rich said:
Hello all. Yet another question. I'm a freak when it comes to
antivirus/antispyware ... I have XP Pro and generally try to do all of
my surfing from a simple "guest"-privileges account that I've given
read access to all of my data drives, and write permissions to a
subset of folders on those data drives. I haven't been as careful on
another system that I use ... I do everything from an account with
administrator privileges (I'm a bad boy ... I know). That said, do
you ever format your hard drive and start over periodically, just for
the heck of it? Just in case you get a rootkit on your system that
goes unnoticed by your antivirus/antispyware and seats itself in the
MBR? How do you detect the 'supposedly' undetectables? Thanks much!
Rich

I reformat and reinstall perhaps once a year. Clears the cobwebs away. As
for rootkits, you can scan for them using F-Secure http://www.f-secure.com/
I have F-Secure Internet Security 2007, which is so much better than my old
Norton Internet Security 2007(IMO).
 
Riffin Rich,

I format my machine as such periodically. In fact, I have a ghost image &
restore that image across my network then restore my latest e-mail backup...
20 mins tops for me thankfully

The only thing you can do with a rootkit is to format because it makes dodgy
files invisible & bypasses the kernel.

There are tools that detect rootkits, but they aren't your general
antivirus/antispyware solutions & there is a rootkit website dedicated to
rootkits (http://www.rootkit.com) where they openly discuss them before or
while they develop them. Be very careful on their site because there are
rootkits available for download.

Here is a tool that discovers rootkits:

http://www.microsoft.com/technet/sysinternals/utilities/rootkitrevealer.mspx

The developer, Mark, has done a Technet video on rootkits & it can be found on
the Technet website somewhere.

Lastly. I see you're an Earthlink user. Hope you're not one of those
SPAMMING users from Earthlink who I report for many people hundreds of times
a week to the realtime SPAM databases. You're in luck because no Earthlink
SPAM has been reported in the last 10 mins before I posted this message
 
riffin-rich said:
Hello all. Yet another question. I'm a freak when it comes to
antivirus/antispyware ... I have XP Pro and generally try to do all of
my surfing from a simple "guest"-privileges account that I've given
read access to all of my data drives, and write permissions to a
subset of folders on those data drives. I haven't been as careful on
another system that I use ... I do everything from an account with
administrator privileges (I'm a bad boy ... I know). That said, do
you ever format your hard drive and start over periodically, just for
the heck of it?


No! With a modicum of care, it should never be necessary to reinstall
Windows (XP or any other version). I've run Windows 3.0, 3.1, WFWG 3.11,
Windows 95, Windows 98, Windows 2000, Windows XP, and now Windows Vista,
each for the period of time before the next version came out, and each on
two or three machines here. I've never reinstalled any of them, and I have
never had anything more than an occasional minor problem.
 
Ken, you don't have to re-install OSes but sometimes it's good to remove the
rubbish

Example:

I run Visual Studio 6 Enterprise, Visual Studio.NET 2003 Enterprise
Architect, VS.NET 2005 Professional, Platform SDK 2003 RC2... which have
over 600,000 files

If you install/uninstall you don't get rid of everything... & slowly
clutters up your machine, registry...

I too have supported & run 3.1, 3.11 for workgroups, 95 (all versions), 98,
98 SE, ME, 2000 Pro, Server, Advanced Server, 2003 Enterprise Server, &
Vista Beta 1, Beta 2, RC1 & RC2

Here's an example:

If you have Windows 2000 & want Vista on your system. Microsoft tells you
that you are unable to upgrade & need to format & do a full install

Another example:

Windows 95 to 98 SE upgrade kept basically the 95 shell/functionality & the
USB's didn't always work. But with a full install of 98 SE they did.

Basically Ken, you aren't 100% correct with what you are saying & I doubt if
you knew that Windows 95 came on 30 floppies either originally
 
Hi Newbie,

I'm not doubting your credentials, but please do some research on Rootkits.
I realize that didn't sound very nice. Some are so insidious that even
though it *appears* you have removed it, in many cases you just can't trust
your machine again. I *can* substantiate my claims.

--
HTH,
Curt

Windows Support Center
http://aumha.org/
 
Curt,

I think, Curt, that you really read my original post incorrectly because I
agree with you

If you have a rootkit then you cannot trust your machine because of the
bypassing of the kernel. Therefore, people may think they are clean & the
malicious processes are still running

I have quite a good knowledge about rootkits, adware, malware, spyware,
viruses etc & have written my own Spyware scanner that can be downloaded
from GotDotNet. Been fighting SPAM/viruses for 10-11 years, am a beta
tester for Spybot/Microsoft & have been clearing Adware... off of peoples
machines daily for around 4-5 years from all over the world

If you read my original post in this thread you will see that I have
provided a few things like the link to the rootkit website... If I had a
machine that had a rootkit then I would backup my data... & ghost the
machine without question with a clean image that was done without network or
Internet connection yet contains the latest security update until the image
was created.

I absolutely love adware, malware, spyware, SPAM or viruses because it gives
me something to occupy my mind, but programming is the real stimulant :))

Look forward to your replies in this newsgroup,
 
