How to Hard Reboot a system?

But what if it spreads to other systems? The cost of reinstalling one system won’t look so bad at that point, but it will be too late, and the cost of reinstalling a single system has to be less than the cost of extensive analysis to arrive at the conclusion that it’s ‘clean.’

mm

> Well, Not for this case,

For absolutely any case (if the AV has the databases fresh enough).

No need in rootkit revealers in any kind, absolutely any kind. Just boot from a clean CD/DVD/another hard drive and run the usual AV with fresh databases.

> that AV scanners scans for files and not for disk sectors and I found that the said rootkit just put its
> data at some sectors

Not important. It will still need to patch some usual location (boot sector or a file) for this hidden file to gain control.

> Another must have thing to clean that using this method is signatures for that rootkit file, which may not
> have any information pertaining to the said malware

If the AV software is obsolete, then the game is lost :slight_smile: so is the obsolete rootkit revealer :slight_smile:

> And then if certain tool is saving a customer from a format on the price of a hard reboot

Sooner or later, the customer’s machine will experience random crashes and hangs with such software, and format (at least Windows reinstall) is the fastest and most cost-effective way of curing this.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> > Well, Not for this case,

> For absolutely any case (if the AV has the databases fresh enough).

Always assume that your AV database is not fresh enough.

> No need in rootkit revealers in any kind, absolutely any kind. Just boot from
> a clean CD/DVD/another hard drive and run the usual AV with fresh databases.

If your AV database knows about version n, then the rootkit only has to
be version n+1 and you will either find nothing, or will fail to clean a
hook or two and the virus will be right back on the next boot.

> > that AV scanners scans for files and not for disk sectors and I found that
> > the said rootkit just put its data at some sectors

> Not important. It will still need to patch some usual location (boot sector or
> a file) for this hidden file to gain control.

They are finding more and more places to patch unfortunately.

> > Another must have thing to clean that using this method is signatures for
> > that rootkit file, which may not have any information pertaining to the said malware

> If the AV software is obsolete, then the game is lost :slight_smile: so is the obsolete
> rootkit revealer :slight_smile:

Always assume your AV software is obsolete. I’m getting to the point
where I think the only good AV software is software that either
completely disconnects the computer from the network (some do, but I’m
sure a virus that was motivated enough could disable that) on detected
infection (‘something is not right’ detection), or wipes the bootsector
and turns it off hard, like the OP wants to do, forcing a reinstall (or
a bootfix)

> > And then if certain tool is saving a customer from a format on the price of a
> > hard reboot

> Sooner or later, the customer’s machine will experience random crashes and
> hangs with such software, and format (at least Windows reinstall) is the
> fastest and most cost-effective way of curing this.

And if the computer is on a network, probably all the other machines on
the network too (port 445 exploits anyone?)

James (feeling paranoid this morning :slight_smile:

>They are finding more and more places to patch unfortunately.

Proper AV should just check the boot sector and then check the MS’s digital signatures on all Windows files. :slight_smile:

The most “killer” way of doing things. Then the usual registry cleanup and so on.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
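Maxim's two checks (boot sector, then Microsoft's signatures on the Windows files) can be scripted. The following is an added example for this thread, not code from any of the posters or from StorageCraft: it hashes the first sector of the raw disk against a baseline you recorded earlier on a known-clean machine, then walks System32 and reports every binary whose Authenticode or catalog signature does not validate. It assumes Windows with PowerShell 5.1 or later, an elevated prompt, that `\\.\PhysicalDrive0` is the boot disk, and that the baseline path is a placeholder you replace.

```powershell
# Added example (not from the thread). Assumptions: Windows, PowerShell 5.1+,
# elevated prompt, boot disk is \\.\PhysicalDrive0, and $BaselineFile is a
# placeholder path holding a SHA-256 you recorded on a known-clean machine.
param(
    [string]$SystemRoot    = $env:SystemRoot,
    [string]$BaselineFile  = 'C:\baseline\bootsector.sha256',   # placeholder
    [string]$PhysicalDrive = '\\.\PhysicalDrive0'
)

function Get-BootSectorHash {
    param([string]$Drive = '\\.\PhysicalDrive0')
    # Read the first 512 bytes (MBR / boot sector) straight from the raw disk,
    # bypassing the file system. FileShare.ReadWrite is needed because the OS
    # already has the device open.
    $fs = [System.IO.FileStream]::new($Drive,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read,
            [System.IO.FileShare]::ReadWrite)
    try {
        $buf  = New-Object byte[] 512
        $read = $fs.Read($buf, 0, 512)
        if ($read -ne 512) { throw "Short read ($read bytes) from $Drive" }
    } finally {
        $fs.Dispose()
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hex = [System.BitConverter]::ToString($sha.ComputeHash($buf)) -replace '-', ''
    return $hex.ToLowerInvariant()
}

function Get-UnsignedSystemFiles {
    param(
        [string]$Root = "$env:SystemRoot\System32",
        [string[]]$Include = @('*.exe', '*.dll', '*.sys')
    )
    # Report every binary whose signature is not Valid. Most Windows files are
    # catalog-signed rather than carrying an embedded signature; on PowerShell
    # 5.1 / Windows 8.1+ Get-AuthenticodeSignature consults the security
    # catalogs, so those still come back as Valid. The Signer column lets you
    # spot a Valid signature from a publisher that is not Microsoft.
    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
        }
}

# --- 1. boot sector vs. baseline -------------------------------------------
$current = Get-BootSectorHash -Drive $PhysicalDrive
if (Test-Path $BaselineFile) {
    $baseline = (Get-Content -Path $BaselineFile -First 1).Trim().ToLowerInvariant()
    if ($current -ne $baseline) {
        Write-Warning "Boot sector SHA-256 $current does not match baseline $baseline"
    } else {
        Write-Host "Boot sector matches baseline."
    }
} else {
    # First run on a machine you trust: record the hash for later comparison.
    New-Item -ItemType Directory -Path (Split-Path $BaselineFile) -Force | Out-Null
    Set-Content -Path $BaselineFile -Value $current
    Write-Warning "No baseline found; recorded current hash $current in $BaselineFile"
}

# --- 2. signature check on Windows binaries ---------------------------------
$bad = @(Get-UnsignedSystemFiles -Root "$SystemRoot\System32")
$bad | Format-Table -AutoSize
Write-Host ("{0} file(s) in {1}\System32 without a valid signature." -f $bad.Count, $SystemRoot)
```

Run it the way the thread recommends, from a clean boot (WinPE or recovery media) rather than from the suspect OS, pointing `-SystemRoot` at the offline volume (for example `D:\Windows`); a kernel rootkit on the running system can hide or substitute the very files and sectors being read. Note the trade-off when scanning an offline volume: catalog lookups use the catalogs of the OS you booted, so catalog-signed files from a different Windows build may report `NotSigned` and need a second look against that build's catalogs rather than being treated as infected outright.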

Hi All,

I am very thankful to all of you for providing different solutions.

Thanks & Regards,
Rajendra.