A. Elshafei (aka AbuIbrahim12)
Detecting Rootkits in Windows 98/ME
Detecting rootkits in Windows 98 and ME is very difficult. There are no tools existing today that can detect or remove active rootkits for Windows 98 and ME. If you contracted a rootkit in Windows 98 or ME, then the only guaranteed solution is to format and reinstall. For those who avoid formats at all cost, I have created a procedure that can be used as a guideline for detection. However, these guidelines should be used only by those who have a high level of expertise with computers.
Background: Basically, the procedure is to compare a list of the files/folders on the root drive (C:) that are visible in Windows with a list of the files on the root drive generated in DOS. Any files that show up in the DOS list that were not visible in Windows could be potential rootkits. The reason for disabling any active processes in Windows before generating the list is to minimize the number of temporary files, which eases comparison and reduces false positives. Active processes use temp files that may appear in DOS and not in Windows.
First, do you have a Windows 98 boot disk? If not, please do the following:
Second, please shut down all running applications, including the browser you are reading this from.
Third, clean up the clutter on the computer using CCleaner:
Do not open or run anything once you are done with CCleaner.
Fourth, click Start -> Run -> type: command and press Enter
Fifth, when the commands are done, please shut down the computer with the floppy disk still in the drive.
Sixth, turn on the computer and make sure that your computer is booting from the floppy drive. Otherwise, you may have to enter the bios and set the boot sequence.
If booting from the floppy is successful, at the first screen select the second option, which says something like: 'Start computer without CD-ROM support'
Once the command line appears, try to determine the drive letter that the boot disk assigned to your hard disk. If the drive letter is not C and you are not sure which letter was assigned to the hard disk, then please find it through trial and error as follows:
Seventh, once you are on the correct hard-drive letter, please type the following command and press Enter: Once done, remove the boot disk and restart your computer normally into Windows.
Eighth, now we need to compare files1.txt with files2.txt.
The best way to compare the files is to use an automatic diff program. Two good programs are:
One advantage of Compare-It is that it colors in red the exact difference within a common line in the two files. This makes it easy to recognize and skip the lines whose file names were shortened in DOS (8.3 names such as PROGRA~1). You can also generate an HTML report of the results.
If you decide to use Compare-It, download, unzip and install the program.
Rootkit files will likely be any files that show up in files2.txt but do not exist in files1.txt. If any such lines are found, double-check by actually trying to browse to these files while in Windows and confirming that you are unable to locate them. Also make sure these files are not legitimate.
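As an added example (not part of the original post, and not a tool that runs on Windows 98 itself), a small Python script that automates the comparison in step eight: it reads the Windows listing and the DOS listing, treats a DOS 8.3 alias such as PROGRA~1 as matching its long Windows name so those lines are not flagged, and reports only the paths visible from the boot disk but not from Windows. The two listings and the 8.3 matching rule are constructed assumptions; in practice the real files1.txt and files2.txt would be read from disk instead.

```python
import re
# Constructed sample listings (not from the original post), one path per line, as a
# recursive directory listing of C: would show them from Windows and from the boot disk.
FILES1_WINDOWS = """\
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\Program Files\\Common Files\\helper.dll
C:\\My Documents\\quarterly report.doc
"""
FILES2_DOS = """\
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\PROGRA~1\\COMMON~1\\HELPER.DLL
C:\\MYDOCU~1\\QUARTE~1.DOC
C:\\WINDOWS\\SYSTEM\\HIDDEN.VXD
"""
# An 8.3 alias: up to six characters, a tilde and a number, optionally a 3-char extension.
SHORT_NAME = re.compile(r"^([^.~\\]{1,6})~\d+(?:\.([^.\\]{0,3}))?$")

def short_form(long_component):
    """Return the (6-char base, 3-char ext) DOS would use for a long file or folder name."""
    base, dot, ext = long_component.rpartition(".")
    if not dot:
        base, ext = long_component, ""
    stripped = re.sub(r"[ .+,;=\[\]]", "", base).upper()  # characters dropped from aliases
    return stripped[:6], ext[:3].upper()

def component_matches(dos_comp, win_comp):
    """True if a DOS path component equals the Windows one or is its 8.3 alias (heuristic)."""
    if dos_comp.upper() == win_comp.upper():
        return True
    m = SHORT_NAME.match(dos_comp.upper())
    if not m:
        return False
    base6, ext3 = short_form(win_comp)
    return base6.startswith(m.group(1)) and (m.group(2) or "") == ext3

def dos_only(win_text, dos_text):
    """Paths in the DOS listing with no Windows counterpart, exact or via an 8.3 alias."""
    win_paths = [p.split("\\") for p in win_text.splitlines() if p.strip()]
    suspects = []
    for line in dos_text.splitlines():
        if not line.strip():
            continue
        dos_parts = line.split("\\")
        if not any(len(w) == len(dos_parts) and all(map(component_matches, dos_parts, w))
                   for w in win_paths):
            suspects.append(line)  # visible from the boot disk but not from Windows
    return suspects

if __name__ == "__main__":
    for path in dos_only(FILES1_WINDOWS, FILES2_DOS):
        print("in files2.txt but not files1.txt:", path)
```

Anything the script reports still needs the manual checks described above: browse to the path in Windows, and make sure the file is not a legitimate temp or system file before treating it as a rootkit.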
Ninth, if a rootkit file is suspected, you can rename the file while in DOS. Boot the computer from the floppy disk as performed earlier and perform the following command: Reboot into Windows and make sure everything is running fine.
Microsoft MVP – Consumer Security
English: www.islaam.ca - Arabic: www.sahab.net