Saturday, July 4, 2009

Detecting Rootkits in Windows Millennium/98/95



Detecting rootkits in Windows 98 and ME is very difficult. No tools exist today that can detect or remove active rootkits on Windows 98 and ME. If you have contracted a rootkit on Windows 98 or ME, the only guaranteed solution is to format and reinstall. For those who avoid formats at all cost, I have created a procedure that can be used as a guideline for detection. However, these guidelines should be used only by those who have a high level of expertise with computers.



Background: The procedure is to compare a list of the files on the root drive (C:) that are visible from Windows with a list of the same drive generated from DOS. Any files that show up in the DOS list but were not visible in Windows are potential rootkit components. Active processes are disabled in Windows before generating the list to minimize the number of temporary files, which eases the comparison and reduces false positives: active processes use temp files that may appear in DOS and not in Windows.


First, do you have a Windows 98 boot disk? If not, please do the following:
1. Get a clean floppy disk and place it in your floppy drive.
2. Click Start -> Point to Settings and click Control Panel -> Click Add/Remove Programs -> Click the Startup Disk tab -> Click the Create Disk button -> When finished, click OK.
3. Do not remove the floppy disk; keep it in the drive.


Second, please shut down all running applications, including the browser you are reading this from.
Try to turn off or disable as many applications as you can.


Third, clean up the clutter on the computer using CCleaner:
http://wiki.battlespam.info/index.php?title=Malware_Removal:_Clean_out_the_Clutter


Do not open or run anything once you are done with CCleaner.


Fourth, click Start -> Run -> type: command and press Enter.
Please type the following commands, each followed by the Enter key (/s recurses into subdirectories, /b prints bare full paths, and /a-d lists every entry except directories, hidden and system files included):
cd \
dir /s /b /a-d > files1.txt


Fifth, when the commands have finished, shut down the computer with the floppy disk still in the drive.


Sixth, turn on the computer and make sure that it boots from the floppy drive. Otherwise, you may have to enter the BIOS and change the boot sequence.


If booting from the floppy is successful, at the first screen select the second option, which says something like: 'Start computer without CD-ROM support'.


Once the command line appears, determine the drive letter that the boot disk assigned to your hard disk. If the drive letter is not C and you are not sure which letter was assigned to the hard disk, find it by trial and error:
step 1: type the following command and press Enter:
C:
step 2: then type dir and press Enter. You should see the Windows folder along with other directories somewhere near the end of the list. If no directories appear, repeat step 1 with a different letter such as D: or E:


Seventh, once you are on the correct hard-drive letter, type the following command and press Enter:
dir /s /b /a-d > files2.txt

Once done, remove the boot disk and restart the computer normally into Windows.


Eighth, now we need to compare files1.txt with files2.txt.


The best way to compare the files is to use an automatic diff program. Two good programs are:
- Compare-It: http://www.grigsoft.com/wc3setup.zip

- Examdiff: http://www.prestosoft.com/edp_examdiff.asp


Compare-It has the advantage that it colors in red the exact difference within a line common to the two files. This makes it easy to recognize and skip the lines whose file names were shortened to 8.3 form in DOS. You can also generate an HTML report of the results.
ExamDiff has the advantage that you can display only the lines that differ between the two files. Compare-It also has that feature, but it isn't as effective because it will also display lines common to both files that were ordered differently.


If you decide to use Compare-It, download, unzip and install the program.
Start the program -> browse to the text file you generated from DOS (files2.txt) and click Open
-> browse to the other text file you generated from Windows (files1.txt) and click Open.
Now, in the left pane, the lines colored green are the files that appeared in DOS but not in Windows.
The lines colored blue are files that exist in both listings but with some change, such as a shortened file name. Within the blue lines you will notice the difference colored in red.
You can simply skim quickly through the blue lines.
The lines colored red in the right pane are files that appeared in Windows but not in DOS. You can ignore these files.
The lines colored black are common to the two files and should be ignored.


Rootkit files will most likely be the ones that show up in files2.txt but do not exist in files1.txt. (Expect files2.txt itself to be one such line: the DOS redirect creates it before dir runs, so it is listed in DOS and not in Windows.) If any such lines are found, double-check by trying to browse to those files while in Windows and confirming that you cannot locate them. Also make sure these files are not legitimate.
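As an added illustration of the comparison described above (not part of the original post), the following Python script does the matching you would otherwise do by eye in Compare-It: it strips the drive letter, maps each Windows long name to the 8.3 alias that DOS would show for it (assuming the Windows 9x scheme of the first six cleaned stem characters plus ~N), ignores files2.txt, which the DOS redirect itself creates, and reports the remaining DOS-only paths. The two listings are constructed samples and EXAMPLE1.VXD is a placeholder name.

```python
import re

TILDE = re.compile(r"^(.*?)~\d+$")  # DOS alias of a long name, e.g. PROGRA~1

def _split(name):
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot else (name, "")

def key_from_windows(name):
    # DOS lists a valid 8.3 name unchanged; any other name is shown as the first
    # six cleaned stem characters plus ~N (Win9x scheme), so key on those six.
    stem, ext = _split(name)
    if " " not in name and len(stem) <= 8 and len(ext) <= 3 and name.count(".") <= 1:
        return name.upper()
    return re.sub(r"[ .]", "", stem).upper()[:6] + "." + ext.upper()[:3]

def key_from_dos(name):
    # Strip the ~N counter so PROGRA~1 and PROGRA~2 both key as "PROGRA.".
    stem, ext = _split(name.upper())
    m = TILDE.match(stem)
    return m.group(1) + "." + ext if m else name.upper()

def path_key(line, keyfn):
    # Drop the drive letter (the boot disk may assign another one), key each component.
    path = re.sub(r"^[A-Za-z]:", "", line.strip()).strip("\\")
    return tuple(keyfn(p) for p in path.split("\\")) if path else None

def dos_only_files(dos_listing, windows_listing, ignore=("FILES2.TXT",)):
    # files2.txt is created by the DOS redirect itself, so it is always DOS-only.
    seen = {path_key(l, key_from_windows) for l in windows_listing.splitlines()}
    return [l.strip() for l in dos_listing.splitlines()
            if (k := path_key(l, key_from_dos)) and k[-1] not in ignore and k not in seen]

# Constructed sample listings, not from a real machine; EXAMPLE1.VXD is a placeholder.
WINDOWS_LISTING = r"""
C:\AUTOEXEC.BAT
C:\WINDOWS\SYSTEM\kernel32.dll
C:\Program Files\Common Files\readme.txt
C:\My Documents\Quarterly report.doc
C:\WINDOWS\TEMP\~DF1234.TMP
"""
DOS_LISTING = r"""
C:\AUTOEXEC.BAT
C:\FILES2.TXT
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRA~1\COMMON~1\README.TXT
C:\MYDOCU~1\QUARTE~1.DOC
C:\WINDOWS\SYSTEM\EXAMPLE1.VXD
"""
```

Call dos_only_files(DOS_LISTING, WINDOWS_LISTING) with the real files1.txt and files2.txt contents; two long names that share the same first six characters collapse to one key, so a collision can hide a difference and the blue lines still deserve a skim.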


Ninth, if a rootkit file is suspected, you can rename the file from DOS. Boot the computer from the floppy disk as before and run the following command (DOS REN uses backslashes and takes the new name without a path):
ren path\filename.xxx emanelif.bak

Reboot into windows and make sure everything is running fine.
