Author Topic: General question about rootkits and paranoia  (Read 6487 times)


lucasbuck

  • Guest
General question about rootkits and paranoia
« on: April 21, 2011, 04:48:45 PM »
I recently ran a bad installer and got a warning of bpfull and allurion. I run avast, which picked it up, and so did windows security. It said it contained the deleted them. I then ran DrWebCureIt, it was clean. TDSSKiller, nothing found. Avast boot scan check was clean.
Back in the day, anytime anything popped up about a rootkit (or even a really bad virus) on my system, I would just spend a day, wipe the drive, and reinstall everything. I recently upgraded to Win 7 64bit, and really hate to go through that trouble. But I'm really paranoid about my work emails, credit card info, etc.
Nowadays, is it really worth the trouble of doing a clean install, or if windows and avast are coming up clean, am I safe? Just looking for some opinions (and cure for my paranoia). Thanks!

GrandPrixGXP

  • Guest
Re: General question about rootkits and paranoia
« Reply #1 on: April 21, 2011, 05:09:50 PM »
Since you are on a 64 bit OS, getting a rootkit infection is slim to none. Can it happen..........Yes, but rarely. Instead of being so paranoid, just create a system image onto an external HDD. Windows 7 does this for you.

lucasbuck

  • Guest
Re: General question about rootkits and paranoia
« Reply #2 on: April 22, 2011, 01:23:42 PM »
Thanks for the reply. I didn't know 64 made a difference with that. What's the difference in terms of a rootkit?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: General question about rootkits and paranoia
« Reply #3 on: April 22, 2011, 03:58:10 PM »
You can still get rootkits with a 64 bit system, but they are rare.  Even more so now that MS has put a block on TDL bootkits, however, give it time and they will get around that.  But notwithstanding a 64 bit 7 system is very secure as long as you do not do anything silly 

lareinatortura

  • Guest
Re: General question about rootkits and paranoia
« Reply #4 on: May 20, 2011, 02:00:56 PM »
Hi guys,

I can sympathize with lucasbuck.  I am also running windows 7, and my avast reported that my system had "Win32: KillAV-AHY [Rtk]."  I presume that "[Rtk]" is rootkit?  After completing a scan, I was prompted to move the two infected files to the "chest," and then run a boot time scan.  I did.  After moving the infected files to the "chest," I ran a scan during boot up and no infection was found.

I'm still scared.  I'm afraid to look at any remotely sensitive information.  :-[

I've been looking around the forums and I've come across a few threads with issues very similar to my own.  Some people think it is a false positive.  I want to know for sure that it is not anything malicious before I dismiss it as a false positive.

Any advice or help you guys could offer is greatly appreciated.

NerdrageXZ

  • Guest
Re: General question about rootkits and paranoia
« Reply #5 on: May 20, 2011, 05:07:06 PM »
File does not contain a virus when I scan it in the chest now; fixed in the latest definitions.

gentle4ug

  • Guest
Re: General question about rootkits and paranoia
« Reply #6 on: May 20, 2011, 05:39:56 PM »
I cured my paranoia with a good weekly system image and daily file back up plan.  This is accomplished using only Windows 7 tools.  When the disc is full, I just delete the old stuff and create a new backup.  When something nasty happens, just boot from your emergency recovery cd (made with windows tools), start the recovery, have a cold one and watch the game. Problem fixed.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: General question about rootkits and paranoia
« Reply #7 on: May 20, 2011, 06:11:37 PM »
Quote
MS has put a block on TDL bootkits, however, give it time and they will get around that.

They're already beginning to get around that  ;D

http://www.securelist.com/en/blog/473/An_unlikely_couple_64_bit_rootkit_and_rogue_AV_for_MacOS

http://www.securelist.com/en/blog/11266/Rootkit_Banker_now_also_to_64_bit

 >:(

It's not TDL, but it will be...in time  :)

lareinatortura

  • Guest
Re: General question about rootkits and paranoia
« Reply #8 on: May 20, 2011, 08:34:04 PM »
Quote
I cured my paranoia with a good weekly system image and daily file back up plan.  This is accomplished using only Windows 7 tools.  When the disc is full, I just delete the old stuff and create a new backup.  When something nasty happens, just boot from your emergency recovery cd (made with windows tools), start the recovery, have a cold one and watch the game. Problem fixed.

That sounds great.  I made a repair CD when I first got this machine; but, even when facing rootkits, you didn't have to re-format completely?

(I can't re-format windows 7--I don't have a copy--but I'm just asking).

gentle4ug

  • Guest
Re: General question about rootkits and paranoia
« Reply #9 on: May 20, 2011, 10:33:30 PM »
When you are restoring from a system image created before the infection happened, the infection should be gone from the affected hard drive.  I don't believe rootkits can survive the format and image install.  If I'm wrong, that would be a handy piece of information to have.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: General question about rootkits and paranoia
« Reply #10 on: May 21, 2011, 03:03:32 AM »
Quote
When you are restoring from a system image created before the infection happened, the infection should be gone from the affected hard drive.  I don't believe rootkits can survive the format and image install.  If I'm wrong, that would be a handy piece of information to have.

MBR rootkits can survive. For instance: http://www.f-secure.com/weblog/archives/00001393.html
The best things in life are free.
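The point made in the reply above (an MBR rootkit lives in the boot sector, which is outside every partition, so restoring a partition image does not remove it) can be shown with a small script. This is an added example, not code from the thread or from any of the tools mentioned in it. It builds a constructed 512-byte MBR and a tiny in-memory "disk" (no real drive is read or written), records a baseline hash of the boot-code area, and checks that hash again after a simulated change to the boot sector, after a partition-image restore, and after the boot sector itself is rewritten. The boot code bytes and partition layout are constructed placeholders; the MBR layout constants (boot code at 0..445, four 16-byte partition entries at 446..509, signature 55AA at 510..511) are the standard format.

```python
"""Detect a changed MBR boot sector by comparing it to a known-good baseline.

Added example (not from the forum thread). Everything here runs against a
constructed in-memory disk image; it never touches a real device.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 446            # bytes 0..445: boot code the BIOS executes
TABLE_START = 446              # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR. partitions: (bootable, type, lba_start, sectors) tuples."""
    code = boot_code[:BOOT_CODE_END].ljust(BOOT_CODE_END, b"\x00")
    table = b""
    for bootable, ptype, lba_start, sectors in partitions:
        # CHS fields are left zero; modern loaders use the LBA fields.
        table += struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                             b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_mbr(mbr):
    """Return the boot-code hash and the non-empty partition entries of one sector."""
    if len(mbr) != SECTOR or mbr[510:] != BOOT_SIGNATURE:
        raise ValueError("not an MBR: wrong size or missing 55AA signature")
    partitions = []
    for i in range(4):
        entry = mbr[TABLE_START + 16 * i: TABLE_START + 16 * (i + 1)]
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        if ptype:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
            "partitions": partitions}


def boot_code_matches(mbr, baseline_sha256):
    """The actual check: does the boot-code area still hash to the recorded baseline?"""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_sha256


def restore_partition_image(disk, lba_start, image):
    """Simulate restoring a partition image: only that partition's sectors are written."""
    offset = lba_start * SECTOR
    disk[offset: offset + len(image)] = image


def demo():
    clean_boot = b"constructed clean boot code (placeholder bytes, not a real loader)"
    layout = [(True, 0x07, 1, 15)]          # one partition from LBA 1, 15 sectors long
    disk = bytearray(build_mbr(clean_boot, layout)) + bytearray(SECTOR * 15)
    baseline = parse_mbr(bytes(disk[:SECTOR]))["boot_code_sha256"]
    results = {"clean": boot_code_matches(disk[:SECTOR], baseline)}

    # Simulated change to the boot-code area (arbitrary filler; only the
    # fact that it differs from the baseline matters for the check).
    disk[:BOOT_CODE_END] = b"MODIFIED".ljust(BOOT_CODE_END, b"\x00")
    results["after_modification"] = boot_code_matches(disk[:SECTOR], baseline)

    # Restoring a clean partition image rewrites sectors 1..15 only; sector 0 is untouched.
    restore_partition_image(disk, 1, b"\x00" * SECTOR * 15)
    results["after_partition_restore"] = boot_code_matches(disk[:SECTOR], baseline)

    # Rewriting the boot sector itself (what a boot-sector repair does) brings it back in line.
    disk[:SECTOR] = build_mbr(clean_boot, layout)
    results["after_mbr_rewrite"] = boot_code_matches(disk[:SECTOR], baseline)
    return results


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:24s} boot code matches baseline: {ok}")
```

The useful habit this illustrates is recording the baseline hash while the machine is known clean (for example right after the image GrandPrixGXP and gentle4ug describe is taken) and comparing against it after any restore, because a partition-level restore leaves sector 0 exactly as it was.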

lareinatortura

  • Guest
Re: General question about rootkits and paranoia
« Reply #11 on: May 21, 2011, 03:40:38 PM »
Quote
When you are restoring from a system image created before the infection happened, the infection should be gone from the affected hard drive.  I don't believe rootkits can survive the format and image install.  If I'm wrong, that would be a handy piece of information to have.

Quote
MBR rootkits can survive. For instance: http://www.f-secure.com/weblog/archives/00001393.html

So if you get an MBR rootkit, then you're screwed?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76035
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: General question about rootkits and paranoia
« Reply #12 on: May 21, 2011, 04:35:17 PM »
Quote
So if you get an MBR rootkit, then you're screwed?

Seldom.
Usually there are ways to clean it.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

lareinatortura

  • Guest
Re: General question about rootkits and paranoia
« Reply #13 on: May 21, 2011, 05:58:52 PM »
Quote
So if you get an MBR rootkit, then you're screwed?

Quote
Seldom.
Usually there are ways to clean it.


*Phew!*  Well, that's good to hear. But, ideally, I'd want to avoid getting it!  I guess that's my goal then: avoid MBR rootkits, because "an ounce of prevention is worth a pound of cure," as the saying goes.   ;D

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76035
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: General question about rootkits and paranoia
« Reply #14 on: May 21, 2011, 06:21:24 PM »
Quote
But, ideally, I'd want to avoid getting it!  I guess that's my goal then.

Use FF with NoScript.
This will block most intruders.