From: Ronin on 11 Mar 2010 10:31

Darn! Oh well, better luck next time.

--
Ronin

"C" <c(a)nospamers.com.invalid> wrote in message news:hnao5f$c9d$1(a)speranza.aioe.org...
> Ronin wrote:
>> You have diagnosed an infection that absolutely, positively came from a
>> SR restore point? You're absolutely certain that it didn't come from
>> elsewhere? Do you mind sharing the information necessary to repeat the
>> issue? I am perfectly able and eager to do so, and I have all the
>> necessary equipment (i.e., a spare machine that I use for experimentation
>> and a fair amount of experience analyzing system behavior.) Perhaps you
>> can at least identify the virus? The more specific the better.
>>
>> Seriously, I can't imagine any way for something to execute itself from
>> inside a SR restore point, but if it can be done I want to know all about
>> it.
>>
>
> It was a long time ago and my recollection is that I zapped a virus with
> Avast and it kept coming back until I nuked all the restore points. I'm
> sorry I can't be more specific. Had I known you would have asked, I would
> have taken notes ;-)
>
> --
> C
From: Ken Blake, MVP on 11 Mar 2010 12:55

On Thu, 11 Mar 2010 13:37:04 +0100, C <c(a)nospamers.com.invalid> wrote:

> Ronin wrote:
> > You have diagnosed an infection that absolutely, positively came from a
> > SR restore point? You're absolutely certain that it didn't come from
> > elsewhere? Do you mind sharing the information necessary to repeat the
> > issue? I am perfectly able and eager to do so, and I have all the
> > necessary equipment (i.e., a spare machine that I use for
> > experimentation and a fair amount of experience analyzing system
> > behavior.) Perhaps you can at least identify the virus? The more
> > specific the better.
> >
> > Seriously, I can't imagine any way for something to execute itself from
> > inside a SR restore point, but if it can be done I want to know all
> > about it.
> >
>
> It was a long time ago and my recollection is that I zapped a virus with
> Avast and it kept coming back until I nuked all the restore points.

It undoubtedly came back in the sense that Avast continued to report its presence. However it never really went away because it was still there in the restore points.

And most important, although Avast continued to report that it was there, it was completely harmless in the restore points.

> I'm
> sorry I can't be more specific. Had I known you would have asked, I
> would have taken notes ;-)
>
> --
> C

--
Ken Blake, Microsoft MVP (Windows Desktop Experience) since 2003
Please Reply to the Newsgroup
From: C on 11 Mar 2010 13:08

Ken Blake, MVP wrote:
>> It was a long time ago and my recollection is that I zapped a virus with
>> Avast and it kept coming back until I nuked all the restore points.
>
>
> It undoubtedly came back in the sense that Avast continued to report
> its presence. However it never really went away because it was still
> there in the restore points.
>
> And most important, although Avast continued to report that it was
> there, it was completely harmless in the restore points.
>
>
>> I'm
>> sorry I can't be more specific. Had I known you would have asked, I
>> would have taken notes ;-)
>>
>> --
>> C
>

That's not the only place where Avast reported that it was. It kept putting itself back into Windows/System32. Once I nuked the one in System 32 and flushed the restore points, no more virus anywhere.

--
C
From: philo on 12 Mar 2010 17:01

MowGreen wrote:
> C wrote:
>> Eric wrote:
>>> We've encountered a virus on one of our windows xp professional
>>> machines. It locks the computer up at random intervals. We've cleaned
>>> the computer using multiple different anti-viruses which fixes the
>>> problem for a time, however the virus always comes back within a day.
>>> We've used anti-rootkits and found nothing as well.
>>> It also seems to only lock the computer up if it is connected with the
>>> ethernet cable.
>>> Any suggestions would be greatly appreciated.
>>
>> Try removing all the system restore points after doing another malware
>> clean up as malware can hang out in there.
>>
>
> Let's end this misconception, misunderstanding, or miscomprehension -
>
> *** Malware in System Restore can *NOT* infect a clean OS and is *not*
> active unless a restore point that includes it is used ***
> Period !!!
>
> MowGreen
> ================
> *-343-* FDNY
> Never Forgotten
> ================
>
> banthecheck.com
> "Security updates should *never* have *non-security content* prechecked

Nope.

About a year ago I repaired a machine that had been compromised.

It had been used for on-line banking and credit card transactions
and two accounts had been hacked.

First thing I did was scan for root kits in all the places one would
expect.

Nothing found.

After giving the machine a thorough scan...
the root kit was found "hiding" in the restore volume!
From: PA Bear [MS MVP] on 12 Mar 2010 19:56

philo wrote:
<snip>
> About a year ago I repaired a machine that had been compromised.
>
> It had been used for on-line banking and credit card transactions
> and two accounts had been hacked.
>
> First thing I did was scan for root kits in all the places one would
> expect.
>
> Nothing found.
>
> After giving the machine a thorough scan...
> the root kit was found "hiding" in the restore volume!

So what? That "restore volume" wasn't active & posed no threat unless you or the user selected that particular Restore Point.

As for detecting rootkits:

Backdoor.Tidserv [AKA Win32/Alureon] and MS10-015
<QP>
Backdoor.Tidserv does a very good job in that sense, especially with the latest version (TDL3), which uses an advanced rootkit technology to hide its presence on a system by infecting one of the low-level kernel drivers and then covering its tracks. *While the rootkit is active there is no easy way to detect the infection*, and because it goes so deep into the kernel, most users cannot see anything wrong in the system...Even worse, because the infected driver is critical for system boot-up, Windows will not boot in Safe Mode either [after having installed MS10-015 on an infected machine]. [*emphasis mine*]
</QP>
http://www.symantec.com/connect/blogs/tidserv-and-ms10-015

Tdss rootkit silently owns the net
<QP>
Tdss rootkit 3rd variant is the last member of Tdss rootkit family that is quickly spreading around the world. While a number of rootkits are just developed as a proof of concept, this is not the case. Tdss rootkit is well known to antivirus companies because of its goal to get total control of the infected PCs and using them as zombies for its botnet. During these years it has always shown a team of skilled people behind it, who always applied advanced techniques *often able to bypass antirootkit softwares*. Actually, this last variant could be easily named as the stealthiest rootkit in the wild.

This infection is bringing all together the best of MBR rootkit, the best of Rustock.C and the experience of old Tdss variants. Result is an infection that is quickly spreading on the net and it is *undetected by almost every security software and 3rd party anti rootkit software*.

....currently [20 Nov-09] *no antirootkit is able to bypass disk filtering technique* used by Tdss rootkit but, even if it was possible, this rootkit could not be detected by file size cross check because file size of the original and infected files are exactly the same. [*emphasis mine*]
</QP>
http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
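The Prevx excerpt quoted above makes a point worth seeing in code: a "file size cross check" cannot catch a driver that has been patched in place, because the modified file is exactly as large as the original. The following is an added example, not code from the thread, from Symantec or from Prevx. It constructs a fake "driver image" and a same-size patched copy, shows that a size comparison reports both as unchanged, and then runs a SHA-256 baseline comparison that does flag the difference. The path name, the byte contents and the `build_baseline`/`verify` helpers are all made up for illustration.

```python
"""Size-only integrity check versus hash-based baseline check.

Added example (not from the newsgroup thread, Symantec or Prevx).
All file names and bytes below are constructed for illustration.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample: a hypothetical clean 4096-byte driver image and an
# in-place patched copy of identical length (16 bytes overwritten, no
# change in size).
ORIGINAL = bytes(range(256)) * 16
_patched = bytearray(ORIGINAL)
_patched[0x400:0x410] = b"\x90" * 16
PATCHED = bytes(_patched)

# Hypothetical path used as the baseline key; not a real system file.
SAMPLE_PATH = "drivers/example.sys"


def size_check(baseline: bytes, candidate: bytes) -> bool:
    """The naive cross check: report 'unchanged' whenever sizes match."""
    return len(baseline) == len(candidate)


def sha256(data: bytes) -> str:
    """Hex SHA-256 digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def hash_check(baseline_digest: str, candidate: bytes) -> bool:
    """Content-based check: 'unchanged' only if the digest still matches."""
    return sha256(candidate) == baseline_digest


def build_baseline(files: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Record size and SHA-256 per path while the system is still trusted."""
    return {path: (len(data), sha256(data)) for path, data in files.items()}


def verify(baseline: Dict[str, Tuple[int, str]],
           current: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare current contents against the baseline and return findings.

    A size change is reported as such; a same-size content change is
    reported separately, since that is the case a size-only check misses.
    """
    findings: List[Tuple[str, str]] = []
    for path, (size, digest) in baseline.items():
        data = current.get(path)
        if data is None:
            findings.append((path, "missing"))
        elif len(data) != size:
            findings.append((path, "size changed"))
        elif sha256(data) != digest:
            findings.append((path, "content changed, size identical"))
    for path in current:
        if path not in baseline:
            findings.append((path, "not in baseline"))
    return findings


if __name__ == "__main__":
    # Size check passes for the patched copy; hash check does not.
    print("size check says unchanged:", size_check(ORIGINAL, PATCHED))
    print("hash check says unchanged:", hash_check(sha256(ORIGINAL), PATCHED))
    baseline = build_baseline({SAMPLE_PATH: ORIGINAL})
    for path, finding in verify(baseline, {SAMPLE_PATH: PATCHED}):
        print(f"{path}: {finding}")
```

One caveat follows directly from the same excerpt: if the rootkit filters disk reads from inside the running OS, a hash check executed there may be handed the original bytes and pass anyway. A baseline comparison of this kind is only trustworthy when the files are read from outside the suspect OS, for example from a clean boot medium, and when the baseline itself was recorded while the system was known to be clean.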