Guest FromTheRafters
Posted October 22, 2008

I was speaking in a more general nature, analogous to someone asking if their rat infestation in their basement can be eradicated by removing everything and exterminating all of the rats in the basement. If indeed all of the rats are exterminated, the basement is clean. My point was that attic rats or rats hiding in what was taken out before the eradication process could reinfest the basement once returned.

Assuming the computer was not connected to any network until after SP3 and IE7 were installed, it looks like you did everything right.

"ElizaDoolittle" <ElizaDoolittle@discussions.microsoft.com> wrote in message news:8705773B-0940-41C4-9945-FA4A78DDB05E@microsoft.com...
> Thanks for your reply, Rafters.
>
> Are we all equally vulnerable to this thing by simply re-installing Windows, or am I just specially blessed?
>
> As God is my witness, the only things I have done after the full, write-0s reformat is install WindowsXPPro SP2 from a retail disk, and then, from disks downloaded at a computer not part of my network, install SP3, IE7 and the aforementioned Package Installer updates.
>
> Even before I install the updates, I see these logfile entries and other stuff mentioned in my note to PA Bear above:
>
> --HiPerfCooker, CmdTriggerConsumer, and Rsop Planning Mode provider "warnings" using terms like "failure to impersonate", described in my other long-winded postings.
>
> --Even though there is no Web Based Enterprise Management system that I have set up, there sure is evidence that someone has. Curiously, I find things in the WBEM logs that have lines in them including,
> --BSTR Query = SELECT FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct'
> --ESS is now open for business
>
> "FromTheRafters" wrote:
>> > That is, are there documented cases where you can't get rid of the buggers, whether you do a full-format reinstall of the disk, or use a Windows 98 disk to do fdisk/mbr, use things like DBAN or KILLDISK to write 0s to the hard drive?
>>
>> Yes, but in those cases the infection or vulnerability was brought back to the system rather than having survived such tactics. For example reintroducing the vulnerability which led to the initial attack (i.e. reinstalling Windows) or perhaps restoring some program or data from a backup that had been tainted.
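The WBEM log lines quoted above come from the WMI event subsystem, and the usual defender's check is to enumerate the permanent event subscriptions it holds rather than infer them from log text. The script below is an added example, not part of the thread; it assumes an elevated PowerShell session on the machine being examined.

```powershell
# Added example (not from the thread): list WMI permanent event subscriptions
# in root\subscription, the store behind filter/consumer log entries.
# Assumes PowerShell run as an administrator on the machine in question.
$ns = 'root\subscription'

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

Write-Host "== Event filters (the WQL queries that can trigger an action) =="
foreach ($f in $filters) {
    "{0,-30} {1}" -f $f.Name, $f.Query
}

Write-Host "`n== Event consumers (what runs when a bound filter fires) =="
foreach ($c in $consumers) {
    # __EventConsumer is abstract; the concrete class tells you the action type
    $detail = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { "script engine: $($c.ScriptingEngine)" }
        default                     { '' }
    }
    "{0,-26} {1,-30} {2}" -f $c.__CLASS, $c.Name, $detail
}

Write-Host "`n== Bindings (which filter is wired to which consumer) =="
foreach ($b in $bindings) {
    # Filter and Consumer are object paths, e.g. __EventFilter.Name="..."
    "{0}  ->  {1}" -f $b.Filter, $b.Consumer
}
```

On a freshly installed system this list is normally empty or very short, so any CommandLineEventConsumer or ActiveScriptEventConsumer you did not create yourself is what deserves attention; a temporary subscription such as the AntiVirusProduct/FirewallProduct query in the post is not stored here.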
Guest ~BD~
Posted October 22, 2008

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:emaLiKENJHA.740@TK2MSFTNGP03.phx.gbl...
> Many posters have taken the time to answer your questions (in fact this very topic was discussed) in the past. Having expended the effort to explain, you return to ask the same or remarkably similar question later on as if you didn't even read their well stated response. Conversing with you can be an exercise in futility, and it is no wonder that some have given up.

I once used to believe everything I saw 'on-screen' - nowadays I need to understand matters before I will accept things. You are one of the few folk in this group who has had the patience to provide explanations, rather than just state things and expect me to accept same without question. For that I thank you.

> As to your requests, PA Bear will do as he pleases when and if the OP requests an explanation of what "Yes" means.

He most certainly will (do as he pleases). He would never give me an explanation of exactly what he might have meant by a 'yes' response.

> I will not endeavor to answer you again about whether or not malware can survive certain actions taken against data on disk,

You don't appear - to me anyway - to have said exactly the same as 'drdos' when he said in that Kaspersky Forum thread .......

"Performing a standard Disk Format and Reinstall of the Operating System will render common infections incompatible, but not all Rootkits and its accompanying payload of malware.....Rootkits work from outside the Operating System and can hide in Bad Sectors of the Hard Disk, thus have places to hide on the Hard Disk that are essentially outside the Operating System's environment, untouchable by it, yet still at hand.....

Most wiping, erasing, formatting, and partitioning tools will not overwrite logical bad sectors on the Disk, leaving the Rootkits and their accompanying payload of malware behind and still active..... Rootkits in themselves are not a threat.....the danger is that Rootkits have the invincible power of Stealth.....Malicious Programmers can hide their malware safely inside the protection of the Rootkit..... Rootkits reside in the Root of things, thus the name 'Root', that serves as a protective container for the accompanying payload of malware, or on the bright side, the accompanying payload of Software Code with productive, safe intentions; together they are a 'KIT'.....thus the name 'ROOTKIT'.....and Rootkits are not a joke..... Once the Computer is compromised by a Rootkit with its accompanying payload of malware, all files in the System can not be trusted and are likely infected.....this includes all the System files, Software, backups, removable disks, and restore points..... Rootkits can not only hide themselves in Bad Sectors of Hard Disks, they can also hide themselves in the Boot Sectors of Hard Disks, CD/DVD, and Floppy Disks..... Rootkits can also hide in the Firmware of Hardware Components, in the BIOS, Motherboard, Video-card EEPROM or Alternate Data Streams..... Rootkits hide their processes, files, and folders by using sophisticated hooking and filtering techniques. As a result, traditional methods of viewing the system state typically return no indication of foul play.....the Rootkit makes sure of that. When a Rootkit is cloaked, system utilities such as Task Manager, Regedit, will not be able to expose the processes and Registry data that should betray the presence of the Rootkit. The lurking Rootkit files will not be viewable in Windows Explorer or even via the command line.....The Rootkit needs to be uncloaked; in return the Malware Components it was hiding become uncloaked as well.....

-drdos "

> but I am not yet to the point of completely ignoring you.

That's good to know!

Dave
--
Guest PA Bear [MS MVP]
Posted October 22, 2008

Methods 1 or 2 in KB943144 should resolve all of your issues, Eliza. If not, open a free support incident or take your machine to a local, reputable, and independent shop (i.e., NOT Circuit City or any other BigBoxStore USA or Geek Squad).

ElizaDoolittle wrote:
> PA Bear, thanks for your kind, patient and knowledgeable replies. I am going to put a check mark on this one, and the one with the
>> 1. Were you able to successfully install all critical security updates offered after you'd done Methods 1 or 2 in KB943144??
>
> Not exactly. Please be patient once again with my long-winded (or detailed, as you prefer) reply.
<snip>
Guest PA Bear [MS MVP]
Posted October 22, 2008

[Please don't feed the troll. THX]

FromTheRafters wrote:
> Many posters have taken the time to answer your questions (in fact this very topic was discussed) in the past. Having expended the effort to explain, you return to ask the same or remarkably similar question later on as if you didn't even read their well stated response. Conversing with you can be an exercise in futility, and it is no wonder that some have given up.
>
> As to your requests, PA Bear will do as he pleases when and if the OP requests an explanation of what "Yes" means.
>
> I will not endeavor to answer you again about whether or not malware can survive certain actions taken against data on disk, but I am not yet to the point of completely ignoring you.
>
> "~BD~" <~BD~@no.mail.afraid.com> wrote in message news:Os1mY2ANJHA.1160@TK2MSFTNGP04.phx.gbl...
>>
>> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:%23VD9XS9MJHA.456@TK2MSFTNGP06.phx.gbl...
>>>
>>> "ElizaDoolittle" <ElizaDoolittle@discussions.microsoft.com> wrote in message news:622FFA96-D60A-4521-9201-29104C349456@microsoft.com...
>>>> And here's another, related question that I started to post as a new one:
>>>> Are there known viruses or other intruders that have been documented as being able to survive a full nuke and burn of the hard drive?
>>>
>>> No, not on that harddrive. As long as your definition of "full nuke" and "burn" includes all data on that disk being overwritten.
>>>
>>> ...and by "data" I mean code as well - it is all data on disk
>>>
>>>> That is, are there documented cases where you can't get rid of the buggers, whether you do a full-format reinstall of the disk, or use a Windows 98 disk to do fdisk/mbr, use things like DBAN or KILLDISK to write 0s to the hard drive?
>>>
>>> Yes, but in those cases the infection or vulnerability was brought back to the system rather than having survived such tactics. For example reintroducing the vulnerability which led to the initial attack (i.e. reinstalling Windows) or perhaps restoring some program or data from a backup that had been tainted.
>>>
>>
>> Hi FTR
>>
>> I should be grateful if you would:-
>>
>> 1. Ask PABear to expand on his answer of simply "Yes" (he won't respond to me!) and
>>
>> 2. Go here http://forum.kaspersky.com/index.php?showt...oaterDave&st=40 and read post number 46 - then give me your further thoughts please.
>>
>> Thanks in anticipation of your further guidance.
>>
>> Dave
>>
>> --