Guest FromTheRafters Posted November 11, 2008

"Bill Ridgeway" <info@1001solutions.co.uk> wrote in message news:Oght5j9QJHA.420@TK2MSFTNGP03.phx.gbl...
> "Øyvind Granberg" wrote <<Sorry....! Some snipping went wrong...>>
>
> A sentence you don't want to hear from your surgeon. Ouch!

I wouldn't even want to hear "Oops!"
Guest ~BD~ Posted November 11, 2008

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:uBejv9DRJHA.4732@TK2MSFTNGP03.phx.gbl...
> The situation is hopeless
>
> Flatten and rebuild - don't worry about how some malware may
> be hiding somewhere waiting to reinfest your system. The chances
> are small to begin with, and in those cases where it isn't completely
> removed - it is, at least, disabled.
>
> Familiarize yourself with the process, you will be needing it again.

--

Hahaha!

However, 1PW disagrees with you FTR. He (?) said:

"All good computer technicians will tell you:

During a proper "level and rebuild" operation, absolute strict adherence to best industry practices and due diligence would have erased and protected the system from any malware proliferation.

Under the same rules as above, restoring the system from known good media will render a clean, malware free system. Guaranteed, and without further qualification".

I'm no guru, but I think he's wrong (sorry Pete!)

Dave
Guest Øyvind Granberg Posted November 11, 2008

Hi, it's me again ... :-)
Well, I guess the problem is solved.
I bought, downloaded and installed Malwarebytes Anti Malware for about ?20.
After scanning the system it found 10 infected locations.
Infected by a Trojan.DNS.Changer and a Trojan.Agent
After choosing to remove them all, and a reboot, everything seems to be just fine.

Really, my friends:
Can I throw out all of my anti-mal/spy/ad/virus-ware and just keep Malwarebytes? (hehe....?)

Nah.. seriously:
But answer me this; why didn't Microsoft's Windows Defender, Grisoft's AVG 8, Spybot Search & Destroy and Lavasoft's AdAware stop it from establishing itself on my system, let alone afterwards find it and erase it, while a program like Malwarebytes did? I am flabbergasted!

--
Kind regards
Øyvind Granberg
tresfjording@live.no
www.tresfjording.com

"Øyvind Granberg" <tresfjording@live.no> wrote in news message 8E324C69-BD20-45A4-96B3-709EB6EF18DF@microsoft.com ...
> Hi...
>
> There is a virus in my computer. I am convinced about that.
> I cannot download anything concerning updates to Ad-Aware or Spybot.
> I cannot download anything at all from Microsoft.com like the Outlook
> Connector or anything else I've tried.
> Neither can I download the aforementioned files from these sites with
> FF3, Google Chrome or Opera 9.26.
>
> When browsing using IE8, I get a message stating that a pop up has been
> prevented. Even on my own web pages where there is no pop up at all.
>
> Something is preventing me from downloading anything that I can use to
> remove it!?!?!
>
> I need help...
> Running Windows Vista Ultimate with all updates.
> AVG 8 Free
> Windows Defender
> Spybot once a week
> UAC disabled
> Firewall disabled
>
>
> Tried Bitdefender's online scanner and even that couldn't update its
> definition file.
> I have scanned thoroughly twice with AVG 8
> So too with Spybot and Windows defender.
>
> What is wrong, and how can I get rid of it?
>
> --
>
> Kind regards
> Øyvind Granberg
>
> tresfjording@live.no
> www.tresfjording.com
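The post above names the culprit as a Trojan.DNS.Changer, and the symptoms it lists (downloads failing from every browser, security vendors' update servers unreachable) are what you see when a machine's resolver settings have been pointed at servers the attacker controls. As an added example (not code from this thread or from any product mentioned in it), the Python below parses the output of `ipconfig /all` and flags every DNS server that is not on an allowlist. The ipconfig text, the allowlist (the home router at 192.168.1.1) and the two rogue resolvers are all constructed for the example; 203.0.113.0/24 is a documentation range, not a real indicator.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample of `ipconfig /all` output (not taken from the thread).
# One adapter points at two resolvers outside the LAN; the other uses the
# router, which is what a DHCP-configured home machine should show.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : VISTA-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.5
                                       203.0.113.6

Wireless LAN adapter Wireless Network Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.11(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Resolvers this machine is expected to use (assumption: the home router).
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1"}

_ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
_KEY_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")


def parse_dns_servers(text: str) -> Dict[str, List[str]]:
    """Return {adapter name: [DNS server addresses]} from ipconfig /all text.

    ipconfig lists additional DNS servers on indented continuation lines with
    no key, so the parser remembers whether the last key seen was DNS Servers.
    """
    servers: Dict[str, List[str]] = {}
    adapter = None
    in_dns = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            in_dns = False
            continue
        m = _ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers.setdefault(adapter, [])
            in_dns = False
            continue
        m = _KEY_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            in_dns = adapter is not None and key.startswith("DNS Servers")
            if in_dns and value:
                servers[adapter].append(value)
            continue
        if in_dns:
            # Continuation line: another server under the same DNS Servers key.
            servers[adapter].append(line.strip())
    return servers


def audit_resolvers(servers: Dict[str, List[str]],
                    expected: Set[str]) -> Dict[str, List[str]]:
    """Return {adapter: [resolvers not on the allowlist]}; an empty dict is clean.

    Values that do not parse as IP addresses are reported as well, since a
    non-address in this field is itself a sign of tampering.
    """
    findings: Dict[str, List[str]] = {}
    for adapter, addrs in servers.items():
        for addr in addrs:
            try:
                canonical = str(ipaddress.ip_address(addr))
            except ValueError:
                canonical = addr
            if canonical not in expected:
                findings.setdefault(adapter, []).append(canonical)
    return findings


if __name__ == "__main__":
    found = audit_resolvers(parse_dns_servers(SAMPLE_IPCONFIG), EXPECTED_RESOLVERS)
    for adapter, bad in found.items():
        print(f"{adapter}: unexpected DNS server(s) {', '.join(bad)}")
```

On a live machine, replace `SAMPLE_IPCONFIG` with the captured output of `ipconfig /all`. Two caveats: a changer that has rewritten the resolver setting will rewrite it again after you correct it unless the component doing the rewriting is removed too, and the same class of malware can point the router at rogue resolvers instead of the PC, in which case every adapter shows the router's address and looks clean while the router itself forwards to the attacker.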
Guest FromTheRafters Posted November 11, 2008

"~BD~" <~BD~@nomail.afraid.com> wrote in message news:eSQggDERJHA.3880@TK2MSFTNGP04.phx.gbl...
>
> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
> news:uBejv9DRJHA.4732@TK2MSFTNGP03.phx.gbl...
>> The situation is hopeless
>>
>> Flatten and rebuild - don't worry about how some malware may
>> be hiding somewhere waiting to reinfest your system. The chances
>> are small to begin with, and in those cases where it isn't completely
>> removed - it is, at least, disabled.
>>
>> Familiarize yourself with the process, you will be needing it again.
>
> --
>
> Hahaha!
>
> However, 1PW disagrees with you FTR. He (?) said:
>
> "All good computer technicians will tell you:
>
> During a proper "level and rebuild" operation, absolute strict adherence
> to best industry practices and due diligence would have erased and
> protected the system from any malware proliferation.
>
> Under the same rules as above, restoring the system from known good
> media will render a clean, malware free system. Guaranteed, and without
> further qualification".
>
> I'm no guru, but I think he's wrong (sorry Pete!)

He is not incorrect.
Guest FromTheRafters Posted November 11, 2008

"Øyvind Granberg" <tresfjording@live.no> wrote in message news:253C3A03-51AE-4BB1-BA53-04492EC18FD4@microsoft.com...
> Hi, it's me again ... :-)
> Well, I guess the problem is solved.
> I bought, downloaded and installed Malwarebytes Anti Malware for about
> ?20.
> After scanning the system it found 10 infected locations.
> Infected by a Trojan.DNS.Changer and a Trojan.Agent
> After choosing to remove them all, and a reboot, everything seems to be
> just fine.
>
> Really, my friends:
> Can I throw out all of my anti-mal/spy/ad/virus-ware and just keep
> Malwarebytes? (hehe....?)
>
> Nah.. seriously:
> But answer me this; why didn't Microsoft's Windows Defender, Grisoft's AVG
> 8, Spybot Search & Destroy and Lavasoft's AdAware stop it from
> establishing itself on my system, let alone afterwards find it and erase
> it, while a program like Malwarebytes did? I am flabbergasted!

There are gaps in coverage for all types of anti-malware/adware/spyware applications. There are overlaps in them also. The more the merrier as far as that goes - until something conflicts with something else.
Guest FromTheRafters Posted November 11, 2008

> ...why didn't Microsoft's Windows Defender, Grisoft's AVG
> 8, Spybot Search & Destroy and Lavasoft's AdAware stop it from
> establishing itself on my system

That's not their job - it's yours!
Guest David H. Lipman Posted November 11, 2008

From: "FromTheRafters" <erratic@nomail.afraid.org>

| "Øyvind Granberg" <tresfjording@live.no> wrote in message
| news:253C3A03-51AE-4BB1-BA53-04492EC18FD4@microsoft.com...
>> Hi, it's me again ... :-)
>> Well, I guess the problem is solved.
>> I bought, downloaded and installed Malwarebytes Anti Malware for about
>> ?20.
>> After scanning the system it found 10 infected locations.
>> Infected by a Trojan.DNS.Changer and a Trojan.Agent
>> After choosing to remove them all, and a reboot, everything seems to be
>> just fine.

>> Really, my friends:
>> Can I throw out all of my anti-mal/spy/ad/virus-ware and just keep
>> Malwarebytes? (hehe....?)

>> Nah.. seriously:
>> But answer me this; why didn't Microsoft's Windows Defender, Grisoft's AVG
>> 8, Spybot Search & Destroy and Lavasoft's AdAware stop it from
>> establishing itself on my system, let alone afterwards find it and erase
>> it, while a program like Malwarebytes did? I am flabbergasted!

| There are gaps in coverage for all types of anti-malware/adware/spyware
| applications. There are overlaps in them also. The more the merrier as far
| as that goes - until something conflicts with something else.

Also I think it's due to MBAM's behavioural algorithm. Bruce described it to me and it's eloquent.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest ~BD~ Posted November 11, 2008

"Øyvind Granberg" <tresfjording@live.no> wrote in message news:253C3A03-51AE-4BB1-BA53-04492EC18FD4@microsoft.com...
<snip>
> But answer me this; why didn't Microsoft's Windows Defender, Grisoft's AVG
> 8, Spybot Search & Destroy and Lavasoft's AdAware stop it from
> establishing itself on my system, let alone afterwards find it and erase
> it, while a program like Malwarebytes did? I am flabbergasted!
>
> --

Maybe you have heard about 'turning Queen's evidence' OG?
http://www.answers.com/topic/turn-state-s-evidence

Maybe a black hat or two has/have switched sides and is/are better equipped to help develop this relatively new anti-malware facility known as Malwarebytes.

Please note, though, that it is NOT an anti-virus programme - you will still need one of those!

Dave
Guest ~BD~ Posted November 11, 2008

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:eD6oUjERJHA.1164@TK2MSFTNGP03.phx.gbl...
>
<snip>
>> However, 1PW disagrees with you FTR. He (?) said:
>>
>> "All good computer technicians will tell you:
>>
>> During a proper "level and rebuild" operation, absolute strict adherence
>> to best industry practices and due diligence would have erased and
>> protected the system from any malware proliferation.
>>
>> Under the same rules as above, restoring the system from known good
>> media will render a clean, malware free system. Guaranteed, and without
>> further qualification".
>>
>> I'm no guru, but I think he's wrong (sorry Pete!)
>
> He is not incorrect.

Have you time to explain, FTR?

Maybe I misunderstood.

I thought we had established that ........ um ....... 'code' could remain (somewhere) within a machine (even if a shiny brand new hard disk was installed) - albeit inactive - until, just possibly, it could join forces with additional elements captured from the Internet.

Your further thoughts would be most welcome.

Dave
Guest 1PW Posted November 11, 2008

On 11/11/2008 01:03 PM, ~BD~ sent:
> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
> news:uBejv9DRJHA.4732@TK2MSFTNGP03.phx.gbl...
>> The situation is hopeless
>>
>> Flatten and rebuild - don't worry about how some malware may
>> be hiding somewhere waiting to reinfest your system. The chances
>> are small to begin with, and in those cases where it isn't completely
>> removed - it is, at least, disabled.
>>
>> Familiarize yourself with the process, you will be needing it again.
>
> --
>
> Hahaha!
>
> However, 1PW disagrees with you FTR. He (?) said:
>
> "All good computer technicians will tell you:
>
> During a proper "level and rebuild" operation, absolute strict adherence
> to best industry practices and due diligence would have erased and
> protected the system from any malware proliferation.
>
> Under the same rules as above, restoring the system from known good
> media will render a clean, malware free system. Guaranteed, and without
> further qualification".
>
> I'm no guru, but I think he's wrong (sorry Pete!)
>
> Dave

Hi Dave:

I'll just paraphrase here: "I don't agree with what you said, but I will defend to the death your right to say it..."

Pete

--
1PW

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
Guest 1PW Posted November 11, 2008

On 11/11/2008 02:04 PM, FromTheRafters sent:

Snip, snip...

> There are gaps in coverage for all types of anti-malware/adware/spyware
> applications. There are overlaps in them also. The more the merrier as far
> as that goes - until something conflicts with something else.

Probably for years to come, these words are suitable for framing. Well said FTR.

--
1PW

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
Guest 1PW Posted November 12, 2008

On 11/11/2008 01:17 PM, Øyvind Granberg sent:
> Hi, it's me again ... :-)
> Well, I guess the problem is solved.

Snip, snip...

Hello ØG:

It's simply splendid that your system is OK now. I am very happy for you.

Using the gentlest and most respectful terms; the absolute first reply to your original post would have shown you the path - two days ago.

I do hope we have gained an evangelist for safe computing.

Now - the posts of others in this, and similar, newsgroups will spell out the many effective procedures for self protection. What will you do now?

Warm regards and good wishes to you.

Pete

--
1PW

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
Guest FromTheRafters Posted November 12, 2008

"~BD~" <~BD~@nomail.afraid.com> wrote in message news:erwON2ERJHA.420@TK2MSFTNGP03.phx.gbl...
>
> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
> news:eD6oUjERJHA.1164@TK2MSFTNGP03.phx.gbl...
>>
>
> <snip>
>
>>> However, 1PW disagrees with you FTR. He (?) said:
>>>
>>> "All good computer technicians will tell you:
>>>
>>> During a proper "level and rebuild" operation, absolute strict adherence
>>> to best industry practices and due diligence would have erased and
>>> protected the system from any malware proliferation.
>>>
>>> Under the same rules as above, restoring the system from known good
>>> media will render a clean, malware free system. Guaranteed, and without
>>> further qualification".
>>>
>>> I'm no guru, but I think he's wrong (sorry Pete!)
>
>>
>> He is not incorrect.
>
> Have you time to explain, FTR?
>
> Maybe I misunderstood.
>
> I thought we had established that ........ um ....... 'code' could
> remain (somewhere) within a machine (even if a shiny brand new hard disk
> was installed) - albeit inactive -

So far so good, but here's where you might have misunderstood.

> until, just possibly, it could join forces with additional elements
> captured from the Internet.

Any foreign code residing in EEPROM would still run during boot. Any code that belonged there but had been relocated to disk by the infecting malware wouldn't (obviously). You end up with corruption in EEPROM but no malware.

If there is malware ITW actively flashing EEPROM then a proper [whatever he said] with strict adherence to [what he said] would have to include reflashing EEPROMs with the proper code.

It seems he chose his words carefully.

He also didn't suggest bringing back any programs from outside of the "known good media". At that point it is as free of malware as it was when new. His statement is correct.
Guest 1PW Posted November 12, 2008

On 11/11/2008 06:06 PM, FromTheRafters sent:

Snip, snip...

>> Maybe I misunderstood.
>>
>> I thought we had established that ........ um ....... 'code' could
>> remain (somewhere) within a machine (even if a shiny brand new hard disk
>> was installed) - albeit inactive -
>
> So far so good, but here's where you might have misunderstood.
>
>> until, just possibly, it could join forces with additional elements
>> captured from the Internet.
>
> Any foreign code residing in EEPROM would still run during boot.
> Any code that belonged there but had been relocated to disk by the
> infecting malware, wouldn't (obviously). You end up with corruption
> in EEPROM but no malware.
>
> If there is malware ITW actively flashing EEPROM then a proper
> [whatever he said] with strict adherence to [what he said] would
> have to include reflashing EEPROMs with the proper code.

...and of course reflashing would render new/good checksums for both BIOS and CMOS, individually. Malware that /had/ flashed an EEPROM would have had to account for the current configuration and many custom values, only usable then and there. The amount of code to support such activities, even if written in assembler, would make the size of the malware much greater and much more noticeable.

Malware only has a few places to hide. Careful cleaning of all those places will make the problem cease to exist. In everyday practice, most malware just lives on one's hard disk drive.

> It seems he chose his words carefully.

> He also didn't suggest bringing back any programs from outside of
> the "known good media". At that point it is as free of malware as it
> was when new. His statement is correct.

With every keystroke, I was besieged by multitudes of attorneys... :-)

Comedy aside, I'm sure you'd agree that if a flawless procedure isn't adhered to, an exercise in futility might result.

Now - how do we tell the world?

Peace be with you always FTR.

Pete

--
1PW

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
Guest Øyvind Granberg Posted November 12, 2008

Hi 1PW

According to my wife nothing will change and I will go about my life as usual.

Are there lessons to be learned? Yes, of course.

But let me assure you that your advice regarding the process of removing unwanted malware was read and acknowledged early on in this thread. But, as an old man learning about computers twenty five years ago when everything was free, I was reluctant to jump into my wallet and shuffle out buckets of money to any, for me, unknown anti malware producer on the net. I had to check around to see if this Malwarebytes was the real McCoy or just another adware trap. Googling around surfaced a lot of suggestions to a solution, some involving dubious methods including shutting down firewalls and antivirus software. A man must be cautious, you know.

Action taken: Well, I have restarted my MS firewall. Zonealarm or Kerio or any other similar software will not be installed due to too much inconvenience, i.e. network wise.

So let me, here at the end, thank you all for all possible and valuable help regarding the removal of the Trojan.DNS.Changer virus, and let me tell you that newsgroups have, for me, always been a never ending source of information I will continue to explore in yet another twenty five years... (I hope)

Again, thanks to you all...

--
Kind regards
Øyvind Granberg
tresfjording@live.no
www.tresfjording.com

"1PW" <barcrnahgjuvfgyr@nby.pbz> wrote in news message gfd719$8i9$1@registered.motzarella.org ...
> On 11/11/2008 01:17 PM, Øyvind Granberg sent:
>> Hi, it's me again ... :-)
>> Well, I guess the problem is solved.
>
> Snip, snip...
>
> Hello ØG:
>
> It's simply splendid that your system is OK now. I am very happy for
> you.
>
> Using the gentlest and most respectful terms; the absolute first reply
> to your original post would have shown you the path - two days ago.
>
> I do hope we have gained an evangelist for safe computing.
>
> Now - the posts of others in this, and similar, newsgroups will spell
> out the many effective procedures for self protection. What will you
> do now?
>
> Warm regards and good wishes to you.
>
> Pete
>
> --
> 1PW
>
> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
Guest ~BD~ Posted November 12, 2008

"1PW" <barcrnahgjuvfgyr@nby.pbz> wrote in message news:gfd5h8$ruj$1@registered.motzarella.org...
>
> Hi Dave:
>
> I'll just paraphrase here: "I don't agree with what you said, but I will
> defend to the death your right to say it..."
>
> Pete
>
> --
> 1PW
>
> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

--

Thank you, Pete!
Guest ~BD~ Posted November 12, 2008

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:ONaHNtGRJHA.588@TK2MSFTNGP06.phx.gbl...
>
> "~BD~" <~BD~@nomail.afraid.com> wrote in message
> news:erwON2ERJHA.420@TK2MSFTNGP03.phx.gbl...
>>
>> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
>> news:eD6oUjERJHA.1164@TK2MSFTNGP03.phx.gbl...
>>>
>>
>> <snip>
>>
>>>> However, 1PW disagrees with you FTR. He (?) said:
>>>>
>>>> "All good computer technicians will tell you:
>>>>
>>>> During a proper "level and rebuild" operation, absolute strict
>>>> adherence
>>>> to best industry practices and due diligence would have erased and
>>>> protected the system from any malware proliferation.
>>>>
>>>> Under the same rules as above, restoring the system from known good
>>>> media will render a clean, malware free system. Guaranteed, and
>>>> without
>>>> further qualification".
>>>>
>>>> I'm no guru, but I think he's wrong (sorry Pete!)
>>
>>>
>>> He is not incorrect.
>>
>> Have you time to explain, FTR?
>>
>> Maybe I misunderstood.
>>
>> I thought we had established that ........ um ....... 'code' could
>> remain (somewhere) within a machine (even if a shiny brand new hard disk
>> was installed) - albeit inactive -
>
> So far so good, but here's where you might have misunderstood.
>
>> until, just possibly, it could join forces with additional elements
>> captured from the Internet.
>
> Any foreign code residing in EEPROM would still run during boot.
> Any code that belonged there but had been relocated to disk by the
> infecting malware, wouldn't (obviously). You end up with corruption
> in EEPROM but no malware.
>
> If there is malware ITW actively flashing EEPROM then a proper
> [whatever he said] with strict adherence to [what he said] would
> have to include reflashing EEPROMs with the proper code.
>
> It seems he chose his words carefully.
>
> He also didn't suggest bringing back any programs from outside of
> the "known good media". At that point it is as free of malware as it
> was when new. His statement is correct.
>

Thank you for explaining in more detail, FTR.

I've subsequently spent much time today 'Googling' - and learning new things!

Now I'm wondering if there is some way that I could read the 'instructions' stored in the EEPROM - BIOS chip in my previous vocabulary (!). Perhaps you will advise if this is possible and, if so, just how I may do so.

I really do appreciate you helping me to understand these matters.

Thanks again.

Dave
Guest ~BD~ Posted November 12, 2008

"1PW" <barcrnahgjuvfgyr@nby.pbz> wrote in message news:gfdjnn$9nc$1@registered.motzarella.org...
> On 11/11/2008 06:06 PM, FromTheRafters sent:
>
> Snip, snip...

>> [whatever he said] with strict adherence to [what he said] would
>> have to include reflashing EEPROMs with the proper code.
>
> ...and of course reflashing would render new/good checksums for both
> BIOS and CMOS, individually. Malware that /had/ flashed an EEPROM
> would have had to account for the current configuration and many custom
> values, only usable then and there. The amount of code to support such
> activities, even if written in assembler, would make the size of the
> malware much greater and much more noticeable.

Might not the required malicious code be introduced to a machine via a 'set-up' CD (or even a floppy disk) which has been 'doctored', shall I say? Or maybe a programme deliberately and consciously downloaded and installed by the user, albeit unwittingly?

> Malware only has a few places to hide. Careful cleaning of all those
> places will make the problem cease to exist. In everyday practice,
> most malware just lives on one's hard disk drive.

I note your precision, Pete - and I unreservedly apologise for my doubts. I'm sorry and trust you will forgive me.

I have been trying to remember if I have ever seen folk visiting 'help' forums being given 'advice' on cleaning data which is not on their hard disks.

I must have seen reference to clearing the CMOS because I can remember carrying out the instructions set out here (or similar!)
http://forum.msi.com.tw/index.php?PHPSESSI...adid=31222&sid=

It is quite some time since I've done so - I ended up scrapping my previous machine because I was convinced that a 'gremlin' remained within it!

>> It seems he chose his words carefully.

Indeed it seems so! Now I feel somewhat foolish.

>> He also didn't suggest bringing back any programs from outside of
>> the "known good media". At that point it is as free of malware as it
>> was when new. His statement is correct.

I accept that Pete's statement is correct.

I confess, though, that I am not sure what was/is meant by "bringing back any programs from outside of the known good media". Further advice would be appreciated.

> With every keystroke, I was besieged by multitudes of attorneys... :-)
>
> Comedy aside, I'm sure you'd agree that if a flawless procedure isn't
> adhered to, an exercise in futility might result.

From what you have said (and reading between the lines for me!) all the work carried out to 'clean' a hard disk could be rendered useless if action is not taken to flash the EEPROM as well.

A question though. If a machine is infected in this way, is it not possible that in trying to use same to obtain replacement BIOS information, redirection to a 'spoof' site might occur? Would you recommend obtaining the up-to-date BIOS details from a known clean machine? (i.e. not use the infected machine at all).

> Now - how do we tell the world?

I'm not sure if you meant this as a serious question but, as a start, it could be mentioned by all the 'resident' advisers here on the Microsoft security newsgroups (folk like Robear Dyer, David H Lipman, Malke and Frank Saunders - to name a few) at the time when they recommend folk visit the 'expert' forums.

> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

My expertise in code-breaking has lapsed somewhat, Pete. Will you share with me the significance of your signature block?

Bless you

Dave
Guest 1PW Posted November 13, 2008 Posted November 13, 2008 On 11/12/2008 03:19 PM, ~BD~ sent:<span style="color:blue"> > "1PW" <barcrnahgjuvfgyr@nby.pbz> wrote in message > news:gfdjnn$9nc$1@registered.motzarella.org...<span style="color:green"> >> On 11/11/2008 06:06 PM, FromTheRafters sent: >> >> Snip, snip...</span> > <span style="color:green"><span style="color:darkred"> >>> [whatever he said] with strict adherence to [what he said] would >>> have to include reflashing EEPROMs with the proper code.</span> >> ...and of course reflashing would render new/good checksums for both >> BIOS and CMOS, individually . Malware that /had/ flashed an EEPROM, >> would have had to account for the current configuration and many custom >> values, only usable then and there. The amount of code to support such >> activities, even if written in assembler, would make the size of the >> malware much greater and much more noticeable.</span> > > > Might not the required malicious code be introduced to a machine via a > 'set-up' CD (or even a floppy disk) which has been 'doctored' shall I say? > Or maybe a program deliberately and consciously downloaded and installed by > the user, albeit unwittingly? > </span> Unreservedly, yes. Healthy skepticism is your best friend at this point. A good technician would have vetted their own tools before using them on a client's system.<span style="color:blue"> > <span style="color:green"> >> Malware only has a few places to hide. Careful cleaning of all those >> places will make the problem cease to exist. In everyday practice, >> most malware just lives on one's hard disk drive.</span> > > > I note your precision, Pete - and I unreservedly apologize for my doubts. > I'm sorry and trust you will forgive me.</span> Healthy doubts are your best ally. 
No apology is required at all.

> I have been trying to remember if I have ever seen folk visiting 'help'
> forums being given 'advice' on cleaning data which is not on their hard
> disks.
>
> I must have seen reference to clearing the CMOS because I can remember
> carrying out the instructions set out here (or similar!)
> http://forum.msi.com.tw/index.php?PHPSESSI...adid=31222&sid=
>
> It is quite some time since I've done so - I ended up scrapping my previous
> machine because I was convinced that a 'gremlin' remained within it!
>
>>> It seems he chose his words carefully.
>
> Indeed it seems so! Now I feel somewhat foolish.

Now, replace that feeling with the knowledge that you've gained. FTR, David H. Lipman, Malke and others are a wonderful source of knowledge and experience.

>>> He also didn't suggest bringing back any programs from outside of
>>> the "known good media". At that point it is as free of malware as it
>>> was when new. His statement is correct.
>
> I accept that Pete's statement is correct.
>
> I confess, though, that I am not sure what was/is meant by "bringing back
> any programs from outside of the known good media". Further advice would be
> appreciated.

The statement is slightly inaccurate. Anything brought back to the subject PC must be done /through/ known good media. All reasonable steps must be taken to vet the process. MD5 checksums are certainly one of them. Re-installing from the provider's media is another. "Here there be dragons!"

>> With every keystroke, I was besieged by multitudes of attorneys... :-)
>>
>> Comedy aside, I'm sure you'd agree that if a flawless procedure isn't
>> adhered to, an exercise in futility might result.
>
> From what you have said (and reading between the lines for me!) all the work
> carried out to 'clean' a hard disk could be rendered useless if action is
> not taken to flash the EEPROM as well.

Perhaps this step can be bypassed if an investigation shows that the infection(s) was/were limited to the hard disk drive(s). Your point is not lost on me. However, the bad guy must have written effective code and that code needs to accomplish many clever things. This would need to be done with practical knowledge of /that/ system's architecture and BIOS and/or CMOS. Very challenging indeed.

> A question though. If a machine is infected in this way, is it not possible
> that in trying to use same to obtain replacement BIOS information,
> redirection to a 'spoof' site might occur? Would you recommend obtaining the
> up-to-date BIOS details from a known clean machine? (i.e. not use the
> infected machine at all).

The manufacturer's site is probably the best source. The extra benefit might be an updated BIOS.

>> Now - how do we tell the world?
>
> I'm not sure if you meant this as a serious question but, as a start, it
> could be mentioned by all the 'resident' advisers here on the Microsoft
> security newsgroups (folk like Robear Dyer, David H Lipman, Malke and Frank
> Saunders - to name a few) at the time when they recommend folk visit the
> 'expert' forums.

They hide their candles. Amongst our peers they are our experts.

Now that you are one of the experts, you may contribute from a point of experience and authority.

>> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
>
> My expertise in code-breaking has lapsed somewhat, Pete. Will you share with
> me the significance of your signature block?

The "From" address is ROT13 encoded and the one a few lines above is a ROT47 encode. Both are meant to increase the degree of difficulty for harvesters and are an email address I use to divert scams and phishing messages to. However, I do check it frequently for content.

> Bless you
>
> Dave

Peace be with you Dave.

--
1PW
@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
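An added illustration of the two encodings 1PW describes above (not code from the thread): ROT13 rotates only letters, so '@' and '.' survive and the address still looks like an address, whereas ROT47 rotates all printable ASCII including punctuation. The sample address is constructed; both rotations are their own inverse, which is why a harvester that knows the trick undoes them in one pass.

```python
import codecs

# Added example: ROT13 / ROT47 address obfuscation as described in the post.
# Neither is encryption; the point is only to defeat naive pattern matching.
# The sample below is constructed and is not anyone's mailbox.
SAMPLE = "mailbox@example.com"


def rot13(text: str) -> str:
    """Rotate A-Z/a-z by 13; digits and punctuation pass through unchanged."""
    return codecs.encode(text, "rot_13")


def rot47(text: str) -> str:
    """Rotate every printable ASCII char in '!'..'~' (33..126) by 47.

    Unlike ROT13 this also maps '@' and '.', so the address shape is hidden.
    Spaces and non-ASCII characters are left alone.
    """
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)
    return "".join(out)


def looks_like_address(text: str) -> bool:
    """Crude harvester heuristic: local@domain.tld with no spaces."""
    local, sep, domain = text.partition("@")
    return bool(sep) and bool(local) and "." in domain and " " not in text


def demo() -> dict:
    r13 = rot13(SAMPLE)
    r47 = rot47(SAMPLE)
    return {
        "rot13": r13,
        "rot47": r47,
        # 13 + 13 = 26 letters and 47 + 47 = 94 printable chars: self-inverse
        "rot13_roundtrip": rot13(r13) == SAMPLE,
        "rot47_roundtrip": rot47(r47) == SAMPLE,
        # ROT13 keeps '@' and '.', so the naive pattern still fires;
        # ROT47 rotates them away, which is the extra "degree of difficulty"
        "rot13_still_matches_pattern": looks_like_address(r13),
        "rot47_still_matches_pattern": looks_like_address(r47),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```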
Guest FromTheRafters Posted November 13, 2008

"1PW" <barcrnahgjuvfgyr@nby.pbz> wrote in message news:gfdjnn$9nc$1@registered.motzarella.org...

> On 11/11/2008 06:06 PM, FromTheRafters sent:
>
> Snip, snip...
>
>>> Maybe I mis-understood.
>>>
>>> I thought we had established that ........ um ....... 'code' could
>>> remain (somewhere) within a machine (even if a shiny brand new hard disk
>>> was installed) - albeit inactive -
>>
>> So far so good, but here's where you might have misunderstood.
>>
>>> until . just possibly, it could join forces with additional elements
>>> captured from the Internet.
>>
>> Any foreign code residing in EEPROM would still run during boot.
>> Any code that belonged there but had been relocated to disk by the
>> infecting malware, wouldn't (obviously). You end up with corruption
>> in EEPROM but no malware.
>>
>> If there is malware ITW actively flashing EEPROM then a proper
>> [whatever he said] with strict adherence to [what he said] would
>> have to include reflashing EEPROMs with the proper code.
>
> ...and of course reflashing would render new/good checksums for both
> BIOS and CMOS, individually. Malware that /had/ flashed an EEPROM,
> would have had to account for the current configuration and many custom
> values, only usable then and there. The amount of code to support such
> activities, even if written in assembler, would make the size of the
> malware much greater and much more noticeable.

Yeah, chances are if such a method were used it would be for a very specific target.

> Malware only has a few places to hide. Careful cleaning of all those
> places will make the problem cease to exist. In everyday practice,
> most malware just lives on one's hard disk drive.

...but because it is only most and not all, TPM becomes necessary.

>> It seems he chose his words carefully.
>
>> He also didn't suggest bringing back any programs from outside of
>> the "known good media". At that point it is as free of malware as it
>> was when new. His statement is correct.
>
> With every keystroke, I was besieged by multitudes of attorneys... :-)

:D

> Comedy aside, I'm sure you'd agree that if a flawless procedure isn't
> adhered to, an exercise in futility might result. Now - how do we tell
> the world?

Anything worth doing, is worth doing right. (I didn't say that - someone else did, maybe it was that Greek fella ~ Anonymous)

> Peace be with you always FTR.

Thanks, and with you as well.
Guest FromTheRafters Posted November 13, 2008

> I confess, though, that I am not sure what was/is meant by "bringing back
> any programs from outside of the known good media". Further advice would
> be appreciated.

He basically stipulated that the rebuild part was done without malware. He defined what wasn't being put back on (malware) by stating that what was being put back on was indeed clean (known good). Your favorite gizmos, gadgets, widgets, and gewgaws probably are not on the known good installation media. You want them back, so you get them from your backups -- it's "here be dragons" time.

[snip]

> From what you have said (and reading between the lines for me!) all the
> work carried out to 'clean' a hard disk could be rendered useless if
> action is not taken to flash the EEPROM as well.

No, not useless - just incomplete. Would you be satisfied if the procedure only disabled the malware? Or if it only removed some of it? How about if it completely removes it but does nothing to correct whatever corruption the malware caused? To me, I would want a flatten and rebuild to get me back to a normal state - no ifs, ands or buts.

Most people have just been ignoring the off-disk code being loaded during boot because it has always been assumed there is not enough room for any meaningful code to hide there. Now the 'room' is expanding and it appears the meaningful code can be made smaller - or rather the scope of 'meaningful' has shrunk.

> A question though. If a machine is infected in this way, is it not
> possible that in trying to use same to obtain replacement BIOS
> information, redirection to a 'spoof' site might occur?

The affected machine shouldn't be on a network of any kind.

> Would you recommend obtaining the up-to-date BIOS details from a known
> clean machine? (i.e. not use the infected machine at all).

Contact the manufacturer(s) of the motherboard (or otherboards) to get the firmware reflashed with the correct code. Is this guaranteed 100% malware free you ask?? Interesting point - if it never happened, they wouldn't need to do this:

http://mac.softpedia.com/progClean/iMac-AT...lean-32894.html

>> Now - how do we tell the world?

Whisper it in the streets...if you shout it from the rooftops they'll put you in the loony-bin. Ó¿Ò

(My apology in advance to anyone with a loony second ex-great stepuncle-in-law twice removed who gets offended by my statement)

[snip]
Guest FromTheRafters Posted November 13, 2008

[snippers gone wild]

"On 11/12/2008 03:19 PM, ~BD~ sent:

>> From what you have said (and reading between the lines for me!) all the
>> work carried out to 'clean' a hard disk could be rendered useless if action
>> is not taken to flash the EEPROM as well.

"1PW" <barcrnahgjuvfgyr@nby.pbz> wrote

> Perhaps this step can be bypassed if an investigation shows that the
> infection(s) was/were limited to the hard disk drive(s).

Yes, but this is where flatten and rebuild instead of using malware detection and removal tools - fails.

Hypothetical situation.

1) I've got 'I don't know what' malware on my system.
2) I'm told 'flatten and rebuild' is the expedient and only 100% sure way.
3) Been there - done that - but now when I boot it freezes with a very colorful ribbon pattern on the screen just after POST.
Guest David H. Lipman Posted November 13, 2008

From: "FromTheRafters" <erratic@nomail.afraid.org>

Please stop engaging this troll. You are only filling his head with ideas he does NOT understand.

He has already replied to a DNSChanger trojan post with...
"My subsequent discussions now lead me to believe that one needs to clear the CMOS and probably flash the BIOS too if one wants to be sure of a clean machine."

Pure FUD.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest FromTheRafters Posted November 13, 2008

"~BD~" <~BD~@nomail.afraid.com> wrote in message news:OchsASRRJHA.4992@TK2MSFTNGP05.phx.gbl...

> Thank you for explaining in more detail, FTR. :)

You're welcome.

> I've subsequently spent much time today 'Googling' - and learning new
> things!
>
> Now I'm wondering if there is some way that I could read the
> 'instructions' stored in the EEPROM - BIOS chip in my previous vocabulary
> (!). Perhaps you will advise if this is possible and, if so, just how I
> may do so.

It is possible - I don't know exactly how. But just like the MBR, it is far easier to just overwrite it than it is to inspect it to determine if it is authentic.
Guest FromTheRafters Posted November 13, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:ekOJ5zdRJHA.4524@TK2MSFTNGP06.phx.gbl...

> From: "FromTheRafters" <erratic@nomail.afraid.org>
>
> Please stop engaging this troll. You are only filling his head with ideas
> he does NOT understand.
>
> He has already replied to a DNSChanger trojan post with...
> "My subsequent discussions now lead me to believe that one needs to clear
> the CMOS and probably flash the BIOS too if one wants to be sure of a clean
> machine."
>
> Pure FUD.

Sorry, I guess it is a little like handing a kid a loaded gun.