From: FromTheRafters on
"thanatoid" <waiting(a)the.exit.invalid> wrote in message
news:Xns9DC5E578B6BDBthanexit(a)85.214.73.210...
> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
> news:i2vovt$5h4$1(a)news.eternal-september.org:
>
>> "thanatoid" <waiting(a)the.exit.invalid> wrote in message
>> news:Xns9DC5A2AB1103Fthanexit(a)188.40.43.230...
>
>>> Thanks for the somewhat cryptic-yet-usable reply.
>>
>> Well, for the sake of completeness, malformed data is well
>> known to exploit vulnerabilities in application software.
>> Some malware is OS independent and makes use (misuse /
>> abuse) of the environment offered by application software.
>> The underlying OS has little to nothing to do with it.
>
> I'm sorry... the terminology has me a little stumped. I assume
> "env" means the OS.

The environment may be a virtual machine like Java's JVM or an
application like "Word" or "Excel" that supports macros, or an OS.

> I don't have ANY applications that run in Linux OR Windows,
> except from my 5 hrs or so with Linux Mint I see that it appears
> to read a DOS CD, so it will probably read a FAT32 Windows drive
> as well.

I'm not familiar with "Mint", but Linux is capable of working with many
filesystems. Even a DOS CD should be readable as all systems will want
to access cd roms http://en.wikipedia.org/wiki/ISO_9660 . The ability to
read the CD is not an indication that the OS *on* the CD has a supported
filesystem.

>>> I have to check all the data with a Linux AV program (or
>>> two or three). Right? Or is there /even/ more to it?
>>
>> One AV is plenty. Bear in mind that the AV running on Linux
>> (or any other OS) isn't there to protect the machine
>> (despite what marketing may tell you), it is there to
>> detect viruses and some other malware types.
>
> That's what I want, just to check the infected drive.

Linux should be more than capable of doing so.

>> Protecting the
>> machine is the administrators job.
>
> Well, I tried to create myself an admin account in LinuxMint and
> all that happened is my entire DL folder (I'm giving in... I
> agree to use that despicable term when talking about Linux... In
> Windows, it's still *directories*) vaporized.

They are still *directories* no matter what OS is being described. The
GUI presents them as *folders* though.

> I thought flash
> sticks SAVED changes? And the reason I needed to be an admin is
> that I DL'd a couple of Linux AV packages but the system would
> not let a lowly user install ANYTHING.

As it *should* be. You need *root* privileges to install most things.

> The reason I DL'd a couple of Linux AV's is that the Linux Avira
> for Linux boot disk someone else suggested is a ***Windows
> exe***, and I only have it (HAD IT before trying to become an
> admin) on a USB stick, and my uninfected Win machine is a 95B
> with no USB... and 33.6 modem... But I am going to go and DL it
> anyway... it should only take 8-15 hours... The burner works
> fine, so I will be able to boot the infected machine from it and
> check the infected drive.

In the case of a boot disk - the boot disk supplies the environment, it
might not be a Linux environment, or it may be a Linux environment with
a PE loader kernel plug-in to support translating windows executables.

>> As for how to scan the
>> data, it is entirely up to you. I'm not saying your phantom
>> batchfile is likely to exhibit this behavior, just that
>> your comments and question- answered may have been
>> incomplete.
>
> Well, aside from taking great offense at my crime of
> multiposting to 3 semi-live groups and 1
> dead-as-the-Gates-of-hell group, the second complaint was that
> my post was the absolute /opposite/ of incomplete.
>
> There is NO pleasing humans, is there.

There's no pleasing everybody.

It is not very likely that your recovered *data* will make you *not*
"risk free", but I just thought it was worth mentioning that even
bringing *data* from a suspected infested machine's drive has its
caveats.

>> On a side note, it may be wrong to assume that a batchfile
>> or bash script command console window means that the
>> malware is necessarily limited to that environment. An
>> exploit can be the 'foot in the door' that gets a command
>> shell, and building a script file is no biggie once that is
>> accomplished. Executing the script may exploit yet another
>> vulnerability for privilege escalation.
>
> Well, not if you just zap the hard drive...?

???

>>> I am successfully running LinuxMint9 booted from a
>>> flashstick, with the infected drive's 2 cables
>>> disconnected, on the infected computer. I can get some
>>> latest AV software for Linux and test the infected drive.
>>> Right?
>>
>> Yes, as long as the environment supports it. With no
>> drives, I don't suppose Linux could have much of a swap
>> partition for instance.
>
> I /thought/ I could partition the flash stick (it is my first
> USB device EVER and I got it 3 weeks ago for unrelated reasons -
> and I /am/ impressed - but I am not sure of anything ATM.

Believe it or not, I have never even held a USB flash stick in my hand.

> I'm not sure why I would need a swap drive when I have 1 GB of
> memory (I could add the other 1GB stick I have but 98SELite and
> XP run perfectly with 1 GB) and run everything from a 4GB flash
> stick. Can I use another USB stick and make it a Linux swap
> drive?

You may be right, with that much memory (and nothing *else* for the OS
to do) the absence of a swap partition might be no biggie.

[...]


From: FromTheRafters on
"thanatoid" <waiting(a)the.exit.invalid> wrote in message
news:Xns9DC693113C03Ethanexit(a)188.40.43.230...
> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
> news:i31383$h53$1(a)news.eternal-september.org:

[...]

>> The environment may be a virtual machine like Java's JVM or
>> an application like "Word" or "Excel" that supports macros,
>> or an OS.
>
> Thank you. It's so nice to get an actual concise definition
> instead of the usual abuse...

Most malware naming conventions include, in the name, what environment
is required.

[...]

>> They are still *directories* no matter what OS is being
>> described. The GUI presents them as *folders* though.
>
> I know. I suppose "directories" is just too many syllables. It
> really bothers me (I have certain troublesome personality
> traits.. ;-)

Call them "holes" then - as in 'cubby-hole'. Nobody will know what you
mean, but you'll be down to one syllable. :o)

> I guess that (and IMO the destruction of music as art and making
> it the aural equivalent of chewing gum) is something we can
> thank Mr. Jobs for.

Are you talking about compression algorithms here? How is Mr. Jobs
responsible? The technology was coming like a wave and he was the surfer
that caught that wave.

>> As it *should* be. You need *root* privileges to install
>> most things.
>
> I suppose you only get those when you do the actual ORIGINAL
> install on a *HD*. A corporation would presumably /not/ get some
> guy standing at the street corner to INSTALL their Linux network
> for a few bottles of Scotch, so when you set up you get to be
> the admin and that's the way it should be, of course.

No, you should still be able to 'su' or log in as 'root' at the console.

[...]

> Well, the site claims it is a "Linux-based program" (whatever
> THAT means) but as above, you have to make the CD in Windows.
> MOST logical.

Maybe they use a Linux based kernel due to its small size, and provide
just enough functionality to run the scanner and a user interface. As a
scaled down Linux aimed at recovering Windows machines they could even
omit Linux's support of their own native filesystem.

>>>> As for how to scan the
>>>> data, it is entirely up to you. I'm not saying your
>>>> phantom batchfile is likely to exhibit this behavior,
>>>> just that your comments and question- answered may have
>>>> been incomplete.
>>>
>>> Well, aside from taking great offense at my crime of
>>> multiposting to 3 semi-live groups and 1
>>> dead-as-the-Gates-of-hell group, the second complaint was
>>> that my post was the absolute /opposite/ of incomplete.

Some groups have issues, and some don't.


[...]

>>> [...] Well, not if you just zap the hard drive...?
>>
>> ???
>
> If you low-level format it five times, whatever was EVER on it
> should be GONE, right?

No need for something so drastic (and isn't that more a factory thing
these days?).

One shouldn't confuse data recovery measures and malware persistence
(malware won't be using a magnetic probe to read your magnetic disks).
Formatting may be all that is needed in many cases, re-partitioning for
some more sticky ones, and replacement of the MBR in others. In the
future we may see other areas being exploited through flashable
firmware.

>>>>> I am successfully running LinuxMint9 booted from a
>>>>> flashstick, with the infected drive's 2 cables
>>>>> disconnected, on the infected computer. I can get some
>>>>> latest AV software for Linux and test the infected
>>>>> drive. Right?
>>>>
>>>> Yes, as long as the environment supports it. With no
>>>> drives, I don't suppose Linux could have much of a swap
>>>> partition for instance.
>
> I found out the hard way I /could/ DL stuff (and possibly copy
> to another USB stick - or A HD if a clean one was connected),
> but to my surprise, all the DL's evaporated after I rebooted
> after crashing after trying to create an admin account.

A "Virtual Drive" may have been set up in RAM to act as an attached
storage device. It would not be persistent across reboots.

[...]
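
The distinction drawn above between formatting, re-partitioning and replacing the MBR is easier to act on if you can look at what is actually in the first sector of the disk before deciding, and again after restoring it from a backup. The Python script below is an added example, not code from the thread or from any rescue CD: it parses a 512-byte MBR, checks the 0x55AA boot signature (a sector without it is the kind of thing a scanner reports as an unreadable record), lists the partition entries with their bootable flag and whether they are extended, and compares a SHA-256 of the 446-byte bootstrap area against a baseline taken from a known-good copy. Only the boot code is hashed, because the partition table legitimately changes when you repartition. The sample sector, its placeholder boot code and the two partition entries are constructed for the example; on a real machine the first 512 bytes of the disk device (for instance `/dev/sda` on the live Linux, read as root) would be passed to `check_mbr` instead.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446                      # partition table: 4 entries x 16 bytes at 446..509
BOOT_SIG = b"\x55\xaa"               # bytes 510..511
EXTENDED_TYPES = {0x05, 0x0F, 0x85}  # DOS extended, Win95 extended (LBA), Linux extended
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(sector):
    """Return the non-empty partition entries; raise if the sector is not an MBR at all."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("no 0x55AA boot signature: cannot read record")
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, PT_OFFSET + 16 * i)
        if ptype == 0:          # empty slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "extended": ptype in EXTENDED_TYPES,
                        "lba_start": lba_start, "sectors": count})
    return entries


def bootstrap_sha256(sector):
    """Hash only the 446 bytes of boot code, not the table that changes on repartition."""
    return hashlib.sha256(sector[:PT_OFFSET]).hexdigest()


def check_mbr(sector, baseline_bootstrap_sha256=None):
    """Report what a 'checking MBR' step would want to know about this sector."""
    entries = parse_partition_table(sector)
    digest = bootstrap_sha256(sector)
    return {
        "partitions": entries,
        "bootable_count": sum(1 for e in entries if e["bootable"]),
        "has_extended": any(e["extended"] for e in entries),
        "bootstrap_sha256": digest,
        # with no baseline there is nothing to compare against, so report True
        "bootstrap_matches_baseline": baseline_bootstrap_sha256 is None
                                      or digest == baseline_bootstrap_sha256,
    }


def build_mbr(bootstrap, entries):
    """Assemble a sector from boot code plus (status, type, lba_start, sectors) tuples.

    Used only to construct the sample sectors for this example."""
    if len(bootstrap) > PT_OFFSET:
        raise ValueError("bootstrap code must fit in 446 bytes")
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries)
    return bootstrap.ljust(PT_OFFSET, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed sample: placeholder boot code (not real bootstrap code), one
# bootable NTFS primary partition and one extended partition.
KNOWN_GOOD_BOOTSTRAP = b"PLACEHOLDER-KNOWN-GOOD-BOOT-CODE"
SAMPLE_ENTRIES = [
    (0x80, 0x07, 63, 20_971_457),           # bootable, type 0x07 (NTFS/HPFS)
    (0x00, 0x0F, 20_971_520, 135_000_000),  # extended (LBA)
]
SAMPLE_MBR = build_mbr(KNOWN_GOOD_BOOTSTRAP, SAMPLE_ENTRIES)
TAMPERED_MBR = build_mbr(b"PLACEHOLDER-MODIFIED-BOOT-CODE", SAMPLE_ENTRIES)


if __name__ == "__main__":
    baseline = bootstrap_sha256(SAMPLE_MBR)   # taken from a backup made while clean
    for label, sector in (("clean", SAMPLE_MBR), ("tampered", TAMPERED_MBR)):
        report = check_mbr(sector, baseline)
        print(label, "| bootstrap matches baseline:", report["bootstrap_matches_baseline"],
              "| partitions:", [(e["index"], hex(e["type"]), e["bootable"]) for e in report["partitions"]])
```

The baseline digest is the thing to keep somewhere safe (on the floppy backup, in this thread's terms): after any restore you re-read the sector and expect `bootstrap_matches_baseline` to be true and exactly one bootable entry; a mismatch on a disk you have not repartitioned is worth investigating before you trust the drive to boot again.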


From: thanatoid on
"FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
news:i3448a$trt$1(a)news.eternal-september.org:

> "thanatoid" <waiting(a)the.exit.invalid> wrote in message
> news:Xns9DC693113C03Ethanexit(a)188.40.43.230...
>> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
>> news:i31383$h53$1(a)news.eternal-september.org:
>
> [...]
>
>>> The environment may be a virtual machine like Java's JVM
>>> or an application like "Word" or "Excel" that supports
>>> macros, or an OS.
>>
>> Thank you. It's so nice to get an actual concise
>> definition instead of the usual abuse...
>
> Most malware naming conventions include, in the name, what
> environment is required.

Thank you - and I assume you mean when being discussed by people
other than the ones who actually created them - for instance,
one of the things the Avira rescue disc found on my machine is
called "APPL/Tool.wpakill.AK" - that certainly indicates no
specific environment necessary for healthy virus
life/propagation - well, it /implies/ w(indows) p(rocess) a(ll),
but "Gendal.8624.CV" implies nothing.

> [...]
>
>>> They are still *directories* no matter what OS is being
>>> described. The GUI presents them as *folders* though.
>>
>> I know. I suppose "directories" is just too many
>> syllables. It really bothers me (I have certain
>> troublesome personality traits.. ;-)
>
> Call them "holes" then - as in 'cubby-hole'. Nobody will
> know what you mean, but you'll be down to one syllable. :o)

:-D Not a bad idea! Introduce ANOTHER, almost equally
nonsensical term!

>> I guess that (and IMO the destruction of music as art and
>> making it the aural equivalent of chewing gum) is
>> something we can thank Mr. Jobs for.
>
> Are you talking about compression algorithms here? How is
> Mr. Jobs responsible? The technology was coming like a wave
> and he was the surfer that caught that wave.

No, I am talking about the iPod. I got through the 80's with the
Sony Walkman F-10, an absolutely /brilliant/ piece of technology
from Sony (when it was still *SONY*), which I used EVERY day for
EIGHT years for 4-8 hrs/day - it held ONE cassette in its
cassette-box-sized design, and used ONE AA battery. You had to
flip the cass. over to listen to the other side - BUT it had an
(undocumented) *azimuth adjustment screw* - so I always carried
on me (along with 3 extra rech. batteries) a small Phillips
screwdriver, so that I would hear each cassette in glorious
quality almost matching that of a decent home system (it was
also the first product with vertical in-the-ear bud headphones).

/THAT/ was OK - you listened to 2 albums over and over and
REALLY got to know, love and appreciate the music.

Stumbling around while messing with the menu of 40,000 songs,
while your buddy is connected to the other earbuds, playing 20
sec. snippets while yelling "ya gotta hear THIS, dude!" is NOT
appreciating music. Just having more than 10 albums to choose
from is a little insane. (IMH old fogey's opinion.)

>>> As it *should* be. You need *root* privileges to install
>>> most things.
>>
>> I suppose you only get those when you do the actual
>> ORIGINAL install on a *HD*. A corporation would presumably
>> /not/ get some guy standing at the street corner to
>> INSTALL their Linux network for a few bottles of Scotch,
>> so when you set up you get to be the admin and that's the
>> way it should be, of course.
>
> No, you should still be able to 'su' or log in as 'root' at
> the console.

Ahh... The console... Well, I can do basics in DOS (although I
prefer to do them with XTreeGold) but the Linux console is
something I hope to be able to avoid... I'm almost 55... And my
head is not as functional as it used to be...

> [...]
>
>> Well, the site claims it is a "Linux-based program"
>> (whatever THAT means) but as above, you have to make the
>> CD in Windows. MOST logical.
>
> Maybe they use a Linux based kernel due to its small size,
> and provide just enough functionality to run the scanner
> and a user interface. As a scaled down Linux aimed at
> recovering Windows machines they could even omit Linux's
> support of their own native filesystem.

Well, I dl'd and ran it and I was impressed. Here are the
results, with a couple of comments:

==================
I DL'd (7 hrs), installed and ran the Avira rescue CD.
It took 3:16:45 and I now know I have 558771 files in 24525
directories (on 11 partitions).

It DID find some stuff. [It worked like a charm, but it does NOT
offer the option of saving the log to a floppy or another CD...
So I had to type all this constantly switching between the 2
computers with the KVM... Sigh...]

What disturbs me MOST is this:

***
AVIRA results
Saturday, July 31, 2010
7:58 PM

ver. 7.10.10.25 created July 20, 2010

checking MBR of drive 128
checking MBR of drive 129
error [2]: cannot read record

auto excluding /sys/ from scan (is special fs)
auto excluding /proc from scan (is special fs)
***

I have NO idea what the last 2 lines mean (and I don't like
them), but the MAIN thing is that if it can't read the MBR of
the primary and extended partition, I can only assume that the
reason for that is that the MBR's are infected and unreadable. I
Googled but without much success - just very general statements.

Here are the alerts:

ALERT:
C:\utils/toggle icons.exe
Is the Trojan horse TR/Gendal.12288.CV

ALERT:
C:\Program Files\Eset\cache\fnd0.nfi
Contains detection pattern of the program SPR/Hacktool.215407

ALERT:
C:\Program Files\Eset\cache\fnd2.nfi
Is the Trojan horse TR/Gendal.8624.CV

ALERT:
C:\Program Files\Eset\cache\fnd3.nfi
Contains detection pattern of the program SPR/Tool.Agent

ALERT:
C:\Program Files\Eset\infected\mkenznda.nqf
Contains detection pattern of the program APPL/Tool.wpakill.AK

ALERT:
C:\Program Files\something :-#
Is the Trojan horse TR/Crypt.XPACK.Gen2

I searched for info on those but it is sketchy and primarily
comes from fear-instilling miracle virus remover software sites.

I downloaded a couple of rootkit removers mentioned in the
Spybot Search & Destroy forums, etc. but I don't want to even
try them since it would necessitate booting from that drive -
unless I use the uninfected drive 2 to boot from. Some other
posters assure me there is NO WAY /any/ virus can spread from a
non-booting drive to the booting drive. So I just want to copy
what I want to keep and then I'm zapping the whole drive - and I
might well stay with the clean 40GB drive 2 because 80GB holds
way too much stuff, and even with my 11 partitions and 24525
directories, it is just too much to manage. The dangers of BB...
At least with the modem when I dl'd stuff it took so damn long,
I had plenty of time to burn/backup.

I am also never going online with ANY Windows again. Probably
Mint, if it behaves a little better once actually installed on
the HD...
========================

>>>>> As for how to scan the
>>>>> data, it is entirely up to you. I'm not saying your
>>>>> phantom batchfile is likely to exhibit this behavior,
>>>>> just that your comments and question- answered may have
>>>>> been incomplete.
>>>>
>>>> Well, aside from taking great offense at my crime of
>>>> multiposting to 3 semi-live groups and 1
>>>> dead-as-the-Gates-of-hell group, the second complaint
>>>> was that my post was the absolute /opposite/ of
>>>> incomplete.
>
> Some groups have issues, and some don't.
>
> [...]
>
>>>> [...] Well, not if you just zap the hard drive...?
>>>
>>> ???
>>
>> If you low-level format it five times, whatever was EVER
>> on it should be GONE, right?
>
> No need for something so drastic (and isn't that more a
> factory thing these days?).

I found two programs on HDDGURU, one which only runs under
Win2000 and up (my clean drive only has 98SELite) and one which
runs from a DOS floppy. I hope the commands are not too cryptic
and that I manage to run it. (I would hate to add the process of
installing XP onto a free partition on the "clean" drive to what
already lies ahead of me.)

After all the useful data has been copied, I don't have a
problem being "drastic" with the drive. /IF/ necessary. The
Avira will tell me - all the stuff it found was in the root and
C:\, so it won't be another 3.5 hrs... If it can read and "OK"
the MBR, I think I can proceed without the LLF.

> One shouldn't confuse data recovery measures and malware
> persistence (malware won't be using a magnetic probe to
> read your magnetic disks). Formatting may be all that is
> needed in many cases, re-partitioning for some more sticky
> ones, and replacement of the MBR in others. In the future
> we may see other areas being exploited through flashable
> firmware.

It has occurred to me that zeroing the MBR with some Hiren's
utility (and deleting all the root files on C:\ which contain the
XP dual-boot files, just in case) and restoring the MBR from a
floppy I made about 1.5 years ago /should/ do it... But I like
the idea of the drive being factory-clean.

>>>>>> I am successfully running LinuxMint9 booted from a
>>>>>> flashstick, with the infected drive's 2 cables
>>>>>> disconnected, on the infected computer. I can get some
>>>>>> latest AV software for Linux and test the infected
>>>>>> drive. Right?
>>>>>
>>>>> Yes, as long as the environment supports it. With no
>>>>> drives, I don't suppose Linux could have much of a swap
>>>>> partition for instance.

Correct - AND - last night I tried to install to a second USB
stick with disastrous results - nothing would boot from /either/
stick afterwards. But my friend (where I dl'd the ISO) still has
it on his laptop's HD.

>> I found out the hard way I /could/ DL stuff (and possibly
>> copy to another USB stick - or A HD if a clean one was
>> connected), but to my surprise, all the DL's evaporated
>> after I rebooted after crashing after trying to create an
>> admin account.
>
> A "Virtual Drive" may have been set up in RAM to act as an
> attached storage device. It would not be persistent across
> reboots.

That's what I found out...

I feel sufficiently reassured that if I boot from my clean drive
2, I will be able to transfer stuff and backup to CDR, and once
I have all the stuff I need, I will wipe the infected drive in one or
another manner. This is the plan for today - boot from the clean
drive with the uninfected drive 1 disconnected, just to make
SURE it is NOT a hardware problem - as SO MANY have insisted,
and then connect the infected drive, wipe/restore/delete the
problem areas as described above (just in case), and start the
data salvage operation.

I appreciate your help very much, you have been most patient.
From: FromTheRafters on
"thanatoid" <waiting(a)the.exit.invalid> wrote in message
news:Xns9DC7888454643thanexit(a)81.169.183.62...
> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
> news:i3448a$trt$1(a)news.eternal-september.org:
>
>> "thanatoid" <waiting(a)the.exit.invalid> wrote in message
>> news:Xns9DC693113C03Ethanexit(a)188.40.43.230...
>>> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
>>> news:i31383$h53$1(a)news.eternal-september.org:
>>
>> [...]
>>
>>>> The environment may be a virtual machine like Java's JVM
>>>> or an application like "Word" or "Excel" that supports
>>>> macros, or an OS.
>>>
>>> Thank you. It's so nice to get an actual concise
>>> definition instead of the usual abuse...
>>
>> Most malware naming conventions include, in the name, what
>> environment is required.
>
> Thank you - and I assume you mean when being discussed by people
> other than the ones who actually created them - for instance,
> one of the things the Avira rescue disc found on my machine is
> called "APPL/Tool.wpakill.AK" - that certainly indicates no
> specific environment necessary for healthy virus
> life/propagation - well, it /implies/ w(indows) p(rocess) a(ll),
> but "Gendal.8624.CV" implies nothing.

Yes, Avira's naming convention (
http://www.avira.ro/en/virus_information/malware_naming_conventions.html
) only partially does this, and Gendal should be prefixed with TR
(maybe they name some things with the assumption that the reader will
already know the environment it exists in).

I was thinking more along the lines of (
http://www.microsoft.com/security/portal/Shared/MalwareNaming.aspx )

>> [...]
>>
>>>> They are still *directories* no matter what OS is being
>>>> described. The GUI presents them as *folders* though.
>>>
>>> I know. I suppose "directories" is just too many
>>> syllables. It really bothers me (I have certain
>>> troublesome personality traits.. ;-)
>>
>> Call them "holes" then - as in 'cubby-hole'. Nobody will
>> know what you mean, but you'll be down to one syllable. :o)
>
> :-D Not a bad idea! Introduce ANOTHER, almost equally
> nonsensical term!

The slithy toves...all filed away in their respective holes.

>>> I guess that (and IMO the destruction of music as art and
>>> making it the aural equivalent of chewing gum) is
>>> something we can thank Mr. Jobs for.
>>
>> Are you talking about compression algorithms here? How is
>> Mr. Jobs responsible? The technology was coming like a wave
>> and he was the surfer that caught that wave.
>
> No, I am talking about the iPod. I got through the 80's with the
> Sony Walkman F-10, an absolutely /brilliant/ piece of technology
> from Sony (when it was still *SONY*), which I used EVERY day for
> EIGHT years for 4-8 hrs/day - it held ONE cassette in its
> cassette-box-sized design, and used ONE AA battery. You had to
> flip the cass. over to listen to the other side - BUT it had an
> (undocumented) *azimuth adjustment screw* - so I always carried
> on me (along with 3 extra rech. batteries) a small Phillips
> screwdriver, so that I would hear each cassette in glorious
> quality almost matching that of a decent home system (it was
> also the first product with vertical in-the-ear bud headphones).
>
> /THAT/ was OK - you listened to 2 albums over and over and
> REALLY got to know, love and appreciate the music.
>
> Stumbling around while messing with the menu of 40,000 songs,
> while your buddy is connected to the other earbuds, playing 20
> sec. snippets while yelling "ya gotta hear THIS, dude!" is NOT
> appreciating music. Just having more than 10 albums to choose
> from is a little insane. (IMH old fogey's opinion.)

I understand. BTW, that all wouldn't have been possible without the
aforementioned compression technology. If he hadn't created the iPod,
some other visionary surely would have. He is not responsible for what
society does with the technology.

[...]

> Ahh... The console... Well, I can do basics in DOS (although I
> prefer to do them with XTreeGold) but the Linux console is
> something I hope to be able to avoid... I'm almost 55... And my
> head is not as functional as it used to be...

You're my age, but I've been computering since '72. Reading the "man
pages" can be a challenge. Type "man" at the prompt, it's kinda like
typing "help" at the command prompt in dos. It's mostly all in there, and
written by many different people some of whom have learned English as a
second or third language. Typing "man su" should (IIRC) bring up a page
describing how to use the 'su' command.

>>> Well, the site claims it is a "Linux-based program"
>>> (whatever THAT means) but as above, you have to make the
>>> CD in Windows. MOST logical.
>>
>> Maybe they use a Linux based kernel due to its small size,
>> and provide just enough functionality to run the scanner
>> and a user interface. As a scaled down Linux aimed at
>> recovering Windows machines they could even omit Linux's
>> support of their own native filesystem.
>
> Well, I dl'd and ran it and I was impressed. Here are the
> results, with a couple of comments:
>
> ==================
> I DL'd (7 hrs), installed and ran the Avira rescue CD.
> It took 3:16:45 and I now know I have 558771 files in 24525
> directories (on 11 partitions).
>
> It DID find some stuff. [It worked like a charm, but it does NOT
> offer the option of saving the log to a floppy or another CD...
> So I had to type all this constantly switching between the 2
> computers with the KVM... Sigh...]
>
> What disturbs me MOST is this:
>
> ***
> AVIRA results
> Saturday, July 31, 2010
> 7:58 PM
>
> ver. 7.10.10.25 created July 20, 2010
>
> checking MBR of drive 128
> checking MBR of drive 129
> error [2]: cannot read record

I don't know what is happening to cause this.

> auto excluding /sys/ from scan (is special fs)
> auto excluding /proc from scan (is special fs)

Linux chooses other objects than only directories to display 'as if'
they were directories, for instance the /proc (folder) is the process
list (scheduler) not a 'hole' for storing files. :o)

> ***
>
> I have NO idea what the last 2 lines mean (and I don't like
> them), but the MAIN thing is that if it can't read the MBR of
> the primary and extended partition, I can only assume that the
> reason for that is that the MBR's are infected and unreadable. I
> Googled but without much success - just very general statements.
>
> Here are the alerts:
>
> ALERT:
> C:\utils/toggle icons.exe
> Is the Trojan horse TR/Gendal.12288.CV
>
> ALERT:
> C:\Program Files\Eset\cache\fnd0.nfi
> Contains detection pattern of the program SPR/Hacktool.215407
>
> ALERT:
> C:\Program Files\Eset\cache\fnd2.nfi
> Is the Trojan horse TR/Gendal.8624.CV
>
> ALERT:
> C:\Program Files\Eset\cache\fnd3.nfi
> Contains detection pattern of the program SPR/Tool.Agent
>
> ALERT:
> C:\Program Files\Eset\infected\mkenznda.nqf
> Contains detection pattern of the program APPL/Tool.wpakill.AK
>
> ALERT:
> C:\Program Files\something :-#
> Is the Trojan horse TR/Crypt.XPACK.Gen2

This one bothers me. The others (maybe FPs or PUPs) maybe you could ask
Eset about.

> I searched for info on those but it is sketchy and primarily
> comes from fear-instilling miracle virus remover software sites.
>
> I downloaded a couple of rootkit removers mentioned in the
> Spybot Search & Destroy forums, etc. but I don't want to even
> try them since it would necessitate booting from that drive -
> unless I use the uninfected drive 2 to boot from. Some other
> posters assure me there is NO WAY /any/ virus can spread from a
> non-booting drive to the booting drive.

That's not true, a virus can spread to anywhere that you store
"programs". Other kinds of malware can exist as data (exploit code for
instance).

Be careful not to confuse "virus" with "malware" as there are
significant differences in the way that they act. Many people insist
that all viruses are malware, but there is still plenty of room for
debate on that issue. "Malware" is the intended umbrella term for all
MALicious softWARE, while "virus" refers to certain programmed functions
that are most often associated with certain malware (self-replication and
self-distribution).

[...]

>> A "Virtual Drive" may have been set up in RAM to act as an
>> attached storage device. It would not be persistent across
>> reboots.
>
> That's what I found out...
>
> I feel sufficiently reassured that if I boot from my clean drive
> 2, I will be able to transfer stuff and backup to CDR, and once
> I have all the stuff I need, I will wipe the infected drive in one or
> another manner. This is the plan for today - boot from the clean
> drive with the uninfected drive 1 disconnected, just to make
> SURE it is NOT a hardware problem - as SO MANY have insisted,
> and then connect the infected drive, wipe/restore/delete the
> problem areas as described above (just in case), and start the
> data salvage operation.
>
> I appreciate your help very much, you have been most patient.

You're welcome, and good luck.
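
The alert list quoted above, and the question of how much the detection name tells you about a hit, as an added example that is not part of either poster's text and not Avira's or Eset's code: a small Python parser that turns the rescue-CD alert lines into records, splits each detection name into its prefix (TR, SPR, APPL), family and variant, counts hits per prefix, and puts first the Trojan verdicts that are not sitting inside another scanner's cache or quarantine directory. The prefix meanings are inferred from the verdict wording in the log itself, not from the vendor's convention page; the cache/quarantine heuristic, the `PREFIX_KIND` and `STORE_DIRS` tables and the sample log (constructed from the thread's six alerts, with the withheld path kept as "something") are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the six alerts quoted in the thread (withheld path kept as "something").
SAMPLE_LOG = """\
ALERT:
C:\\utils/toggle icons.exe
Is the Trojan horse TR/Gendal.12288.CV

ALERT:
C:\\Program Files\\Eset\\cache\\fnd0.nfi
Contains detection pattern of the program SPR/Hacktool.215407

ALERT:
C:\\Program Files\\Eset\\cache\\fnd2.nfi
Is the Trojan horse TR/Gendal.8624.CV

ALERT:
C:\\Program Files\\Eset\\cache\\fnd3.nfi
Contains detection pattern of the program SPR/Tool.Agent

ALERT:
C:\\Program Files\\Eset\\infected\\mkenznda.nqf
Contains detection pattern of the program APPL/Tool.wpakill.AK

ALERT:
C:\\Program Files\\something
Is the Trojan horse TR/Crypt.XPACK.Gen2
"""

# Prefix meanings inferred from the scanner's own verdict wording
# (assumption for this example, not the vendor's official table).
PREFIX_KIND = {"TR": "trojan horse", "SPR": "security/privacy-relevant program",
               "APPL": "application / tool (potentially unwanted)"}
# Directory names under which another scanner keeps copies of what it already
# caught (assumption, used only to order the triage list).
STORE_DIRS = {"cache", "infected", "quarantine"}
VERDICT_RE = re.compile(r"(?P<verdict>Is the Trojan horse|Contains detection pattern of the program)"
                        r"\s+(?P<name>[A-Z]+/[\w.]+)")


@dataclass(frozen=True)
class Alert:
    path: str       # normalised Windows path
    name: str       # full detection name, e.g. TR/Gendal.8624.CV
    prefix: str     # category part, e.g. TR
    family: str     # e.g. Gendal
    variant: str    # trailing variant, e.g. CV
    verdict: str    # the scanner's verdict phrase


def normalize_path(path):
    """The log mixes separators (C:\\utils/toggle icons.exe); use backslashes throughout."""
    return path.strip().replace("/", "\\")


def split_name(name):
    """TR/Gendal.8624.CV -> ('TR', 'Gendal', 'CV'); SPR/Hacktool.215407 -> ('SPR', 'Hacktool', '215407')."""
    prefix, _, rest = name.partition("/")
    parts = rest.split(".")
    return prefix, parts[0], (parts[-1] if len(parts) > 1 else "")


def parse_alerts(text):
    """Each ALERT: block is a path line followed by a verdict line."""
    alerts = []
    for block in text.split("ALERT:"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2:
            continue
        m = VERDICT_RE.search(lines[1])
        if m:
            prefix, family, variant = split_name(m.group("name"))
            alerts.append(Alert(normalize_path(lines[0]), m.group("name"),
                                prefix, family, variant, m.group("verdict")))
    return alerts


def count_by_prefix(alerts):
    counts = {}
    for a in alerts:
        counts[a.prefix] = counts.get(a.prefix, 0) + 1
    return counts


def in_other_scanner_store(path):
    """True if any directory component of the path is a cache/quarantine-style store."""
    return any(d in STORE_DIRS for d in normalize_path(path).lower().split("\\")[:-1])


def triage(alerts):
    """Trojan verdicts on files outside a store come first as 'high'; the rest are 'review'."""
    rows = [("high" if a.prefix == "TR" and not in_other_scanner_store(a.path) else "review",
             a.path, a.name, PREFIX_KIND.get(a.prefix, "unknown prefix")) for a in alerts]
    return sorted(rows, key=lambda r: (r[0] != "high", r[1]))


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    print(count_by_prefix(parsed))
    for row in triage(parsed):
        print(" | ".join(row))
```

On the sample log this leaves two "high" rows, the two Trojan verdicts on files that were still live on the system, and puts the four hits inside the other product's cache and quarantine directories into the "review" group, which is the split the reply above suggests asking the other vendor about. The parser deliberately keeps the prefix separate from the family so that a name with the prefix dropped, as happened with "Gendal.8624.CV" in the thread, stands out as one with an empty category.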


From: thanatoid on
"FromTheRafters" <erratic(a)nomail.afraid.org> wrote in
news:i34hlr$l7$1(a)news.eternal-september.org:

<SNIP>

> Yes, Avira's naming convention (
> http://www.avira.ro/en/virus_information/malware_naming_conventions.html
> ) only partially does this, and Gendal should be prefixed
> with TR

It is... I just didn't copy those 2 letters. Sorry.

> (maybe they name some things with the assumption that the
> reader will already know the environment it exists in).

Optimists!

> I was thinking more along the lines of (
> http://www.microsoft.com/security/portal/Shared/MalwareNaming.aspx )

I'll check it after all this is over...

<SNIP>

>> :-D Not a bad idea! Introduce ANOTHER, almost equally
>> nonsensical term!
>
> The slithy toves...all filed away in their respective
> holes.

Excellent. Holes and toves - with /slithy/ toves being sys or
hidden toves! %-D

Think there's any chance of it catching on? The 'folders' thing
has REALLY bugged me for - what is it, 15 years?... "Drawers" at
least would make some sense (file cabinet which does not HAVE to
hold "folders" - a small animal could live in one as well as
various objects of reasonable dimensions) AND provide endless
opportunities for innocent underwear jokes!

<SNIP>

> I understand. BTW, that all wouldn't have been possible
> without the aforementioned compression technology. If he
> hadn't created the iPod, some other visionary surely would
> have. He is not responsible for what society does with the
> technology.

Well, that's undeniable, but it seems to be the pattern of us
humanoids to point the accusing finger at the specific party who
actually DID it.

> [...]
>
>> Ahh... The console... Well, I can do basics in DOS
>> (although I prefer to do them with XTreeGold) but the
>> Linux console is something I hope to be able to avoid...
>> I'm almost 55... And my head is not as functional as it
>> used to be...
>
> You're my age, but I've been computering since '72. Reading
> the "man pages" can be a challenge. Type "man" at the
> prompt, it's kinda like typing "help" at the command prompt
> in dos. It's mostly all in there, and written by many
> different people some of whom have learned English as a
> second or third language. Typing "man su" should (IIRC)
> bring up a page describing how to use the 'su' command.

Brrr... Maybe later...

<SNIP>

>> checking MBR of drive 128
>> checking MBR of drive 129
>> error [2]: cannot read record
>
> I don't know what is happening to cause this.

If 128 is the entire infected drive and the MBR /was/ read and
is OK, and 129 is the *CD drive itself*, then it's OK. If - as I
originally understood it - 128 is the primary partition, and 129
the extended partition, then there may be a problem with the
"logical drives MBR" although I /thought/ they were the same
thing, just different parts of it.

>> auto excluding /sys/ from scan (is special fs)
>> auto excluding /proc from scan (is special fs)
>
> Linux chooses other objects than only directories to
> display 'as if' they were directories, for instance the
> /proc (folder) is the process list (scheduler) not a 'hole'
> for storing files. :o)

OK, that makes me feel a little better.

>> C:\Program Files\something :-#
>> Is the Trojan horse TR/Crypt.XPACK.Gen2
>
> This one bothers me. The others (maybe FPs or PUPs) maybe
> you could ask Eset about.

IME, Eset only answer emails before you buy the product. Oh
well.

I didn't put in the name of the program because /head hangs in
shame/ it is a program with a stolen serial, which I have used
EXTREMELY infrequently, and therefore did not buy - like I HAVE
done with most programs I "tried" and found I was actually
*using*. I paid (through the nose) for ESET even though I have
the url of a Russian site which posts daily def. updates. Etc.
*AND* I paid a fair chunk for several free (not even donation-
ware) programs - like XNews. [Weasely attempts to convince you I
am not ALL bad...]

The Trojan horse itself is "just another Trojan horse" I
think...

Sorry if that confused you. I should have put "[hole name
withheld to protect the guilty]".

<SNIP>

>> Some other posters assure me there is NO WAY /any/ virus
>> can spread from a non-booting drive to the booting drive.
>
> That's not true, a virus can spread to anywhere that you
> store "programs". Other kinds of malware can exist as data
> (exploit code for instance).

Even if the program is not run? I have been talking about
zapping the bootsector and deleting everything in root of C, but
I can actually delete the entire C drive - all the /data/ is on
other partitions.

In fact, since Toggle Icons is an old 13KB exe which I am /sure/
was freeware (I can't find it on the web, I got it from a
geocities page years ago), and the other program was only
/serialed/ illegally, and they have BOTH - although used VERY
infrequently - been scanned dozens of times in the past, I
believe the virus infected two random executables on the C
drive.

And did or did not do something with the MBR. I have not run
either of the two infected programs during the online session
when the infection happened (OR since) - I have NO idea how the
bat file I saw running got into my system, but I believe that's
where it all started. Unless it is all unrelated and Avira is
false-alerting or found a few dormant viruses/equines. Sigh.

> Be careful not to confuse "virus" with "malware" as there
> are significant differences in the way that they act. Many
> people insist that all viruses are malware, but there is
> still plenty of room for debate on that issue. "Malware" is
> the intended umbrella term for all MALicious softWARE,
> while "virus" refers to certain programmed functions that
> are most often associated with certain malware
> (self-replication and self-distribution).

Right.

<SNIP>

>> I appreciate your help very much, you have been most
>> patient.
>
> You're welcome, and good luck.

Thanks again. I will post the final outcome FYI, whether it is
"back to TV", "everything's fine", or "building a new computer"
- or something else.