Do I have a virus?

  • Thread starter: Øyvind Granberg
"1PW" wrote in message
news:gfd5h8$ruj$1@registered.motzarella.org...
>
> Hi Dave:
>
> I'll just paraphrase here: "I don't agree with what you said, but I will
> defend to the death your right to say it..."
>
> Pete
>
> --
> 1PW
>
> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]


--

Thank you, Pete!
 
"FromTheRafters" wrote in message
news:ONaHNtGRJHA.588@TK2MSFTNGP06.phx.gbl...
>
> "~BD~" wrote in message
> news:erwON2ERJHA.420@TK2MSFTNGP03.phx.gbl...
>>
>> "FromTheRafters" wrote in message
>> news:eD6oUjERJHA.1164@TK2MSFTNGP03.phx.gbl...
>>>

>>
>>
>>
>>>> However, 1PW disagrees with you FTR. He (?) said::-
>>>>
>>>> "All good computer technicians will tell you:
>>>>
>>>> During a proper "level and rebuild" operation, absolute strict
>>>> adherence
>>>> to best industry practices and due diligence would have erased and
>>>> protected the system from any malware proliferation.
>>>>
>>>> Under the same rules as above, restoring the system from known good
>>>> media will render a clean, malware free system. Guaranteed, and
>>>> without
>>>> further qualification".
>>>>
>>>> I'm no guru, but I think he's wrong (sorry Pete!)

>>
>>
>>>
>>> He is not incorrect.

>>
>> Have you time to explain, FTR?
>>
>> Maybe I misunderstood.
>>
>> I thought we had established that ........ um ....... 'code' *could*
>> remain (somewhere) within a machine (even if a shiny brand new hard disk
>> was installed) - albeit inactive -
>
> So far so good, but here's where you might have misunderstood.
>
>> *until*, just possibly, it could join forces with additional elements
>> captured from the Internet.

>
> Any foreign code residing in EEPROM would still run during boot.
> Any code that belonged there but had been relocated to disk by the
> infecting malware, wouldn't (obviously). You end up with corruption
> in EEPROM but no malware.
>
> If there is malware ITW actively flashing EEPROM then a *proper*
> [whatever he said] with *strict adherence* to [what he said] would
> have to include reflashing EEPROMs with the proper code.
>
> It seems he chose his words carefully.
>
> He also didn't suggest bringing back any programs from outside of
> the "known good media". At that point it is as free of malware as it
> was when new. His statement is correct.
>

Thank you for explaining in more detail, FTR.

I've subsequently spent much time today 'Googling' - and learning new
things!

Now I'm wondering if there is some way that I could read the 'instructions'
stored in the EEPROM - BIOS chip in my previous vocabulary (!). Perhaps you
will advise if this is possible and, if so, just how I may do so.

I really do appreciate you helping me to understand these matters. Thanks
again.

Dave

--
 
"1PW" wrote in message
news:gfdjnn$9nc$1@registered.motzarella.org...
> On 11/11/2008 06:06 PM, FromTheRafters sent:
>
> Snip, snip...


>> [whatever he said] with *strict adherence* to [what he said] would
>> have to include reflashing EEPROMs with the proper code.

>
> ...and of course reflashing would render new/good checksums for both
> BIOS and CMOS, *individually*. Malware that /had/ flashed an EEPROM,
> would have had to account for the current configuration and many custom
> values, only usable then and there. The amount of code to support such
> activities, even if written in assembler, would make the size of the
> malware much greater and much more noticeable.


Might not the required malicious code be introduced to a machine via a
'set-up' CD (or even a floppy disk) which has been 'doctored' shall I say?
Or maybe a programme deliberately and consciously downloaded and installed by
the user, albeit unwittingly?


> Malware only has a few places to hide. Careful cleaning of all those
> places will make the problem cease to exist. In everyday practice,
> most malware just lives on one's hard disk drive.



I note your precision, Pete - and I unreservedly apologise for my doubts.
I'm sorry and trust you will forgive me.

I have been trying to remember if I have ever seen folk visiting 'help'
forums being given 'advice' on cleaning data which is *not* on their hard
disks.

I must have seen reference to clearing the CMOS because I can remember
carrying out the instructions set out here (or similar!)
http://forum.msi.com.tw/index.php?PHPSESSI...adid=31222&sid=

It is quite some time since I've done so - I ended up scrapping my previous
machine because I was convinced that a 'gremlin' remained within it!


>> It seems he chose his words carefully.



Indeed it seems so! Now I feel somewhat foolish.




>> He also didn't suggest bringing back any programs from outside of
>> the "known good media". At that point it is as free of malware as it
>> was when new. His statement is correct.



I accept that Pete's statement is correct.

I confess, though, that I am not sure what was/is meant by "bringing back
any programs from outside of the known good media". Further advice would be
appreciated.


> With every keystroke, I was besieged by multitudes of attorneys... :-)
>
> Comedy aside, I'm sure you'd agree that if a flawless procedure isn't
> adhered to, an exercise in futility might result.



From what you have said (and reading between the lines for me!) all the work
carried out to 'clean' a hard disk *could* be rendered useless if action is
not taken to flash the EEPROM as well.

A question though. If a machine is infected in this way, is it not possible
that in trying to use same to obtain replacement BIOS information,
redirection to a 'spoof' site might occur? Would you recommend obtaining the
up-to-date BIOS details from a known clean machine? (i.e. not use the
infected machine at all).


> Now - how do we tell the world?



I'm not sure if you meant this as a serious question but, as a start, it
could be mentioned by all the 'resident' advisers here on the Microsoft
security newsgroups (folk like Robear Dyer, David H Lipman, Malke and Frank
Saunders - to name a few) at the time when they recommend folk visit the
'expert' forums.


> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]



My expertise in code-breaking has lapsed somewhat, Pete. Will you share with
me the significance of your signature block?



Bless you

Dave

--
 
On 11/12/2008 03:19 PM, ~BD~ sent:
> "1PW" wrote in message
> news:gfdjnn$9nc$1@registered.motzarella.org...
>> On 11/11/2008 06:06 PM, FromTheRafters sent:
>>
>> Snip, snip...

>
>>> [whatever he said] with *strict adherence* to [what he said] would
>>> have to include reflashing EEPROMs with the proper code.

>> ...and of course reflashing would render new/good checksums for both
>> BIOS and CMOS, *individually*. Malware that /had/ flashed an EEPROM,
>> would have had to account for the current configuration and many custom
>> values, only usable then and there. The amount of code to support such
>> activities, even if written in assembler, would make the size of the
>> malware much greater and much more noticeable.
>
>
> Might not the required malicious code be introduced to a machine via a
> 'set-up' CD (or even a floppy disk) which has been 'doctored' shall I say?
> Or maybe a program deliberately and consciously downloaded and installed by
> the user, albeit unwittingly?
>
Unreservedly, yes. Healthy skepticism is your best friend at this
point. A good technician would have vetted their own tools before using
them on a client's system.
>
>> Malware only has a few places to hide. Careful cleaning of all those
>> places will make the problem cease to exist. In everyday practice,
>> most malware just lives on one's hard disk drive.

>
>
> I note your precision, Pete - and I unreservedly apologize for my doubts.
> I'm sorry and trust you will forgive me.

Healthy doubts are your best ally. No apology is required at all.
>
> I have been trying to remember if I have ever seen folk visiting 'help'
> forums being given 'advice' on cleaning data which is *not* on their hard
> disks.
>
> I must have seen reference to clearing the CMOS because I can remember
> carrying out the instructions set out here (or similar!)
> http://forum.msi.com.tw/index.php?PHPSESSI...adid=31222&sid=
>
> It is quite some time since I've done so - I ended up scrapping my previous
> machine because I was convinced that a 'gremlin' remained within it!
>
>
>>> It seems he chose his words carefully.

>
>
> Indeed it seems so! Now I feel somewhat foolish.

>
Now, replace that feeling with the knowledge that you've gained. FTR,
David H. Lipman, Malke and others are a wonderful source of knowledge
and experience.
>
>>> He also didn't suggest bringing back any programs from outside of
>>> the "known good media". At that point it is as free of malware as it
>>> was when new. His statement is correct.

>
>
> I accept that Pete's statement is correct.
>
> I confess, though, that I am not sure what was/is meant by "bringing back
> any programs from outside of the known good media". Further advice would be
> appreciated.
>
The statement is slightly inaccurate. Anything brought back to the
subject PC must be done /through/ known good media. All reasonable
steps must be taken to vet the process. MD5 checksums are certainly one
of them. Re-installing from the provider's media is another. "Here
there be dragons!"
>
>> With every keystroke, I was besieged by multitudes of attorneys... :-)
>>
>> Comedy aside, I'm sure you'd agree that if a flawless procedure isn't
>> adhered to, an exercise in futility might result.

>
>
> From what you have said (and reading between the lines for me!) all the work
> carried out to 'clean' a hard disk *could* be rendered useless if action is
> not taken to flash the EEPROM as well.

Perhaps this step can be bypassed if an investigation shows that the
infection(s) was/were limited to the hard disk drive(s).

Your point is not lost on me. However, the bad guy must have written
effective code and that code needs to accomplish many clever things.

This would need to be done with practical knowledge of /that/
system's architecture and BIOS and/or CMOS. Very challenging indeed.

> A question though. If a machine is infected in this way, is it not possible
> that in trying to use same to obtain replacement BIOS information,
> redirection to a 'spoof' site might occur? Would you recommend obtaining the
> up-to-date BIOS details from a known clean machine? (i.e. not use the
> infected machine at all).
>

The manufacturer's site is probably the best source. The extra benefit
might be an updated BIOS.
>
>> Now - how do we tell the world?

>
>
> I'm not sure if you meant this as a serious question but, as a start, it
> could be mentioned by all the 'resident' advisers here on the Microsoft
> security newsgroups (folk like Robear Dyer, David H Lipman, Malke and Frank
> Saunders - to name a few) at the time when they recommend folk visit the
> 'expert' forums.

They hide their candles. Amongst our peers they *are* our experts.

>

Now that you are one of the experts, you may contribute from a point of
experience and authority.
>
>> @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

>
>
> My expertise in code-breaking has lapsed somewhat, Pete. Will you share with
> me the significance of your signature block?

>
The "From" address is ROT13 encoded and the one a few lines above is a
ROT47 encode. Both are meant to increase the degree of difficulty for
harvesters and are an email address I use to divert scams and phishing
messages to. However, I do check it frequently for content.
>
> Bless you
>
> Dave
>


Peace be with you Dave.

--
1PW

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
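For anyone curious what 1PW means by ROT13 and ROT47 above: here is a small round-trip demonstration, added for this archive and not code from anyone in the thread. It works on a constructed address (someone@example.com) rather than on the real signature block, and shows why both rotations are obfuscation rather than secrecy: each is its own inverse, so the same function encodes and decodes.

```python
"""ROT13 / ROT47 round-trip demo (added example, not from the thread).

ROT13 rotates the 26 letters by 13 places.  ROT47 rotates the 94 printable
ASCII characters '!'..'~' by 47 places, so it also scrambles '@' and '.',
which is why a ROT47'd address survives naive e-mail harvesters.  Both are
involutions (applying them twice gives the input back), so they offer no
protection against anyone who recognises the pattern.
"""


def rot13(text: str) -> str:
    """Rotate A-Z and a-z by 13 places; every other character passes through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot47(text: str) -> str:
    """Rotate printable ASCII 0x21..0x7E by 47 places; others (space, newline) pass through."""
    out = []
    for ch in text:
        code = ord(ch)
        if 0x21 <= code <= 0x7E:
            out.append(chr((code - 0x21 + 47) % 94 + 0x21))
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample address; it is nobody's real mailbox.
SAMPLE = "someone@example.com"


def demo() -> dict:
    """Encode the sample both ways and prove each rotation undoes itself."""
    r13 = rot13(SAMPLE)
    r47 = rot47(SAMPLE)
    return {
        "rot13": r13,
        "rot47": r47,
        "rot13_roundtrip": rot13(r13) == SAMPLE,
        "rot47_roundtrip": rot47(r47) == SAMPLE,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note how the ROT47 output turns 'o', 'n', 'e' into '@', '?', '6' and '.' into ']', the same substitutions visible in the signature block being asked about.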
 
"1PW" wrote in message
news:gfdjnn$9nc$1@registered.motzarella.org...
> On 11/11/2008 06:06 PM, FromTheRafters sent:
>
> Snip, snip...
>
>>> Maybe I misunderstood.
>>>
>>> I thought we had established that ........ um ....... 'code' *could*
>>> remain (somewhere) within a machine (even if a shiny brand new hard disk
>>> was installed) - albeit inactive -

>>
>> So far so good, but here's where you might have misunderstood.
>>
>>> *until*, just possibly, it could join forces with additional elements
>>> captured from the Internet.

>>
>> Any foreign code residing in EEPROM would still run during boot.
>> Any code that belonged there but had been relocated to disk by the
>> infecting malware, wouldn't (obviously). You end up with corruption
>> in EEPROM but no malware.
>>
>> If there is malware ITW actively flashing EEPROM then a *proper*
>> [whatever he said] with *strict adherence* to [what he said] would
>> have to include reflashing EEPROMs with the proper code.
>
> ...and of course reflashing would render new/good checksums for both
> BIOS and CMOS, *individually*. Malware that /had/ flashed an EEPROM,
> would have had to account for the current configuration and many custom
> values, only usable then and there. The amount of code to support such
> activities, even if written in assembler, would make the size of the
> malware much greater and much more noticeable.

Yeah, chances are if such a method were used it would be for a very
specific target.

> Malware only has a few places to hide. Careful cleaning of all those
> places will make the problem cease to exist. In everyday practice,
> most malware just lives on one's hard disk drive.


...but because it is only *most* and not *all*, TPM becomes necessary.

>> It seems he chose his words carefully.

>
>> He also didn't suggest bringing back any programs from outside of
>> the "known good media". At that point it is as free of malware as it
>> was when new. His statement is correct.

>
> With every keystroke, I was besieged by multitudes of attorneys... :-)


> Comedy aside, I'm sure you'd agree that if a flawless procedure isn't
> adhered to, an exercise in futility might result. Now - how do we tell
> the world?


Anything worth doing, is worth doing right.
(I didn't say that - someone else did, maybe it was that Greek fella ~
Anonymous)

> Peace be with you always FTR.


Thanks, and with you as well.
 
> I confess, though, that I am not sure what was/is meant by "bringing back
> any programs from outside of the known good media". Further advice would
> be appreciated.


He basically stipulated that the rebuild part was done without malware.
He defined what wasn't being put back on (malware) by stating that
what *was* being put back on was indeed clean (known good).

Your favorite gizmos, gadgets, widgets, and gewgaws probably are
not on the known good installation media. You want them back, so
you get them from your backups -- it's "here be dragons" time.

[snip]

> From what you have said (and reading between the lines for me!) all the
> work carried out to 'clean' a hard disk *could* be rendered useless if
> action is not taken to flash the EEPROM as well.


No, not useless - just incomplete. Would you be satisfied if the procedure
only disabled the malware? Or if it only removed some of it? How about
if it completely removes it but does nothing to correct whatever corruption
the malware caused? To me, I would want a flatten and rebuild to get me
back to a normal state - no ifs ands or buts. Most people have just been
ignoring the off disk code being loaded during boot because it has always
been assumed there is not enough room for any meaningful code to hide
there. Now the 'room' is expanding and it appears the meaningful code
can be made smaller - or rather the scope of 'meaningful' has shrunk.

> A question though. If a machine is infected in this way, is it not
> possible that in trying to use same to obtain replacement BIOS
> information, redirection to a 'spoof' site might occur?


The affected machine shouldn't be on a network of any kind.

> Would you recommend obtaining the up-to-date BIOS details from a known
> clean machine? (i.e. not use the infected machine at all).


Contact the manufacturer(s) of the motherboard (or otherboards) to
get the firmware reflashed with the correct code.

Is this guaranteed 100% malware free you ask??

Interesting point - if it never happened, they wouldn't need to do this:

http://mac.softpedia.com/progClean/iMac-AT...lean-32894.html

>> Now - how do we tell the world?


Whisper it in the streets...if you shout it from the rooftops they'll put
you in the loony-bin.
Ó¿Ò

(My apology in advance to anyone with a loony second ex-great
stepuncle-in-law twice removed who gets offended by my statement)

[snip]
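Since both 1PW ("MD5 checksums are certainly one of them") and FTR ("it's 'here be dragons' time") leave the vetting step as an exercise, here is one concrete way to do it, added here and not code from either of them. It assumes a manifest of known-good digests in the one-line-per-file form that md5sum/sha256sum write, and defaults to SHA-256 because MD5 collisions are practical today; pass algo="md5" for older manifests.

```python
"""Vet files 'brought back' from backups against a known-good manifest
(added example, not from the thread).

Manifest format (an assumption, matching md5sum/sha256sum output):
    <hex digest>  <relative path>
Any file under the restore root is classified as ok, mismatched (digest
differs), unexpected (not on the known-good list at all) or missing
(listed but not present).  Only 'ok' files should go back on the rebuilt PC.
"""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256", chunk=65536):
    """Stream a file through hashlib so large backups do not need to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'digest  path' lines into {path: digest}; blanks and # comments ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        entries[name.strip()] = digest.lower()
    return entries


def vet_restore(root, manifest_text, algo="sha256"):
    """Return (ok, unexpected, mismatched, missing), each a sorted list of paths."""
    expected = parse_manifest(manifest_text)
    ok, unexpected, mismatched = [], [], []
    present = set()
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            present.add(rel)
            if rel not in expected:
                unexpected.append(rel)       # nobody vouched for this file
            elif file_digest(full, algo) == expected[rel]:
                ok.append(rel)
            else:
                mismatched.append(rel)       # altered since the manifest was made
    missing = [p for p in expected if p not in present]
    return sorted(ok), sorted(unexpected), sorted(mismatched), sorted(missing)


def demo():
    """Constructed scenario: one clean file, one tampered file, one stray extra,
    and one manifest entry that was never restored."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "widget.exe"), "wb") as f:
        f.write(b"known good widget bytes\n")
    with open(os.path.join(root, "gadget.dll"), "wb") as f:
        f.write(b"gadget bytes PLUS something that was not there before\n")
    with open(os.path.join(root, "stray.scr"), "wb") as f:
        f.write(b"nobody put this on the list\n")
    manifest = "\n".join([
        "# constructed known-good list",
        hashlib.sha256(b"known good widget bytes\n").hexdigest() + "  widget.exe",
        hashlib.sha256(b"gadget bytes\n").hexdigest() + "  gadget.dll",
        hashlib.sha256(b"never restored\n").hexdigest() + "  gizmo.cfg",
    ])
    return vet_restore(root, manifest)


if __name__ == "__main__":
    for label, paths in zip(("ok", "unexpected", "mismatched", "missing"), demo()):
        print(f"{label}: {paths}")
```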
 
[snippers gone wild]

"On 11/12/2008 03:19 PM, ~BD~ sent:

>> From what you have said (and reading between the lines for me!) all the
>> work
>> carried out to 'clean' a hard disk *could* be rendered useless if action
>> is
>> not taken to flash the EEPROM as well.


"1PW" wrote

> Perhaps this step can be bypassed if an investigation shows that the
> infection(s) was/were limited to the hard disk drive(s).


Yes, but this is where flatten and rebuild *instead* of using malware
detection and removal tools - fails.

Hypothetical situation.

1) I've got 'I don't know what' malware on my system.
2) I'm told 'flatten and rebuild' is the expedient and only 100% sure way.
3) Been there - done that - but now when I boot it freezes with a very
colorful ribbon pattern on the screen just after POST.
 
From: "FromTheRafters"

Please stop engaging this troll. You are only filling his head with ideas he does NOT
understand.

He has already replied to a DNSChanger trojan post with...
"My subsequent discussions now lead me to believe that one needs to clear the
CMOS and probably flash the BIOS too if one wants to be sure of a clean
machine."

Pure FUD.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 
"~BD~" wrote in message
news:OchsASRRJHA.4992@TK2MSFTNGP05.phx.gbl...

> Thank you for explaining in more detail, FTR.


You're welcome.

> I've subsequently spent much time today 'Googling' - and learning new
> things!
>
> Now I'm wondering if there is some way that I could read the
> 'instructions' stored in the EEPROM - BIOS chip in my previous vocabulary
> (!). Perhaps you will advise if this is possible and, if so, just how I
> may do so.


It is possible - I don't know exactly how. But just like the MBR,
it is far easier to just overwrite it than it is to inspect it to determine
if it is authentic.
 
"David H. Lipman" wrote in message
news:ekOJ5zdRJHA.4524@TK2MSFTNGP06.phx.gbl...
> From: "FromTheRafters"
>
> Please stop engaging this troll. You are only filling his head with ideas
> he does NOT
> understand.
>
> He has already replied to a DNSChanger trojan post with...
> "My subsequent discussions now lead me to believe that one needs to clear
> the
> CMOS and probably flash the BIOS too if one wants to be sure of a clean
> machine."
>
> Pure FUD.


Sorry, I guess it *is* a little like handing a kid a loaded gun.
 
OK, this thread has been going for a while so I guess the big question is
"Is there a definitive procedure(s) for getting rid of malware?" I guess the
answer is no!

Bill Ridgeway
 
"Bill Ridgeway" wrote in message
news:OxbI$ceRJHA.588@TK2MSFTNGP06.phx.gbl...
> OK, this thread has been going for a while so I guess the big question is
> "Is there a definitive procedure(s) for getting rid of malware?" I guess
> the answer is no!


Sure, use the tools available to identify the culprit, follow the manual
removal instructions for the identified malware.

For those items where there is no identification or removal instructions,
use the methods (or similar) outlined in the video:

Advanced Malware Removal
-Mark Russinovich
http://www.microsoft.com/emea/spotlight/
Down near the bottom.
 
"FromTheRafters" wrote in message
news:OQHcRafRJHA.444@TK2MSFTNGP05.phx.gbl...
> "Bill Ridgeway" wrote in message
> news:OxbI$ceRJHA.588@TK2MSFTNGP06.phx.gbl...
>> OK, this thread has been going for a while so I guess the big question is
>> "Is there a definitive procedure(s) for getting rid of malware?" I guess
>> the answer is no!

>
> Sure, use the tools available to identify the culprit, follow the manual
> removal instructions for the identified malware.
>
> For those items where there is no identification or removal instructions,
> use the methods (or similar) outlined in the video:
>
> Advanced Malware Removal
> -Mark Russinovich
> http://www.microsoft.com/emea/spotlight/
> Down near the bottom.
>
>
>

I'd love to be able to watch the video, especially as it features Mark
Russinovich (with whom I worked directly, by email, trying to identify a
rootkit on my previous machine. It was over two years ago, before he joined
Microsoft).

However, I'm told "Microsoft Silverlight is not supported on your computer.
Your CPU does not support the SSE instruction set which is required by
Silverlight"

1.20 gigahertz AMD Athlon
128 kilobyte primary memory cache
256 kilobyte secondary memory cache

Am I alone in this regard? Will someone please explain? Is there an
alternative way to view? In anticipation ....... Thank you!

Dave

--
 
"FromTheRafters" wrote in message
news:eZ8tPydRJHA.1164@TK2MSFTNGP03.phx.gbl...
> [snippers gone wild]
>
> "On 11/12/2008 03:19 PM, ~BD~ sent:
>
>>> From what you have said (and reading between the lines for me!) all the
>>> work
>>> carried out to 'clean' a hard disk *could* be rendered useless if action
>>> is
>>> not taken to flash the EEPROM as well.

>
> "1PW" wrote
>
>> Perhaps this step can be bypassed if an investigation shows that the
>> infection(s) was/were limited to the hard disk drive(s).

>
> Yes, but this is where flatten and rebuild *instead* of using malware
> detection and removal tools - fails.
>
> Hypothetical situation.
>
> 1) I've got 'I don't know what' malware on my system.
> 2) I'm told 'flatten and rebuild' is the expedient and only 100% sure way.

> 3) .......... but now when I boot it freezes with a very
> colorful ribbon pattern on the screen just after POST.
>
>


I've no recollection of ever experiencing 3) FTR!

Perhaps that's something to which I may look forward?


Dave

--
 
>> Advanced Malware Removal
>> -Mark Russinovich
>> http://www.microsoft.com/emea/spotlight/
>> Down near the bottom.


> I'd love to be able to watch the video, especially as it features Mark
> Russinovich (with whom I worked directly, by email, trying to identify a
> rootkit on my previous machine. It was over two years ago, before he
> joined Microsoft).
>
> However, I'm told "Microsoft Silverlight is not supported on your
> computer. Your CPU does not support the SSE instruction set which is
> required by Silverlight"
>
> 1.20 gigahertz AMD Athlon
> 128 kilobyte primary memory cache
> 256 kilobyte secondary memory cache
>
> Am I alone in this regard? Will someone please explain? Is there an
> alternative way to view? In anticipation ....... Thank you!


I looked around the first time you asked, didn't find anything except
the PowerPoint presentation slides he used in the video.

It's like a wish sandwich - bread but no meat - without the speaker.

Go to another computer, like in a public library (if you're not banned)
...and view it there. It is not a short video, so be prepared.
 
"FromTheRafters" wrote in message
news:OO0hdBqRJHA.1164@TK2MSFTNGP03.phx.gbl...
>>> Advanced Malware Removal
>>> -Mark Russinovich
>>> http://www.microsoft.com/emea/spotlight/
>>> Down near the bottom.

>
>> I'd love to be able to watch the video, especially as it features Mark
>> Russinovich (with whom I worked directly, by email, trying to identify a
>> rootkit on my previous machine. It was over two years ago, before he
>> joined Microsoft).
>>
>> However, I'm told "Microsoft Silverlight is not supported on your
>> computer. Your CPU does not support the SSE instruction set which is
>> required by Silverlight"
>>
>> 1.20 gigahertz AMD Athlon
>> 128 kilobyte primary memory cache
>> 256 kilobyte secondary memory cache
>>
>> Am I alone in this regard? Will someone please explain? Is there an
>> alternative way to view? In anticipation ....... Thank you!

>
> I looked around the first time you asked, didn't find anything except
> the PowerPoint presentation slides he used in the video.
>
> It's like a wish sandwich - bread but no meat - without the speaker.


I very much appreciate that, FTR - thank you!


> Go to another computer, like in a public library (if you're not banned)
>
> ...and view it there. It is not a short video, so be prepared.



Good idea. Another thank you!

I did spend some time looking for and reading about 'the SSE instruction
set'. My conclusion was that it's high time I invested in a new machine.


Dave

--
 
Hello David,

I'm having my speech synthesizer read out this entire thread, and thought
you might like to know that I have chosen a "helium" voice for ~BD~ :-)

...just kidding!

regards, Richard
 
"Øyvind Granberg" wrote:

> Hi...
>
> There is a virus in my computer. I am convinced about that.
> I cannot download anything concerning updates to Ad-Aware or Spybot.
> I cannot download anything at all from Microsoft.com like the Outlook
> Connector or anything else I've tried.
> Neither can I download the aforementioned files from these sites with FF3,
> Google Chrome or Opera 9.26.
>
> When browsing using IE8, I get a message stating that a pop up has been
> prevented. Even on my own web pages where there is no pop up at all.
>
> Something is preventing me from downloading anything that I can use to
> remove it!?!?!
>
> I need help...
> Running Windows Vista Ultimate with all updates.
> AVG 8 Free
> Windows Defender
> Spybot once a week
> UAC disabled
> Firewall disabled
>
>
> Tried Bitdefender's online scanner and even that couldn't update it
> definition file.
> I have scanned thoroughly twice with AVG 8
> So too with Spybot and Windows defender.
>
> What is wrong, and how can I get rid of it?
>
> --
>
> Kind regards
> Øyvind Granberg
>
> tresfjording@live.no
> www.tresfjording.com
>
 