Windows XP Virus

On Mar 10, 10:05 am, Eric wrote:

> We've encountered a virus on one of our windows xp professional machines. It
> locks the computer up at random intervals.  We've cleaned the computer using
> multiple different anti-viruses which fixes the problem for a time, however
> the virus always comes back within a day.  We've used anti-rootkits and found
> nothing as well.
>
> It also seems to only lock the computer up if it is connected with the
> ethernet cable.
>
> Any suggestions would be greatly appreciated.




You did not say what scanners you're using or what seems to be found
with what you are using.

A lockup may not be caused by malicious software. Malicious software
would rather just be annoying in different ways. If you still have
the problem after running these scans, keep reading and you will be
able to figure it out.

Perform some scans for malicious software, then fix any remaining
issues:

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

To eliminate questions and guessing, please provide additional
information about your system.

Click Start, Run and in the box enter:

msinfo32

Click OK, and when the System Summary info appears, click Edit, Select
All, Copy and then paste the information back here.

There will be some personal information (like System Name and User
Name), and whatever appears to be private information to you, just
delete it from the pasted information.

Generate a crash dump on a system that is hanging (when it is broken),
then analyze the crash dump.

If your system stops responding, hangs or freezes and you can't figure
out why, you can force a BSOD which will create a crash dump file that
you can analyze and see what is running at the point of the freeze and
get some ideas that do not involve guesswork.

While it may seem odd to think about purposefully causing a Blue
Screen Of Death (BSOD), Microsoft includes such a provision in Windows
XP. The feature is built in to XP specifically to diagnose the problem
when a system stops responding and there is no trail in any of the
Event Logs, etc. about what might have happened.

Here's how to force your system to create a BSOD:

Before making registry changes, back up your registry with this popular
free and easy to use tool:

http://www.larshederer.homepage.t-online.de/erunt/

For PS/2 keyboards, launch the Registry Editor (Regedit.exe) and
navigate to:

HKLM\System\CurrentControlSet\Services\i8042prt\Parameters

For USB keyboards (this USB requirement is a rumor to me so far):

HKLM\System\CurrentControlSet\Services\kbdhid\Parameters

Click Edit, select New DWORD Value and name the new value
CrashOnCtrlScroll.

Double-click the CrashOnCtrlScroll DWORD Value, type 1 in the Value
Data text box, and click OK.

Close the Registry Editor and restart Windows XP.

When you want to cause a BSOD (when your system has stopped
responding), press and hold down the [Ctrl] key on the right side of
your keyboard, and then tap the [ScrollLock] key twice. Now you should
see the BSOD and you will have a crash dump file to analyze.

If your system reboots instead of displaying the BSOD, you'll have to
disable the Automatically Restart setting in the System Properties
dialog box. To do so, follow these steps:

Press [Windows]-Break.
Select the Advanced tab.
Click the Settings button in the Startup And Recovery panel.
Clear the Automatically Restart check box in the System Failure panel.
Click OK twice.

You can read about the feature here:

http://msdn.microsoft.com/en-us/library/cc266483.aspx

Now when your system locks up, force a BSOD and analyze the crash dump
for clues. You can usually narrow it down with certainty in literally
just a few minutes once you are set up to analyze the dump files. It
takes longer to get set up to analyze than it does to analyze! If you
don't want to learn how to do that, some helpful person will be happy
to analyze your crash dump for you.

There is no harm in leaving the feature enabled - you can leave it
enabled all the time with no performance hit, but if you are compelled
to remove it:

Launch the Registry Editor (Regedit.exe) and navigate to:

HKLM\System\CurrentControlSet\Services\i8042prt\Parameters

Select the CrashOnCtrlScroll value, click the Edit menu, and select
the Delete command.

Close the Registry Editor and restart Windows XP.
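The Regedit steps above, scripted so the change can be backed up, applied, checked and reverted from one place. This is an added example, not code from Jose's post or from Microsoft. It assumes PowerShell 2.0 on Windows XP SP3 run from an administrator session; the i8042prt and kbdhid paths and the CrashOnCtrlScroll value are the ones the post gives, and AutoReboot under CrashControl is the registry form of the "Automatically restart" check box the post tells you to clear.

```powershell
# Added example (not from the thread): automate the CrashOnCtrlScroll setup.
# Assumption: PowerShell 2.0 on Windows XP SP3, run as an administrator.

$KeyboardKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters',  # PS/2 keyboards
    'HKLM:\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters'     # USB keyboards (key may not exist yet)
)
$CrashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Backup-RegistryKey {
    # reg.exe export writes a .reg file you can double-click to undo the change
    # (the post also recommends a full registry backup with ERUNT; do that too).
    param([string]$PsPath)
    $regPath = $PsPath -replace '^HKLM:\\', 'HKLM\'
    $file = Join-Path $env:TEMP (($regPath -replace '[\\:]', '_') + '-' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.reg')
    if (Test-Path $PsPath) { & reg.exe export $regPath $file | Out-Null }
    return $file
}

function Enable-CrashOnCtrlScroll {
    foreach ($key in $KeyboardKeys + $CrashControl) { Backup-RegistryKey $key | Out-Null }
    foreach ($key in $KeyboardKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name CrashOnCtrlScroll -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Keep the BSOD on screen so the dump is written instead of the box rebooting.
    Set-ItemProperty -Path $CrashControl -Name AutoReboot -Value 0 -Type DWord
}

function Disable-CrashOnCtrlScroll {
    # The removal steps at the end of the post, applied to both keyboard keys.
    foreach ($key in $KeyboardKeys) {
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue
        }
    }
}

function Get-CrashOnCtrlScrollState {
    # Show what is configured so you can confirm it before rebooting.
    foreach ($key in $KeyboardKeys) {
        $value = (Get-ItemProperty -Path $key -Name CrashOnCtrlScroll -ErrorAction SilentlyContinue).CrashOnCtrlScroll
        New-Object PSObject -Property @{ Key = $key; CrashOnCtrlScroll = $value }
    }
    $auto = (Get-ItemProperty -Path $CrashControl -Name AutoReboot -ErrorAction SilentlyContinue).AutoReboot
    New-Object PSObject -Property @{ Key = $CrashControl; AutoReboot = $auto }
}

Enable-CrashOnCtrlScroll
Get-CrashOnCtrlScrollState | Format-List
Write-Host 'Reboot now; afterwards hold the right Ctrl key and tap ScrollLock twice to force the dump.'
```

Run `Disable-CrashOnCtrlScroll` followed by a reboot to undo it; the exported .reg files in %TEMP% restore the keys exactly as they were if anything else needs to be put back.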
 
"Jose" wrote in message

news:d9c5fcd7-65d7-4805-a545-b05938fc91ca@t20g2000yqe.googlegroups.com...

On Mar 10, 4:53 pm, EN59CVH wrote:



My systems do not act funny and if I ever see one that is acting

funny, it won't be for long.



Well in that case you don't need to do anything except to sit tight and

continue browsing the web.



hth
 
"MowGreen" wrote in message

news:e6FDcNKwKHA.5956@TK2MSFTNGP05.phx.gbl...



> *** Malware in System Restore can *NOT* infect a clean OS and is *not*

> active unless a restore point that includes it is used ***

> Period !!!

>




And with your small brain and correlated small penis, how do you know which

restore point includes the malware so the OP doesn't use?



You really need to brush up on what a restore point holds and what it does
when it is restored. What it doesn't do is to destroy any malware,
spyware or viruses; these files are left intact on the system.
 
"yb22okj" wrote in message

news:OXPzj0LwKHA.5036@TK2MSFTNGP02.phx.gbl...

>

> "MowGreen" wrote in message

> news:e6FDcNKwKHA.5956@TK2MSFTNGP05.phx.gbl...

>

>> *** Malware in System Restore can *NOT* infect a clean OS and is

>> *not* active unless a restore point that includes it is used ***

>> Period !!!

>>


>

> And with your small brain and correlated small penis, how do you know

> which restore point includes the malware so the OP doesn't use?

>

> You really need to brush up on what a restore point holds and what it

> does when it is restored. What it doesn't do is to destroy any

> malwares, spywares or a viruses; These files are left intact on the

> system.




My goodness, with a brain so big you can't zip your trousers, one would

think you could muster up a little reading comprehension! Try your best

to re-read what Mow wrote...I'm sure you will get it eventually!



If malware is found in a restore point, it cannot become active on the
system UNLESS a restore point containing the malware is used to restore
the system. Got it so far? If Malware is found in a restore point and
you want to prevent those points from being used, you can delete the
restore points. You can remove all restore points by turning off SR and
then turning it on again. You can alternately make a manual restore
point when you know the system is clean, and then use Disk Cleanup to
remove all but the most recent (clean) restore point.

--
Glen Ventura, MS MVP Oct. 2002 - Sept. 2009
A+
http://dts-l.net/
 
Ronin wrote:

> You have diagnosed an infection that absolutely, positively came from a

> SR restore point? You're absolutely certain that it didn't come from

> elsewhere? Do you mind sharing the information necessary to repeat the

> issue? I am perfectly able and eager to do so, and I have all the

> necessary equipment (i.e., a spare machine that I use for

> experimentation and a fair amount of experience analyzing system

> behavior.) Perhaps you can at least identify the virus? The more

> specific the better.

>

> Seriously, I can't imagine any way for something to execute itself from

> inside a SR restore point, but if it can be done I want to know all

> about it.

>




It was a long time ago and my recollection is that I zapped a virus with

Avast and it kept coming back until I nuked all the restore points. I'm

sorry I can't be more specific. Had I known you would have asked, I

would have taken notes ;-)



--

C
 
Darn! Oh well, better luck next time.



--

Ronin



"C" wrote in message

news:hnao5f$c9d$1@speranza.aioe.org...

> Ronin wrote:

>> You have diagnosed an infection that absolutely, positively came from a

>> SR restore point? You're absolutely certain that it didn't come from

>> elsewhere? Do you mind sharing the information necessary to repeat the

>> issue? I am perfectly able and eager to do so, and I have all the

>> necessary equipment (i.e., a spare machine that I use for experimentation

>> and a fair amount of experience analyzing system behavior.) Perhaps you

>> can at least identify the virus? The more specific the better.

>>

>> Seriously, I can't imagine any way for something to execute itself from

>> inside a SR restore point, but if it can be done I want to know all about

>> it.

>>


>

> It was a long time ago and my recollection is that I zapped a virus with

> Avast and it kept coming back until I nuked all the restore points. I'm

> sorry I can't be more specific. Had I known you would have asked, I would

> have taken notes ;-)

>

> --

> C
 
On Thu, 11 Mar 2010 13:37:04 +0100, C wrote:



> Ronin wrote:

> > You have diagnosed an infection that absolutely, positively came from a

> > SR restore point? You're absolutely certain that it didn't come from

> > elsewhere? Do you mind sharing the information necessary to repeat the

> > issue? I am perfectly able and eager to do so, and I have all the

> > necessary equipment (i.e., a spare machine that I use for

> > experimentation and a fair amount of experience analyzing system

> > behavior.) Perhaps you can at least identify the virus? The more

> > specific the better.

> >

> > Seriously, I can't imagine any way for something to execute itself from

> > inside a SR restore point, but if it can be done I want to know all

> > about it.

> >


>

> It was a long time ago and my recollection is that I zapped a virus with

> Avast and it kept coming back until I nuked all the restore points.






It undoubtedly came back in the sense that Avast continued to report

its presence. However it never really went away because it was still

there in the restore points.



And most important, although Avast continued to report that it was

there, it was completely harmless in the restore points.





> I'm

> sorry I can't be more specific. Had I known you would have asked, I

> would have taken notes ;-)

>

> --

> C




--

Ken Blake, Microsoft MVP (Windows Desktop Experience) since 2003

Please Reply to the Newsgroup
 
Ken Blake, MVP wrote:

>> It was a long time ago and my recollection is that I zapped a virus with

>> Avast and it kept coming back until I nuked all the restore points.


>

>

> It undoubtedly came back in the sense that Avast continued to report

> its presence. However it never really went away because it was still

> there in the restore points.

>

> And most important, although Avast continued to report that it was

> there, it was completely harmless in the restore points.

>

>

>> I'm

>> sorry I can't be more specific. Had I known you would have asked, I

>> would have taken notes ;-)

>>

>> --

>> C


>




That's not the only place where Avast reported that it was. It kept

putting itself back into Windows/System32. Once I nuked the one in

System 32 and flushed the restore points, no more virus anywhere.



--

C
 
MowGreen wrote:

> C wrote:

>> Eric wrote:

>>> We've encountered a virus on one of our windows xp professional

>>> machines. It locks the computer up at random intervals. We've cleaned

>>> the computer using multiple different anti-viruses which fixes the

>>> problem for a time, however the virus always comes back within a day.

>>> We've used anti-rootkits and found nothing as well.

>>> It also seems to only lock the computer up if it is connected with the

>>> ethernet cable.

>>> Any suggestions would be greatly appreciated.


>>

>> Try removing all the system restore points after doing another malware

>> clean up as malware can hang out in there.

>>


>

> Let's end this misconception, misunderstanding, or miscomprehension -

>

> *** Malware in System Restore can *NOT* infect a clean OS and is *not*

> active unless a restore point that includes it is used ***

> Period !!!

>

> MowGreen

> ================

> *-343-* FDNY

> Never Forgotten

> ================

>

> banthecheck.com

> "Security updates should *never* have *non-security content* prechecked






Nope.



About a year ago I repaired a machine that had been compromised.



It had been used for on-line banking and credit card transactions

and two accounts had been hacked.



First thing I did was scan for root kits in all the places one would

expect.



Nothing found.



After giving the machine a thorough scan...

the root kit was found "hiding" in the restore volume!
 
philo wrote:



> About a year ago I repaired a machine that had been compromised.

>

> It had been used for on-line banking and credit card transactions

> and two accounts had been hacked.

>

> First thing I did was scan for root kits in all the places one would

> expect.

>

> Nothing found.

>

> After giving the machine a thorough scan...

> the root kit was found "hiding" in the restore volume!




So what? That "restore volume" wasn't active & posed no threat unless you
or the user selected that particular Restore Point.

As for detecting rootkits:

Backdoor.Tidserv [AKA Win32/Alureon] and MS10-015

Backdoor.Tidserv does a very good job in that sense, especially with the
latest version (TDL3), which uses an advanced rootkit technology to hide its
presence on a system by infecting one of the low-level kernel drivers and
then covering its tracks. *While the rootkit is active there is no easy way
to detect the infection*, and because it goes so deep into the kernel, most
users cannot see anything wrong in the system...Even worse, because the
infected driver is critical for system boot-up, Windows will not boot in Safe
Mode either [after having installed MS10-015 on an infected machine].
[*emphasis mine*]

http://www.symantec.com/connect/blogs/tidserv-and-ms10-015

Tdss rootkit silently owns the net

Tdss rootkit 3rd variant is the last member of Tdss rootkit family that is
quickly spreading around the world. While a number of rootkits are just
developed as a proof of concept, this is not the case. Tdss rootkit is well
known to antivirus companies because of its goal to get total control of the
infected PCs and using them as zombies for its botnet.

During these years it has always shown a team of skilled people behind it,
who always applied advanced techniques *often able to bypass antirootkit
softwares*. Actually, this last variant could be easily named as the
stealthiest rootkit in the wild.

This infection is bringing all together the best of MBR rootkit, the best of
Rustock.C and the experience of old Tdss variants. Result is an infection
that is quickly spreading on the net and it is *undetected by almost every
security software and 3rd party anti rootkit software*.

...currently [20 Nov-09] *no antirootkit is able to bypass disk filtering
technique* used by Tdss rootkit but, even if it was possible, this rootkit
could not be detected by file size cross check because file size of the
original and infected files are exactly the same. [*emphasis mine*]

http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html
 
PA Bear [MS MVP] wrote:

> philo wrote:

>

>> About a year ago I repaired a machine that had been compromised.

>>

>> It had been used for on-line banking and credit card transactions

>> and two accounts had been hacked.

>>

>> First thing I did was scan for root kits in all the places one would

>> expect.

>>

>> Nothing found.

>>

>> After giving the machine a thorough scan...

>> the root kit was found "hiding" in the restore volume!


>

> So what? That "restore volume" wasn't active & posed no threat unless

> you or the user selected that particular Restore Point.

>








You missed the point entirely..



the root kit was able to "phone home"



from within the restore volume.



those Russian chaps are rather clever
 
philo wrote:

>>

>>> About a year ago I repaired a machine that had been compromised.

>>>

>>> It had been used for on-line banking and credit card transactions

>>> and two accounts had been hacked.

>>>

>>> First thing I did was scan for root kits in all the places one would

>>> expect.

>>>

>>> Nothing found.

>>>

>>> After giving the machine a thorough scan...

>>> the root kit was found "hiding" in the restore volume!


>>

>> So what? That "restore volume" wasn't active & posed no threat unless

>> you or the user selected that particular Restore Point.


>

> You missed the point entirely..

>

> the root kit was able to "phone home"

> from within the restore volume.




Sez who?
 
philo wrote:

> PA Bear [MS MVP] wrote:

>> philo wrote:

>>

>>> About a year ago I repaired a machine that had been compromised.

>>>

>>> It had been used for on-line banking and credit card transactions

>>> and two accounts had been hacked.

>>>

>>> First thing I did was scan for root kits in all the places one would

>>> expect.

>>>

>>> Nothing found.

>>>

>>> After giving the machine a thorough scan...

>>> the root kit was found "hiding" in the restore volume!


>>

>> So what? That "restore volume" wasn't active & posed no threat

>> unless you or the user selected that particular Restore Point.

>>


>

>

>

> You missed the point entirely..

>

> the root kit was able to "phone home"

>

> from within the restore volume.

>

> those Russian chaps are rather clever




If the rootkit was phoning home, it was doing so from a location other
than the restore volume. Just because you are unable to detect it
doesn't mean it isn't there!
 
Daave wrote:

> philo wrote:

>> PA Bear [MS MVP] wrote:

>>> philo wrote:

>>>

>>>> About a year ago I repaired a machine that had been compromised.

>>>>

>>>> It had been used for on-line banking and credit card transactions

>>>> and two accounts had been hacked.

>>>>

>>>> First thing I did was scan for root kits in all the places one would

>>>> expect.

>>>>

>>>> Nothing found.

>>>>

>>>> After giving the machine a thorough scan...

>>>> the root kit was found "hiding" in the restore volume!

>>> So what? That "restore volume" wasn't active & posed no threat

>>> unless you or the user selected that particular Restore Point.

>>>


>>

>>

>> You missed the point entirely..

>>

>> the root kit was able to "phone home"

>>

>> from within the restore volume.

>>

>> those Russian chaps are rather clever


>

> If the rootkit was phoing home, it was doing so from a location other

> than the restore volume. Just because you are unable to detect it

> doesn't mean it isn't there!

>

>






I'll answer the both of you here:



Wrong
 
philo wrote:

> Daave wrote:

>> philo wrote:

>>> PA Bear [MS MVP] wrote:

>>>> philo wrote:

>>>>

>>>>> About a year ago I repaired a machine that had been compromised.

>>>>>

>>>>> It had been used for on-line banking and credit card transactions

>>>>> and two accounts had been hacked.

>>>>>

>>>>> First thing I did was scan for root kits in all the places one

>>>>> would expect.

>>>>>

>>>>> Nothing found.

>>>>>

>>>>> After giving the machine a thorough scan...

>>>>> the root kit was found "hiding" in the restore volume!

>>>> So what? That "restore volume" wasn't active & posed no threat

>>>> unless you or the user selected that particular Restore Point.

>>>>

>>>

>>>

>>> You missed the point entirely..

>>>

>>> the root kit was able to "phone home"

>>>

>>> from within the restore volume.

>>>

>>> those Russian chaps are rather clever


>>

>> If the rootkit was phoing home, it was doing so from a location other

>> than the restore volume. Just because you are unable to detect it

>> doesn't mean it isn't there!

>>

>>


>

>

> I'll answer the both of you here:

>

> Wrong




Unsubstantiated.



It has already been established that certain rootkits are

next-to-impossible to detect.



The rootkit that you say was "hiding" in the restore point obviously

wasn't hidden! However, the rootkit very likely remained in the system

(the restore volume doesn't count unless you use SR, using that

particular restore point), hidden from you. And your situation is not

the only one.
 
"Daave" wrote in message

news:Osej4ZwwKHA.4532@TK2MSFTNGP05.phx.gbl...

> philo wrote:

>> Daave wrote:

>>> philo wrote:

>>>> PA Bear [MS MVP] wrote:

>>>>> philo wrote:

>>>>>

>>>>>> About a year ago I repaired a machine that had been compromised.

>>>>>>

>>>>>> It had been used for on-line banking and credit card transactions

>>>>>> and two accounts had been hacked.

>>>>>>

>>>>>> First thing I did was scan for root kits in all the places one

>>>>>> would expect.

>>>>>>

>>>>>> Nothing found.

>>>>>>

>>>>>> After giving the machine a thorough scan...

>>>>>> the root kit was found "hiding" in the restore volume!

>>>>> So what? That "restore volume" wasn't active & posed no threat

>>>>> unless you or the user selected that particular Restore Point.

>>>>>

>>>>

>>>>

>>>> You missed the point entirely..

>>>>

>>>> the root kit was able to "phone home"

>>>>

>>>> from within the restore volume.

>>>>

>>>> those Russian chaps are rather clever

>>>

>>> If the rootkit was phoing home, it was doing so from a location

>>> other

>>> than the restore volume. Just because you are unable to detect it

>>> doesn't mean it isn't there!

>>>

>>>


>>

>>

>> I'll answer the both of you here:

>>

>> Wrong


>

> Unsubstantiated.

>

> It has already been established that certain rootkits are

> next-to-impossible to detect.

>

> The rootkit that you say was "hiding" in the restore point obviously

> wasn't hidden! However, the rootkit very likely remained in the system

> (the restore volume doesn't count unless you use SR, using that

> particular restore point), hidden from you. And your situation is not

> the only one.




Exactly. The only reason the rootkit can be detected in the restore
points IS because it is INACTIVE. The whole mode of operation of a root
kit (especially recent ones) is to be undetectable from within Windows.
Current root kits will not be detected by root kit scanners that run
from within Windows. Often a file will be detected as the root kit
because it was put there as a decoy by the root kit. Current root kits
infect system files and are literally undetectable unless a scan is done
from outside Windows (while Windows is not booted, IOW).
--
Glen Ventura, MS MVP Oct. 2002 - Sept. 2009
A+
http://dts-l.net/
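Glen's point, that a driver-level rootkit has to be looked for from outside the running Windows, and the Prevx text PA Bear quoted earlier, that the infected driver keeps the original file size, both come down to one defender's check: hash the driver files once from inside the live system and once from the same disk attached to a clean machine, then compare the two views. Below is an added example of that cross-view comparison; it is not code from the thread or from any of the vendors named in it. It assumes PowerShell 2.0 or later on the clean machine, and every file name, size, hash and drive letter in it is constructed sample data.

```powershell
# Added example (not from the thread): cross-view check of kernel driver files.
# Assumption: PowerShell 2.0 or later; all sample names, sizes and hashes below
# are constructed, and the drive letters in the usage comment are placeholders.

function Get-FileManifest {
    # Record size and SHA-256 for each driver under $Root, keyed by relative path
    # so the live and offline copies of the same tree can be matched up.
    param([string]$Root, [string]$Filter = '*.sys')
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $manifest = @{}
    foreach ($f in Get-ChildItem -Path $Root -Filter $Filter -Recurse -Force -ErrorAction SilentlyContinue) {
        $stream = $f.OpenRead()
        try {
            $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally {
            $stream.Close()
        }
        $rel = $f.FullName.Substring($Root.Length).TrimStart('\').ToLower()
        $manifest[$rel] = @{ Size = $f.Length; Hash = $hash }
    }
    return $manifest
}

function Compare-Views {
    # Flag files hidden from one view and files whose content differs between
    # views. Size is reported but never used as the verdict, because the
    # infected driver can keep exactly the original size.
    param([hashtable]$Live, [hashtable]$Offline)
    $findings = @()
    foreach ($name in $Offline.Keys) {
        if (-not $Live.ContainsKey($name)) {
            $findings += New-Object PSObject -Property @{ File = $name; Finding = 'on disk but hidden from the live OS' }
        } elseif ($Live[$name].Hash -ne $Offline[$name].Hash) {
            $note = if ($Live[$name].Size -eq $Offline[$name].Size) { 'same size, different content' } else { 'size and content differ' }
            $findings += New-Object PSObject -Property @{ File = $name; Finding = "live view does not match disk ($note)" }
        }
    }
    foreach ($name in $Live.Keys) {
        if (-not $Offline.ContainsKey($name)) {
            $findings += New-Object PSObject -Property @{ File = $name; Finding = 'shown by the live OS but absent on disk' }
        }
    }
    return $findings
}

# Constructed sample manifests standing in for two real scans: sample_b.sys has
# the same size in both views but different content, and sample_c.sys is
# missing from the live view entirely.
$liveSample = @{
    'sample_a.sys' = @{ Size = 96512;  Hash = ('a' * 64) }
    'sample_b.sys' = @{ Size = 182656; Hash = ('b' * 64) }
}
$offlineSample = @{
    'sample_a.sys' = @{ Size = 96512;  Hash = ('a' * 64) }
    'sample_b.sys' = @{ Size = 182656; Hash = ('c' * 64) }
    'sample_c.sys' = @{ Size = 4096;   Hash = ('d' * 64) }
}
Compare-Views -Live $liveSample -Offline $offlineSample | Format-Table File, Finding -AutoSize

# Real use (drive letters are placeholders): hash from inside the suspect
# machine, then attach its disk to a clean machine and hash the same tree again.
#   $live    = Get-FileManifest -Root 'C:\WINDOWS\system32\drivers'
#   $offline = Get-FileManifest -Root 'E:\WINDOWS\system32\drivers'
#   Compare-Views -Live $live -Offline $offline
```

The live manifest is the untrusted side: anything that filters disk reads on the running system will feed the hashing loop whatever it wants it to see, which is exactly why the offline manifest, taken where nothing from the suspect disk is executing, is the reference. A clean disk gives an empty result; any finding is a file to pull from the offline mount and examine.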
 
glee wrote:

> "Daave" wrote in message

> news:Osej4ZwwKHA.4532@TK2MSFTNGP05.phx.gbl...

>> philo wrote:

>>> Daave wrote:

>>>> philo wrote:

>>>>> PA Bear [MS MVP] wrote:

>>>>>> philo wrote:

>>>>>>

>>>>>>> About a year ago I repaired a machine that had been compromised.

>>>>>>>

>>>>>>> It had been used for on-line banking and credit card

>>>>>>> transactions and two accounts had been hacked.

>>>>>>>

>>>>>>> First thing I did was scan for root kits in all the places one

>>>>>>> would expect.

>>>>>>>

>>>>>>> Nothing found.

>>>>>>>

>>>>>>> After giving the machine a thorough scan...

>>>>>>> the root kit was found "hiding" in the restore volume!

>>>>>> So what? That "restore volume" wasn't active & posed no threat

>>>>>> unless you or the user selected that particular Restore Point.

>>>>>>

>>>>>

>>>>>

>>>>> You missed the point entirely..

>>>>>

>>>>> the root kit was able to "phone home"

>>>>>

>>>>> from within the restore volume.

>>>>>

>>>>> those Russian chaps are rather clever

>>>>

>>>> If the rootkit was phoing home, it was doing so from a location

>>>> other

>>>> than the restore volume. Just because you are unable to detect it

>>>> doesn't mean it isn't there!

>>>>

>>>>

>>>

>>>

>>> I'll answer the both of you here:

>>>

>>> Wrong


>>

>> Unsubstantiated.

>>

>> It has already been established that certain rootkits are

>> next-to-impossible to detect.

>>

>> The rootkit that you say was "hiding" in the restore point obviously

>> wasn't hidden! However, the rootkit very likely remained in the

>> system (the restore volume doesn't count unless you use SR, using

>> that particular restore point), hidden from you. And your situation

>> is not the only one.


>

> Exactly. The only reason the rootkit can be detected in the restore

> points IS because it is INACTIVE. The whole mode of operation of a

> root kit (especially recent ones) is to be undetectable from within

> Windows. Current root kits will not be detected by root kit scanners

> that run from within Windows. Often a file will be detected as the

> root kit because it was put there as a decoy by the root kit. Current

> root kits infect system files and are literally undetectable

> unless a scan is done from outside Windows (while Windows is not

> booted, IOW).




Very good explanation!
 
Daave wrote:

> philo wrote:

>> Daave wrote:

>>> philo wrote:

>>>> PA Bear [MS MVP] wrote:

>>>>> philo wrote:

>>>>>

>>>>>> About a year ago I repaired a machine that had been compromised.

>>>>>>

>>>>>> It had been used for on-line banking and credit card transactions

>>>>>> and two accounts had been hacked.

>>>>>>

>>>>>> First thing I did was scan for root kits in all the places one

>>>>>> would expect.

>>>>>>

>>>>>> Nothing found.

>>>>>>

>>>>>> After giving the machine a thorough scan...

>>>>>> the root kit was found "hiding" in the restore volume!

>>>>> So what? That "restore volume" wasn't active & posed no threat

>>>>> unless you or the user selected that particular Restore Point.

>>>>>

>>>>

>>>> You missed the point entirely..

>>>>

>>>> the root kit was able to "phone home"

>>>>

>>>> from within the restore volume.

>>>>

>>>> those Russian chaps are rather clever

>>> If the rootkit was phoing home, it was doing so from a location other

>>> than the restore volume. Just because you are unable to detect it

>>> doesn't mean it isn't there!

>>>

>>>


>>

>> I'll answer the both of you here:

>>

>> Wrong


>

> Unsubstantiated.

>

> It has already been established that certain rootkits are

> next-to-impossible to detect.

>

> The rootkit that you say was "hiding" in the restore point obviously

> wasn't hidden! However, the rootkit very likely remained in the system

> (the restore volume doesn't count unless you use SR, using that

> particular restore point), hidden from you. And your situation is not

> the only one.

>

>




I used the word "hiding"

as I needed to scan the drive from another system to detect it.



The rootkit was designed to operate from within the restore volume.



It's people such as you who think their machines are secure

that are vulnerable to the hackers



Ignorance is bliss as they say..

dream on.
 
"philo" wrote in message

news:ucqdnVpQZICtwgHWnZ2dnUVZ_tOdnZ2d@ntd.net...

> Daave wrote:

>> philo wrote:

>>> Daave wrote:

>>>> philo wrote:

>>>>> PA Bear [MS MVP] wrote:

>>>>>> philo wrote:

>>>>>>

>>>>>>> About a year ago I repaired a machine that had been compromised.

>>>>>>>

>>>>>>> It had been used for on-line banking and credit card

>>>>>>> transactions

>>>>>>> and two accounts had been hacked.

>>>>>>>

>>>>>>> First thing I did was scan for root kits in all the places one

>>>>>>> would expect.

>>>>>>>

>>>>>>> Nothing found.

>>>>>>>

>>>>>>> After giving the machine a thorough scan...

>>>>>>> the root kit was found "hiding" in the restore volume!

>>>>>> So what? That "restore volume" wasn't active & posed no threat

>>>>>> unless you or the user selected that particular Restore Point.

>>>>>>

>>>>>

>>>>> You missed the point entirely..

>>>>>

>>>>> the root kit was able to "phone home"

>>>>>

>>>>> from within the restore volume.

>>>>>

>>>>> those Russian chaps are rather clever

>>>> If the rootkit was phoing home, it was doing so from a location

>>>> other

>>>> than the restore volume. Just because you are unable to detect it

>>>> doesn't mean it isn't there!

>>>>

>>>>

>>>

>>> I'll answer the both of you here:

>>>

>>> Wrong


>>

>> Unsubstantiated.

>>

>> It has already been established that certain rootkits are

>> next-to-impossible to detect.

>>

>> The rootkit that you say was "hiding" in the restore point obviously

>> wasn't hidden! However, the rootkit very likely remained in the

>> system (the restore volume doesn't count unless you use SR, using

>> that particular restore point), hidden from you. And your situation

>> is not the only one.


>

> I used the word "hiding"

> as I needed to scan the drive from another system to detect it.

>

> The rootkit was designed to operate from within the restore volume.

>

> It's people such as you who think their machines are secure

> that are vulnerable to the hackers

>

> Ignorance is bliss as they say..

> dream on.




Oh really? Name the rootkit that you claim was active and running from

inside a restore point. Name it, please....because everyone working for

every anti-malware company and every malware removal forum in existence

around the world would love to know which rootkit can do this...there is

no documentation anywhere that such a rootkit exists or is even

possible.

--

Glen Ventura, MS MVP Oct. 2002 - Sept. 2009

A+

http://dts-l.net/
 
philo wrote:

> Daave wrote:

>> philo wrote:

>>> Daave wrote:

>>>> philo wrote:

>>>>> PA Bear [MS MVP] wrote:

>>>>>> philo wrote:

>>>>>>

>>>>>>> About a year ago I repaired a machine that had been compromised.

>>>>>>>

>>>>>>> It had been used for on-line banking and credit card

>>>>>>> transactions and two accounts had been hacked.

>>>>>>>

>>>>>>> First thing I did was scan for root kits in all the places one

>>>>>>> would expect.

>>>>>>>

>>>>>>> Nothing found.

>>>>>>>

>>>>>>> After giving the machine a thorough scan...

>>>>>>> the root kit was found "hiding" in the restore volume!

>>>>>> So what? That "restore volume" wasn't active & posed no threat

>>>>>> unless you or the user selected that particular Restore Point.

>>>>>>

>>>>>

>>>>> You missed the point entirely..

>>>>>

>>>>> the root kit was able to "phone home"

>>>>>

>>>>> from within the restore volume.

>>>>>

>>>>> those Russian chaps are rather clever

>>>> If the rootkit was phoing home, it was doing so from a location

>>>> other than the restore volume. Just because you are unable to

>>>> detect it doesn't mean it isn't there!

>>>>

>>>>

>>>

>>> I'll answer the both of you here:

>>>

>>> Wrong


>>

>> Unsubstantiated.

>>

>> It has already been established that certain rootkits are

>> next-to-impossible to detect.

>>

>> The rootkit that you say was "hiding" in the restore point obviously

>> wasn't hidden! However, the rootkit very likely remained in the

>> system (the restore volume doesn't count unless you use SR, using

>> that particular restore point), hidden from you. And your situation

>> is not the only one.

>>

>>


>

> I used the word "hiding"

> as I needed to scan the drive from another system to detect it.

>

> The rootkit was designed to operate from within the restore volume.




Please provide documentation.
 