Precautions needed during scanning? - Page 2


Re: Precautions needed during scanning?


| On Fri, 8 Oct 2010 06:29:56 -0400, "David H. Lipman"


[...]
| Well, I don't know much about SATA yet, but it has an L shaped
| connector slot on both ends of the included cable.  That means SATA
| iiuc, right?

eSATA means External SATA and has a different cable than plain SATA, which is
internal cabling.  If the cable is an 'L' shape it is just SATA.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Precautions needed during scanning?


[...]

[...]

If Kaspersky is false alarming on a standard MBR, that would be very
embarrassing for them, and I suspect more than one person would be here
asking about it. Even fairly common non-standard MBRs should have been
vetted by the QC process.



Re: Precautions needed during scanning?


[...]

Just a thought. :)


--
Some people are like a Slinky. Not much good for anything, but you can't
help but smile when one tumbles down the stairs.

Re: Precautions needed during scanning?

[...]

I'm pretty sure now it was really a problem, but that means the other
five software things I used fail to notice the problem.

Re: Precautions needed during scanning?


[...]

It would have been nice to be able to acquire a dump of that mad mbr
for a closer inspection... :(


--
Some people are like a Slinky. Not much good for anything, but you
can't help but smile when one tumbles down the stairs.

Re: Precautions needed during scanning?



[...]
| It would have been nice to be able to acquire a dump of that mad mbr
| for a closer inspection... :(


I'm sure Gmer and Ad what like to have it as well  :-)

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Precautions needed during scanning?

On Fri, 15 Oct 2010 18:26:21 -0400, "David H. Lipman"

[...]

I wish I'd thought of that.  If it comes again somewhere, I still
don't know how to copy an mbr.


Re: Precautions needed during scanning?


| On Fri, 15 Oct 2010 18:26:21 -0400, "David H. Lipman"



[...]
| I wish I'd thought of that.  If it comes again somewhere, I still
| don't know how to copy an mbr.

There are utilities for capturing it.  All you have to do is ask.


--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp
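The question of how to copy an MBR, and the earlier point about false alarms on a standard XP MBR, both come down to reading the first 512 bytes of the disk and comparing them with a known-good sector. The Python below is an added example, not a tool from the thread or from Dave: it parses an MBR dump, hashes the boot code against a baseline, and flags a replaced boot sector or an odd partition table. The sample sectors, the disk signature and the "known-good" hash are all constructed here; a real baseline would be hashed from a clean install of the same Windows version.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439 hold the boot code; the 4-byte disk signature follows
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "partitions": parts}

def check_mbr(sector: bytes, known_good: set) -> tuple:
    """Return (parsed info, findings); an empty findings list means nothing stood out."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] not in known_good:
        findings.append("boot code does not match any known-good image")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    return info, findings

def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed MBR so the checks run offline without touching a real disk."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)  # constructed disk signature
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)

# Constructed known-good boot code (a real baseline would be hashed from a clean install)
# with one bootable NTFS partition starting at LBA 63, as XP-era disks commonly had.
CLEAN_BOOT = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(BOOT_CODE_LEN, b"\x00")
PARTS = [(0x80, 0x07, 63, 20_000_000)]
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT).hexdigest()}
SAMPLE_CLEAN = build_sample_mbr(CLEAN_BOOT, PARTS)
# Same partition table, different boot code: the shape of a bootkit, which swaps the code but
# leaves the table alone so Windows still starts and nothing looks wrong from inside the OS.
SAMPLE_TAMPERED = build_sample_mbr(b"\xeb\xfe" + CLEAN_BOOT[2:], PARTS)
```

To inspect a real disk, feed `check_mbr` the first 512 bytes of the raw device read with administrator rights (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux), and compare against a hash taken from a known-clean install rather than the constructed value above.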



Re: Precautions needed during scanning?

[...]

Assuming the machine uses a standard XP MBR, that should do it (for the
MBR).

Also assuming that Kaspersky was thorough with dealing with malware
*files*. As Dustin pointed out, a malicious sys file being executed
after the MBR etc...hands off to the OS could revert you back to square
one.

Some rootkits might write the displaced MBR code directly to the
harddrive (not in a *file*), but I'm not sure which ones do this (as I
recall, TDSS is a "family" name). Anyway, any such hidden code would be
neutered - as an active component would be needed in order to access it.

[...]

I'm thinking that they mean the "database" - not the program per se. I'm
sure they realize that a database a week old may prove useless for many
users (malware is a fast-paced business).

[...]

Yes, that's how it works with worms and viruses. Are we talking about
'Rootkit.win32.TDSS.mbr'  specifically (which is neither worm nor virus,
but a rootkit in support of related malware), or the varied and sundry
malware collection? It might be worthwhile to mention that some malware
components can be dropped by other unrelated malware and when executing
can in turn bring in more unrelated malware.

(all of which, if "known", Kaspersky should be capable of dealing with)

[...]

Yes, most people like to have them on read-only media, I think they're
just saying that you should create *fresh* read-only media from an
updated "database" if you insist on using read-only (Write Once Read
Many) media. The whole idea is to not be executing malware while
rescuing a system. If the malware isn't executing, it won't "spread" to
the read/write media (although one might inadvertently copy some
components there).

[...]

I don't know, but I assume that is correct.

[...]

Yes, I would think so, that is if those people desire to do an
unattended scan. Many people like to take advantage of the ability for a
scanner to operate in the background on a schedule while they continue
to work on other computer tasks, maybe that is why it is the default.

...although, on a rescue CD, I don't really see the point. I would much
rather check a log at the end of the scan.

That being said, that's not how I use my resident and on-demand
scanners. I have Avira active and ClamWin doing an on-demand scan, every
file ClamWin accesses gets scanned also (on-access) by Avira. Twice the
fun when my malware directory gets scanned.

[...]

According to my unique definition of "heavily infected" none of this
should be done.

Flatten/Rebuild!

If that's not an option, you seem to be on the right track (but do back
ups first, and convince the user of the importance of doing them). Next
time, Flatten/Rebuild would be the easier option.

[...]

It's just a place that malware can hide, you would think that an
on-access scanner would be able to catch such when they are expanded as
a matter of course (provided it is 'looking' at the time, which might
not be the case).



Re: Precautions needed during scanning?

On Thu, 7 Oct 2010 08:21:33 -0400, "FromTheRafters"

[...]

Okay.

No.  Just a general question.  I wrote these three questions before
Kaspersky found that one.

[...]

Yes, that's well worth mentioning, because afaik, I started with two
instances of one thing, and yesterday I had 15 or 20 different kinds
of malware.**   I suspected it wasn't a coincidence.

**Not sure how many I have now.

[...]

Okay, good.  So far they all download updates, added virus
definitions.   Panda took an hour to do that, fwiw, but I had plenty
else to do while waiting.

[...]
Thanks,

And thanks a lot for the whole post

Re: Precautions needed during scanning?

[...]



You're welcome, and good luck.



Re: Precautions needed during scanning?

[...]

Follow-up on what has happened since last Wednesday:

AFAICT the computer is fixed now. I'm going to leave it up to my
friend to test more functions, although she uses very few functions.
So this is just to let you all know what I did and what happened, since
you were nice enough to help me.

What I did since Wednesday:

After scanning with Panda and Kaspersky, as described above, I scanned
with BitDefender and it found and deleted 5 infected files with four
different trojans.

Then I used the CD version of AVG and found and deleted only 3
tracking cookies.

Sometime during this process, I tried to get into the BIOS, but
couldn't because a password requirement had suddenly appeared (I'd
entered the BIOS before with no password) but I decided this wasn't a
critical problem. Later I found software that decoded the hash number,
and I went into the BIOS and removed the password.

Then I debated about fixing the MBR problem right away or trying to
start Windows.  I chose the latter.

Windows partially started, with a few error boxes.

One was SVCHOST.EXE Application error. The instruction at "0x00000000"
referenced memory at "0x00000000".  The memory could not be "written".
I googled this but didn't find much with both same addresses.  

Also, it only got to the Choose Persona screen and I would click on
one, and 3 seconds later it would close the persona with the message
Saving Settings.  I could either repeat that failed attempt or exit.

I thought of the mbr problem and even though it now doesn't seem
related, I thought I should fix it.  I tried to use XP installation
disk Recovery Console fixMBR to fix the MBR, but it would read the CD
for a couple minutes, the CD light would flash, and then it would
start to boot as if there were no CD.  Actually, the first couple
times were worse. This happened very quickly, it paused about 10
seconds, and I didn't even see the light go on, and since I knew I had
deleted parts of windows, I was also scared that I had deleted/ruined
that part of the file system that could use a CD.  I didn't know what
I would do then, if it didn't start and wouldn't read a CD.  I went to
sleep thinking maybe I had totally ruined her computer.

The next day I tried one of the AV boot CD's again, and it could read
that, even though it still couldn't read my XP CD, a copy admittedly,
but it did work on my computer.  Hmmm.  Maybe the problem was that it
wasn't HP?  But I've read that any WinXP Install CD should be able to
repair an XP installation.


Even though I checked every infected file before deleting them and
didn't see anything I thought basic to Windows, I figured I had
deleted something important**, and decided to install Windows over the
current Windows using the HP XP SP3 CD that came with the computer.

**Indeed I had.  By this time I had forgotten what all was on the list
that Panda, the first one I ran, deleted, but I see it includes
C:\windows\system32\winlogon32.exe and wshudh32.dll. I haven't checked
but I think these could be responsible for failure of Windows to
start.  At Panda time, I hoped they wouldn't matter that much, and I
deleted them, even if Panda might have -- I don't remember -- offered
to disinfect them.  Which should I have done?

Even though MS makes little or no effort to say how to do this, I got
it done but afterwards there were still problems.

Still some problems so I reinstalled Windows again.  I had a good
reason at the time, possibly incorrect but good, but I forget what it
was.

So I ran CCleaner, and let it delete almost everything it wanted to.
She goes mostly to 3 or 4 websites and any history that is lost she
can recreate.   Fewer errors now and the remaining errors seemed to
have to do with Norton Anti-Virus.

Running Windows, every time I clicked on a file in my Windows Explorer
equivalent, Norton AV kept trying to install itself, but several steps
in, it couldn't find Symantec Antivirus.msi.  None of the AV scanners
tried to delete that, but it wasn't there.  I installed AVG because it
had to have something until NAV was fixed.   Eventually I talked to my
friend and she had no special affection for NAV, so I uninstalled as
much as I could. I hear there is one file or registry entry that won't
uninstall, but maybe it won't bother her.

I ran TDSSKiller from within windows to fix the MBR problem.  I ran it
3 times, rebooting after each time, and each time it said the problem
was still there. The next day it didn't say that. ?

IE6 didn't work, it started and then after 10 seconds told me it had
to close again. I installed Firefox from a copy I keep on my
flashdrive.  

Firefox opened and stayed open but didn't work because I couldn't
connect to the internet.  The icon in the systray recognized my
wireless network, called it by name, and I plugged in a cable to the
router, but neither method together or alone would connect.  I tried
"Wireless Network Wizard" but it looked like it would do more than I
wanted, so I stopped before it did anything.

Also Start/Run would work with some commands, but not MSINFO32.

Task Manager, Ctrl-Alt-Delete, also didn't work, so I dl'd and
installed SuperAntiSpyware, which includes a set of repair tools, one
of which is to repair Task Manager after malware ruins it.  It took 5
seconds and TM worked again.

I ran the other repair tools, unless they were clearly meant for
things that I knew worked, or they were for "policy" matters. Maybe I
should have run the policy ones too.   I saw no change from these
other tools.

I rebooted more than once during this time.

I went to bed thinking IE, the internet, and msinfo32 didn't work.

The next day they all worked.

I installed AVG Free since I had to have something until Norton
worked. Later she told me she didn't care about Norton so I
uninstalled Symantec AV and also LiveUpdate, and deleted one more
Norton program I came across in the Start/Programs list.

I scanned the whole SSD with AVG and found no problems. Earlier I had
rescanned with the PANDA boot CD, which also updates its defs from the
net, and found no problems.

I went through the msconfig startup program box as HP set it up and
found 5 startups related to reading or translating east Asian
languages. She said she never does that so I unchecked them.  I found
two related to easily changing video settings, like if one uses a
full-size monitor sometimes.  She never does that so I unchecked them.

I found HP mobile broadband, which AIUI she would have to pay extra to
use, like 40 dollars a month??  Nonetheless it was already installed
and running, so I unchecked that.**  

She also has nothing that uses Bluetooth, so I unchecked that.

Startups I disabled, some already referred to above, include igfxtray,
igfxpers, IMEKRMIG, IMJPMIG, ImScInst, two copies of TINTSETP, and
Bluetooth.

I also disabled rundllxxxx in msconfig, when I suspected it was
malware.  Now I know it is, and in the XP group I learned where
disabled startup entries are kept (It's not run- like in 98) but I
haven't gone there to remove this.  Maybe I won't since the file
itself is gone.   Isn't this something CCleaner would find and remove
if I ran it again? OTOH, I don't think any of the virus scanners found
rundllxxxxx.

I also found a reference to smss32.exe somewhere, and deleted that. I
think Panda had already deleted the file.  This is not to be confused
with smss.exe, which is a valid windows file, though I read it is
often a virus too when found in the wrong directory.

I did, of course, leave a startup I've never seen that enables the
scrolling function of the touchpad.   I also left Key Commands, hkcmd,
and 2 sttray entries, and MCCITrappApp, VerizonServicePoint, and
AESTFltr, called Echostop, which came from the factory and seems to be
about improving sound quality.  Maybe there was reverb from the
speakers and microphone, and that's what they mean by echo?

Maybe a couple little things I have forgotten, but they would be
obvious to someone who made it this far.

Soon after I started running, Automatic Update supplied 32 updates, and
the following day 36 updates, including IE8.  I think maybe 3 updates
later.   Firefox supplied an update too, but only to v3.5.13 even
though days ago it had provided me with v3.6.10.   I wonder why that
is, and if it will upgrade again soon.

And now it works fi... Well, just as I'm patting myself on my back, I
get a bubble that says no AV and AVG says There are no active
components!  It's 1:44, and the computer was started 10 or 15
minutes ago.  What's going on?  The first thing I did is turn off the
wireless internet connection.    Now it's 1:47 and AVG says it is all
working correctly.  I've had this on my own computer for 5 or 10
seconds, but here, with a faster CPU, it took maybe 3 minutes to
activate.  Hmmm. It seems like it started to update virus definitions
soon after I turned it on, and when it was done but the computer not
restarted, it said AVG wasn't working.  I've never had that, but this
is version 11 Free, which I dl'd 2 days ago.  Even though I have
automatic updates, it hasn't tried or offered to update my version 10
Free to version 11 Free.   Maybe I should do it by hand.

Version 11 Free has an on-demand (and maybe schedulable) rootkit
scanner.  It also has PC Analyser which on demand and maybe live finds
Registry Errors, Junk Files, Fragmentation, and Broken Shortcuts.
However I don't think it will fix them unless you buy AVG Pro, haha,
but I can take each one out by hand if I want to. I did remove some.
This computer has a Solid State Drive and there is no point to
defragging it. With older SSDs it was unneeded harmful wear and tear
to defrag the drive.

Okay, despite this interruption, it is working fine now.


 **(There is also something called Verizon Wifi, which is iiuc free
for people with Verizon DSL but not the slowest Verizon DSL. However
it has no hotspots in 5 zipcodes in Baltimore, and only one hotspot in
21201, the heart of downtown, I think!   In NYC it does better.  A
webpage says it has 150 hotspots and they plan 1000 by year end.
Unfortunately, they don't say what year, and there is no date on the
webpage.  How typical!)

[...]

Yes, this appears to be true.  I ran Kaspersky again without checking
the settings and indeed, I think it stopped right after it examined the
MBR, which still had a problem.  I canceled that scan, changed the
setting, and ran it again.

[...]

Thanks again for all your help.

MM
