As someone who has been reading your threads with cquirke with great interest, the primary question in my mind is, "What website??" I know you said you have not visited it since Feb 16, but 5 months later it might be possible that it is still there.
I'm guessing that it's something of a, uh, personal nature, but I'm sure that there are at least a half-dozen people here who would promptly try to reproduce your symptoms with better tools to unshroud the mystery. If this mysterious chunk of code exists and is still out there, it would be good for the internet at large to capture and expose it.
that if I disclosed the name of the web site, then it is quite possible that they would sue me. They certainly want to pretend that each and every service which they offer is just innocent fun, but the site is on the MVPS HOSTS list for a reason.
According to an article that I read recently, perhaps in the New York Times, many web site owners and/or operators have begun suing their critics and detractors for libel, regardless of whether they actually have a case. They can be counter-sued for abuse of process when their suit is without merit, but the legal expenses to respond to such a suit with competent legal counsel are enormous for any individual. Who can afford justice nowadays?
Of course, I suppose that I could reinstall the old Hitachi HDD and re-image it from a disk & partition backup, then return to the web site, perhaps without using Sandboxie, just to acquire the malware. There is no doubt in my mind that it probably would be installed again, but it could be an improved version that I would never detect. There are many possibilities which I would prefer to consider very carefully before such an undertaking.
One problem is that Sunbelt Personal Firewall no longer exists, unless I can find it among the software which I stored on a CD-R/W that the drive will actually read. I've had difficulties and disappointments with doing that recently. So I need that or better software that would tell me when an executable has been modified since its most recent execution. There are utilities which can be used to create and to compare hashes of files, of course, just that they cannot alert me when such a change occurs.
More thinking to do. Probably a lot more learning, too.
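The poster above wants something that tells him when an executable has changed since it last ran, and notes that hashing utilities can compare files but not raise an alert. An added example, not code from anyone in this thread: a small hash baseline that records every executable once and reports, on the next check, which binaries were modified, added or removed. It is written against a constructed temporary directory, it assumes Windows-style executable suffixes and SHA-256 (neither stated on the page), and it treats the hash as authoritative because a file's timestamp can be reset after patching, so a changed hash with an unchanged mtime is flagged separately rather than trusted.

```python
"""Added example, not code from the thread: a hash baseline for executables
that flags files modified since the baseline was taken.

Assumptions (not stated on the page): Windows-style executable suffixes,
SHA-256 as the hash, and a constructed temporary directory as sample input.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumption: the binaries worth watching on a Windows box.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com"}


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and mtime (ns) for every executable under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline


def check_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline.

    The hash is authoritative: malware can reset a file's timestamp after
    patching it, so a changed hash with an unchanged mtime is reported
    separately as a likely timestomp instead of being ignored.
    """
    current = build_baseline(root)
    report = {"modified": [], "timestomped": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new["sha256"] != old["sha256"]:
            report["modified"].append(rel)
            if new["mtime_ns"] == old["mtime_ns"]:
                report["timestomped"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return report


def save_baseline(baseline: dict, path: Path) -> None:
    """Write the baseline out. Keep this copy somewhere the host cannot
    rewrite it (read-only media, another machine), or malware can edit it."""
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: take a baseline, then patch one binary and
    restore its original mtime, and drop a new executable."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notepad.exe").write_bytes(b"MZ original program")
        (root / "helper.dll").write_bytes(b"MZ helper library")
        (root / "readme.txt").write_bytes(b"not an executable")
        store = root / "baseline.json"
        save_baseline(build_baseline(root), store)

        target = root / "notepad.exe"
        st = target.stat()
        target.write_bytes(b"MZ trojaned program")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestomp
        (root / "dropper.exe").write_bytes(b"MZ newly dropped")

        return check_baseline(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it on a schedule (or from a boot CD against the mounted system drive) and it becomes the alert the post asks for. The baseline file is the weak point: if it lives on the same writable disk, anything that patches a binary can also rewrite the stored hash, which is why it should sit on media the running system cannot write to.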
Comodo with Defense+ installed and in full force has a HIPS that does a pretty good job warning about file manipulation; it also tries to sandbox untrusted files, but gives you the option to forgo sandboxing.
I've had pretty good luck with it over the years, but had to stop using it on my Media Center, because it is so leakproof it wasn't letting my "legal" DRM spies phone home. Comodo is working on the problem, but meanwhile I feel naked to the web without it.
I can't tell you how many times it has prevented attacks from formerly trusted sources, and I wouldn't doubt if it weren't a good factor as another piece of armor in the defense-in-depth, to fight Zeus variants.
a play with the AVG Rescue CD on a couple of different systems. By no means a definitive test, but it looks OK provided that you don't have an Intel Chip Set Video Card.
On 3 systems with Intel Video all relatively newish I've been unable to get any sort of usable display but with NVidia and ATI Video it works a treat. I did notice a few False Positives with EXE Install Programs but otherwise it cleaned up the systems and worked quite well.
Col
I will pass that info on to AVG. Do you think it's just lacking the correct drivers?
But I didn't get a Display at all not even the Menu System at the start of the Disc.
I just checked an MSI L720 which has Intel Video and it worked fine in all modes this week, so I would tend to think that it's related to the hardware in the other systems.
Yep been a bad week and at 0600 hours I'm still waiting to get some sleep which may happen next week sometime the way that things are going at the moment. I've thrown this Disc at a few more systems since the above post and didn't run into any problems. Which is good because I just couldn't handle them right now.
Col
I ran it on an infected netbook and it did not resolve the issue. So, I am still of the same mind as most TR members. Rebuilding is just the easiest way to go.
If you have the insight to immediately make an image of a pristine system, that's even better.
always just rebuild. Ends up being the same time or less, but I have clients who are either quite particular about their setups or they have lost or never had the CDs for some software they "must" have. Have developed a method of logging into Safe Mode and getting a "foot-hold" on the system by installing or using an installed version of Malwarebytes. If Malwarebytes refuses to update then I know I have to deal with the "Fake AV" and must deal with it. Usually I can stop it from preventing the Malwarebytes update by running most of the RKILL executables (all of which are on my USB). Once I get Malwarebytes updated and running it usually takes care of the trouble. Then I log in normally and install MS Essentials and clean up what remains. Have a program that's supposed to allow installation of Essentials and other such programs in Safe Mode but have yet to try it.
is how to deal with malware that embeds itself into self created disk sectors flagged for damage. What does a guy have to do to get low level formatting to write to previously flagged sectors?
Flash the drive controller?
this has happened? I've never heard of this, and if it does happen it certainly is not common. What shows its sectors flagged for damage? I'm assuming even sectors flagged for damage can be cleared/overwritten. But I'm interested to know what you have, what OS, what you've tried and how you came to the conclusions you've stated.
are reporting this. One of them said he had a bunch of MacBook users that caught something on Limewire, and after nuking the drive, the drive still had obvious malware files on it. They were looking at the drive with Linux LiveCDs. I ran into this discussion in an article about firmware-infected MacBooks. Some of them had been shipped with an infection in the keyboard controller, apparently. I don't remember if it was ZDNet or Tech Republic.
Same with Windows units: after nuking the drive the infection returns. Looking at the wiped drive later shows the malware files still on the drive. These folks were using Windows of all flavors, all of them had Limewire on the machine before the disaster, they all tried at least reformatting, and at most DBAN, to try to blow it away.
I've got to assume this is how the malware is accomplishing this. My clients won't bring them in for me to try something, they just throw the PC or hard drive away. I was hoping the factory original low level formatting would do the trick, as I think I cured at least one PC of this same problem. Only I didn't look at the drive with Knoppix like I usually would have, because I wasn't suspecting infection to cause the goofy drive tests I was getting.
I just assumed the newbie who installed the operating system on an amateur system build had incorrectly set the drive geometry. After I worked it over it was fine and it is still operating, but I never looked at the drive before conditioning it with the factory disk utility. That incident was another P2P disaster.
on this. I'm not surprised it's linked with Limewire, as I've had many run-ins with it being on the system and causing malware headaches. I warn my clients and try to discourage them from using it by explaining how they are basically causing their PC to "kiss" every other PC with Limewire out there and so can catch the "kissing" diseases.
Most are thankful for the heads-up and take action from there.
I'm a bit surprised that DBAN and the likes would not clean the surface. Has this been confirmed that this is actually the case? I don't like rumors in place of facts. Unless they are somehow using a CD run DBAN or floppy which is infected as well or there's an attached drive with infection or the BIOS is infected. Would sure like to get to the bottom of this before it happens to one of my clients.
Can we keep in touch? And if valid let's let Michael Kassner know as well.
Thanks,
Doug
I will try to do a better job capturing the opportunity to get an example of this, if I can catch my newer clients in the act.
The guys with the MacBooks sounded like they were pretty competent, and they were all ZDNet members in good standing. They were using LiveCDs to view the files, but I thought they said they were using the OSX installation utility to format the drives, but I can't tell you for sure the folks using DBAN are reliable informational sources.
The articles I've read on the subject claim this does happen, but I can't remember what tools they were using to clean the drives, just what they were looking at them with after each attempt.
I've added you as a contact, so you should be able to contact me directly through the TR site. I get emails from other members this way. Obviously I don't publish email addresses, because of data miners.
come to mind... 1. How would a virus/trojan prevent itself from being removed/overwritten by a drive wipe program, especially one run from a Live CD? 2. How could a virus/trojan "reinsert" itself into the new OS when the OS gets installed over a wiped drive?
I'm looking for reasonable answers here. In fact I'd like to see some links or posts and even be able to connect personally with those who are claiming this happens. Pardon my skepticism but I do deal with real world scenarios all the time and there's always a reasonable explanation for everything that happens.
It embeds itself in Sectors of the HDD reported as Dead. When you run a Utility Like Boot & Nuke or Kill Disc it ignores the Sectors Marked as Bad so the infection survives.
The only solution is to do a Low Level Format, which used to be possible in some old BIOS but isn't all that available nowadays.
I however may be wrong in my understanding of this I haven't personally experienced it.
Col
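The two posts above (the question about low-level formatting previously flagged sectors, and Col's explanation that a wiper skips sectors marked bad) describe a failure mode that can be tested on any given drive instead of argued about: after the wipe, read every host-addressable sector back and list the ones that still hold data. An added example, not code from anyone in this thread, that models a wiper skipping a constructed "bad" sector list and then runs that read-back check over an image file standing in for the device; the 512-byte sector size and the image-file stand-in are assumptions, not anything the page states. One caveat that applies regardless of what any poster believes: a sector the drive firmware has genuinely reallocated is no longer reachable by LBA from the host, so neither a wiper nor this scan can touch it; what the scan does catch is a sector the wiper skipped because it reported a write error, which is the case where the old contents remain readable.

```python
"""Added example, not code from the thread: verify that a wipe actually
reached every host-addressable sector by reading the device back and
listing any sector that still holds non-zero data.

Assumptions (not on the page): a plain image file stands in for the block
device and sectors are 512 bytes. The skip list is constructed to model a
wiper that leaves sectors it could not write; sectors the drive firmware
has really reallocated are remapped and not addressable by LBA at all.
"""
import os
import tempfile

SECTOR = 512


def wipe_skipping(path: str, skip: set) -> int:
    """Zero every sector except those in `skip`; models a wiper that leaves
    sectors it reports as unwritable untouched. Returns sectors written."""
    written = 0
    with open(path, "r+b") as f:
        size = os.fstat(f.fileno()).st_size
        for lba in range(size // SECTOR):
            if lba in skip:
                continue
            f.seek(lba * SECTOR)
            f.write(b"\x00" * SECTOR)
            written += 1
    return written


def nonzero_sectors(path: str) -> list:
    """Read the whole device sequentially and return LBAs that are not all
    zero. This is the post-wipe check: an empty list means every
    host-visible sector was overwritten."""
    found = []
    with open(path, "rb") as f:
        lba = 0
        while True:
            block = f.read(SECTOR)
            if not block:
                break
            if any(block):          # any non-zero byte in the sector
                found.append(lba)
            lba += 1
    return found


def demo() -> list:
    """Constructed 64-sector image with data in every sector, wiped while
    skipping LBAs 7 and 40 as if the wiper had reported them bad."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            for lba in range(64):
                payload = f"sector {lba:03d} payload".encode()
                f.write(payload.ljust(SECTOR, b"\xaa"))
        wipe_skipping(path, skip={7, 40})
        return nonzero_sectors(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("sectors still holding data after wipe:", demo())
```

On a real drive the same check is a sequential read of the device node from a live CD; any LBA that comes back non-zero was not wiped, and the drive's own error counters (SMART reallocated and pending sector counts) tell you whether sectors have been remapped out of the address space entirely. The modern equivalent of the old BIOS low-level format is the ATA security erase command (`hdparm --security-erase-enhanced` on Linux); in enhanced mode the ATA specification has the drive itself erase reallocated sectors as well, which no host-side overwrite can do.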
as I wasn't actually meaning to point to those in this example(although the Apple incident was).
I was talking about rootkits or other malcode that can do just that.
Since I've never been able to correct drive geometry problems without a factory utility, I assumed that may be the only software that takes direct control of the drive(controller), to correct any faults, including the already mentioned hidden, or fake hidden sectors.
I realize I'm working with a lot of assumptions, but I've done enough recovery operations with bad drives that I feel like I have some good instincts with this. My 30 years in the automation repair business, also gave me good instincts on what makes hardware/software tick.
But, that is all I have to go on - not scientific fact. TR has several articles on these type of attacks, I'm pretty sure Michael was in on one of them. I just do a search on the TR console when I have time to. Sorry I don't have the links. HAL is on the right track about what I'm talking about.
A Image of a Fresh Install is always better as a Fall Back Option.
I do it with all of the systems that I make but unfortunately I don't only work on the ones that I make.
Col
UBCD4WIN.com these guys assemble all the best freeware tools for you and they write the tool for you that helps you build the CD/DVD and even USB pen drive. You just need a valid Windows XP CD.
You forgot to mention that Norton will ONLY work if you have one of their antivirus or internet security installed, as it asks for the PIN number or Product Key number. Therefore NORTON gets a MINUS 10 from me.
Hello, I happen to find many of the rescue disks have errors or don't work at all. Dr. Web, tried many times on many different computers, and Kaspersky has never worked; I get the main green screen and then it just doesn't do anything. I have tried on all platforms of Windows and several different manufacturers of computers. So what's the deal? Have they stopped making them? Have they gone the way of Norton, which you have to have a code for? It's really annoying.
Also, on some of them when you do a download it asks you where to place the download. I have no idea. How do you find out where the proper place to put the download is? I would like to use these types of boot CDs more often. Right now I find Sardu to be very good, as it offers several downloadable antivirus boot CDs. Though when they don't work I go to the main website to get the download, and find it doesn't work there either. What's up with that? Any idea what I am doing wrong?