Win32/RAMNIT.A Anyone?

A friend of mine that does virus removal as part of his business swears
by MalwareBytes

http://www.malwarebytes.org/mbam.php

David Kaye

2010-07-27 05:27:55 UTC

Post by Roy
A friend of mine that does virus removal as part of his business swears
by MalwareBytes

I do this professionally as well. I asked *specifically* for comments from
people who have *experience* with this threat. I used MalwareBytes
Antimalware several times including the complete disk scan for 2 1/2 hours.
It did not detect anything.

Again, I'm interested in hearing only from people who have *experience* with
Win32.Ramnit.A

Thank you.

Buffalo

2010-07-28 03:09:55 UTC

Post by David Kaye

Post by Roy
A friend of mine that does virus removal as part of his business
swears by MalwareBytes

I do this professionally as well. I asked *specifically* for
comments from people who have *experience* with this threat. I used
MalwareBytes Antimalware several times including the complete disk
scan for 2 1/2 hours. It did not detect anything.
Again, I'm interested in hearing only from people who have
*experience* with Win32.Ramnit.A
Thank you.

Well, have you tried PC Butts' Remove-it software?

Whee Haw!!!
Buffalo

David H. Lipman

2010-07-27 10:07:52 UTC

From: "David Kaye" <***@yahoo.com>

| Sorry about the crosspost to ba.internet, but I know there are malware experts
| out there.

| Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
| time removing it. The only tool the detects it consistently is MS Security
| Essentials, and MSSE keeps counting it and "disinfecting" it.

| I'm not sure if it's a virus or a worm. MSSE says it's a virus, but I can't
| figure out what's launching it.

| I have eliminated one rootkit and subsequent scans show no more rootkits.
| This thing has dropped startup payloads into the StartUp folder, into the Run
| keys, into Prefetch, and it masquerades as everything from random 4-letter
| clusters to names like "Microsoft Suite", etc.

| It also captures the date when Windows was first installed, so I can't
| reliably search for the thing via date, either.

| Whenever MSSE detects a new round of infections (15, 78, all kinds of counts)
| the infections are in everything from drivers to executables in all kinds of
| directories.

| At the moment I'm running the computer in safe mode with no Internet and MSSE
| is not detecting any more Ramnit. I've scanned it 3 times. But as soon as I
| go back into regular mode and get an Internet connection back up it'll start
| infecting again.

| Oh, and I've reset the Winsock stack twice just in case there's a little
| wedgie in there. Still comes back.

| Any help would be most appreciated. You can reach me directly by email. The
| address is valid.

| Thanks.

What is the fully qualified name and path to the file deemed infected with RAMNIT.A and
did you capture a copy of this malware ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David Kaye

2010-07-27 10:37:03 UTC

Post by David H. Lipman
What is the fully qualified name and path to the file deemed infected with RAMNIT.A and
did you capture a copy of this malware ?

There are a bunch of folders named such things as FUEM and AVAX, with exes
under them with randomly generated 4 and 5 character letters. These are under
the user's temp folder. They do not occur when using the admin account.

Additionally, there is a folder under Program Files with the name Microsoft,
and the exe is called Desktoplayer.exe. This exe is launched via the same
registry entry that launches UserInit.

Reducing the string so that it launches only UserInit and removing the files
mentioned here under safe mode won't stop them from being re-created the next
time I boot into regular mode.

I removed MSSE and installed Avast instead because MSSE kept noting the
infections, dealt with them, and then more kept appearing seconds later.
Under Avast, a 2-hour scan revealed 4300 infected files. I couldn't move them
all to quarantine so I had to erase some. Unfortunately, this affected some
critical app files (not Windows OS files, though). So, Firefox crashes, IE
wants the Office install disk, Picassa hangs, etc.

Also, the Explorer search feature has the doggie but no text boxes for
searching, and menu items are missing.

Thus, it looks like the OS is hosed, so I'll have to reinstall. Only trouble
is that this customer has a boatload of Word docs, spreadsheets, jpgs, mp3s
and whatnot. I'm hoping that the docs and xls's aren't infected with malware
macros.

This problem was first talked about in January apparently at Trend, but I
don't see much else in reference to it until 3 days ago, and there are a bunch
of forums where people are getting this infection. So, it looks like we're
right at the cusp of a major outbreak.

It's annoying as hell. In over 8 years of doing malware repair this is in the
top 2 for awfulness.

I think the customer got the infection via maybe Limewire, a torrent or
the Bang Bros porn website (or maybe from a link to it) because the logs
indicate similar datestamps to the first date stamps on the malware.

Oh, and the first thing I did was manually roll back the registry using a CD
boot disk. There were about 3 dozen entries. I rolled it back about halfway
(about 15 restore points) earlier, which took it to July 13. So, the
infection must have been there prior to that. When I went back to manually
roll back further, I noticed that the malware had deleted every restore point
(snapshot) except the latest 3. I ran an undelete CD on it and couldn't find
where the other restore points went, so they were probably overwritten.

I'm going to bed.

Virus Guy

2010-07-27 12:06:23 UTC

Post by David Kaye
Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a
devil of a time removing it.

If at all physically possible, the standard proceedure for insuring that
any hard drive is free of malware (trojans, viruses, rootkits, spyware,
etc) is to remove the drive and connect it as a slave to a known/good
computer that has competent anti-malware software on it.

The suspect drive can then be scanned in a way that insures that any
malware on it is not operational and therefore not actively thwarting
the scanning and file-quarantine processes in any way.

David Kaye

2010-07-27 20:33:46 UTC

Post by Virus Guy
If at all physically possible, the standard proceedure for insuring that
any hard drive is free of malware (trojans, viruses, rootkits, spyware,
etc) is to remove the drive and connect it as a slave to a known/good
computer that has competent anti-malware software on it.

Already did that. Jeez, you guys are no help whatsoever. Thanks for nothing,
friends. The only responses I've gotten are about things I've already done.
As stated here earlier, I am a professional who has been doing this stuff for
8+ years. This is why I've asked specifically for someone who has experience
with THIS PARTICULAR infestation.

David H. Lipman

2010-07-27 20:43:07 UTC

| Already did that. Jeez, you guys are no help whatsoever. Thanks for nothing,
| friends. The only responses I've gotten are about things I've already done.
| As stated here earlier, I am a professional who has been doing this stuff for
| 8+ years. This is why I've asked specifically for someone who has experience
| with THIS PARTICULAR infestation.

Then Dave, state what you have done when you make an intial post!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David Kaye

2010-07-27 21:07:55 UTC

Post by David H. Lipman
Then Dave, state what you have done when you make an intial post!

I've already stated most of what I've done in two previous posts. I've been
posting in these newsgroups for some time, so people are well aware that I'm
not a newbie to this stuff.

I'm not looking for speculation, I'm looking for real experience with this
specific infection, since it's very different from anything I've encountered
before.

I'm surprised that nobody here has seen it before. Does this mean that I'm
the only one who sees these kinds of things? If so, does that mean that most
of the people on here have no real-world experience with malware? That's what
the situation appears to be so far.

Sure you, David, must have experienced Win32/Ramnit.A in the 6 months since it
launched. Or instead of being behind the curve on this infection, I'm
actually far ahead of the curve?

Steve Pope

2010-07-27 21:20:53 UTC

Post by David Kaye
I'm not looking for speculation, I'm looking for real experience with this
specific infection, since it's very different from anything I've encountered
before.
I'm surprised that nobody here has seen it before. Does this mean that I'm
the only one who sees these kinds of things? If so, does that mean that most
of the people on here have no real-world experience with malware? That's what
the situation appears to be so far.
Sure you, David, must have experienced Win32/Ramnit.A in the 6 months since it
launched.

It may be that MSE calls it "Ramnit.A", but other products have
different names for it which is why nobody has seen it.

Steve

~BD~

2010-07-27 22:01:14 UTC

Post by Steve Pope

It may be that MSE calls it "Ramnit.A", but other products have
different names for it which is why nobody has seen it.
Steve

You are right, Steve!

http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss

Steve Pope

2010-07-28 00:39:25 UTC

Post by ~BD~

Post by Steve Pope
It may be that MSE calls it "Ramnit.A", but other products have
different names for it which is why nobody has seen it.

You are right, Steve!
http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss

That could help the OP. Looks like the virus is a month or so old.
It may not be the same morph that Sophos can clean, but it's a start.

Steve

David H. Lipman

2010-07-27 23:02:39 UTC

Post by David H. Lipman
Then Dave, state what you have done when you make an intial post!

| I've already stated most of what I've done in two previous posts. I've been
| posting in these newsgroups for some time, so people are well aware that I'm
| not a newbie to this stuff.

| I'm not looking for speculation, I'm looking for real experience with this
| specific infection, since it's very different from anything I've encountered
| before.

| I'm surprised that nobody here has seen it before. Does this mean that I'm
| the only one who sees these kinds of things? If so, does that mean that most
| of the people on here have no real-world experience with malware? That's what
| the situation appears to be so far.

| Sure you, David, must have experienced Win32/Ramnit.A in the 6 months since it
| launched. Or instead of being behind the curve on this infection, I'm
| actually far ahead of the curve?

I have never heard of the "Ramnit" trojan. But, there are 100's of thousands out there
and it isn't a major family/player.

I was actually hoping you may have had a sample you could have uploaded to http://www.uploadmalware.com/

BTW: I re-read this thread. Nowhere did I see anything about the removal of the hard
disk and scanning it with a surrogate platform as suggested by Virus Guy. Whiles this can
have drawbacks, it does have the propensity of removing protected malware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Ant

2010-07-28 00:44:30 UTC

Post by David H. Lipman
I have never heard of the "Ramnit" trojan. But, there are 100's of
thousands out there and it isn't a major family/player.

Symantec wrote something about it in Jan this year. Apparently, it's a
worm that spreads through removable drives and infects executables (so
it's also a virus). Copies itself to the recycle bin and creates
autorun.inf files on all drives.

http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-2056-99

The Ramnit!html and Ramnit!inf designations were for html and inf
files infected by Ramnit.

What D. Kaye has is possibly a new variant.

Post by David H. Lipman
I was actually hoping you may have had a sample you could have
uploaded to http://www.uploadmalware.com/

Yes, if a sample was available I could probably discover exactly what
it did (given a little time). Anyway, since so many infected files
were reported in an earlier post it's just as well he's doing a wipe
and reinstall.

David H. Lipman

2010-07-28 01:07:23 UTC

Post by David H. Lipman
I have never heard of the "Ramnit" trojan. But, there are 100's of
thousands out there and it isn't a major family/player.

| Symantec wrote something about it in Jan this year. Apparently, it's a
| worm that spreads through removable drives and infects executables (so
| it's also a virus). Copies itself to the recycle bin and creates
| autorun.inf files on all drives.

| http://www.symantec.com/security_response/writeup.jsp?docid=2010-011922-2056-99

| The Ramnit!html and Ramnit!inf designations were for html and inf
| files infected by Ramnit.

| What D. Kaye has is possibly a new variant.

Post by David H. Lipman
I was actually hoping you may have had a sample you could have
uploaded to http://www.uploadmalware.com/

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

David Kaye

2010-07-28 01:33:38 UTC

Post by Ant
Symantec wrote something about it in Jan this year. Apparently, it's a
worm that spreads through removable drives and infects executables (so
it's also a virus). Copies itself to the recycle bin and creates
autorun.inf files on all drives.

That's what they said in January, but this didn't act that way. I tested with
a stick and it didn't even see it. It also appears to be looking for exe and
dll files and attaches itself to them. MSSE apparently was able to remove the
attachments, but Avast couldn't. Those were the only two anti-malware
programs that even saw this.

Post by Ant
Yes, if a sample was available I could probably discover exactly what
it did (given a little time). Anyway, since so many infected files
were reported in an earlier post it's just as well he's doing a wipe
and reinstall.

Unfortunately that's where I'm going to have to go, or at least reinstall the
OS.

David H. Lipman

2010-07-28 23:18:24 UTC

Post by David H. Lipman
I have never heard of the "Ramnit" trojan. But, there are 100's of
thousands out there and it isn't a major family/player.

Post by David H. Lipman
I was actually hoping you may have had a sample you could have
uploaded to http://www.uploadmalware.com/

| Yes, if a sample was available I could probably discover exactly what
| it did (given a little time). Anyway, since so many infected files
| were reported in an earlier post it's just as well he's doing a wipe
| and reinstall.

Maybe I have some now Ant.

http://www.virustotal.com/analisis/ded3dae323a909c4752fa135de72cdc00ce0da3d1a5fd715fe536105a4da8cac-1280356012

http://www.virustotal.com/analisis/08b348341fb2a24d0ddf765afe7fedb171cdd7ab9dcfa5aab5dc6bfa3b2ce797-1280350307

I'll PM 'ya.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Ant

2010-07-30 01:54:01 UTC

Post by David H. Lipman
Maybe I have some now Ant.
http://www.virustotal.com/analisis/ded3dae323a909c4752fa135de72cdc00ce0da3d1a5fd715fe536105a4da8cac-1280356012
http://www.virustotal.com/analisis/08b348341fb2a24d0ddf765afe7fedb171cdd7ab9dcfa5aab5dc6bfa3b2ce797-1280350307

Progress report:

Infected executables contain an extra section ".rmnet", which is about
48kb in size and contains the new entry point. When run, they drop a
45kb UPX'd exe in the current directory as [infected filename]Srv.exe,
run it and jump to the original entry point of the infected file which
can then run as normal.

The mutex "KyUffThOkYwRRtgPP" is used to ensure only one copy of the
infection is active at a time.

The dropped file creates a "Microsoft" subdirectory in the first
directory successfully written to, resolved from one of these
environment variables or API calls and in this order:

"%ProgramFiles%"
"%CommonProgramFiles%"
"%HOMEDRIVE%%HOMEPATH%"
"%APPDATA%"
GetSystemDirectoryA
GetWindowsDirectoryA

It then copies itself to that location as DesktopLayer.exe and runs
that. DesktopLayer then injects an embedded DLL somewhere using an odd
mechanism which I've yet to investigate.

The DLL creates multiple threads to keep modifying the Winlogon
registry key, contact the site fget-career.com, create autorun.inf
files, do something in the recycle bin and infect executables and html
documents. Other files likely to be created in directories of infected
files are dmlconf.dat and complete.dat.

I've yet to check the infection thread for the method of selecting
files for infection. Html files have VBScript appended to them with
the infector binary encoded as a hex string. When the document is
opened in a browser the binary is written to the user's temp directory
and run using WScript.Shell.

This is a variant of the one in the Symantec report and may or may not
be the same as D. Kaye's.

Ant

2010-07-30 02:01:50 UTC

Post by Ant
Html files have VBScript appended to them with
the infector binary encoded as a hex string. When the document is
opened in a browser the binary is written to the user's temp directory
and run using WScript.Shell.

The binary is saved as [user]\temp\svchost.exe

David H. Lipman

2010-07-30 02:10:03 UTC

| The binary is saved as [user]\temp\svchost.exe

Thank you Ant.

You 'da man! :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Ant

2010-07-31 15:50:15 UTC

Post by David H. Lipman
Thank you Ant.
You 'da man! :-)

As long as it's not a dot-net executable!

David Kaye

2010-07-30 23:56:57 UTC

Post by Ant
This is a variant of the one in the Symantec report and may or may not
be the same as D. Kaye's.

Thank you, Ant! This appears to be exactly the situation. There is the
Microsoft directory (in this case it's under Program Files) and the executable
is the same. The vbs was also there, which I found out about on a hunch when
I disabled the vb scripting engine and watched error messages come up left and
right.

What a nasty nasty infection.

FromTheRafters

2010-07-31 00:34:08 UTC

Post by David Kaye

Post by Ant
This is a variant of the one in the Symantec report and may or may not
be the same as D. Kaye's.

When the most up-to-date removal tools don't get the job done, you may
want to resort to this:

http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

In case you've already seen this, it is Mark Russinovich's Advanced
Malware Cleaning video.

Virus Guy

2010-07-31 00:48:20 UTC

Post by FromTheRafters
When the most up-to-date removal tools don't get the job done,
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

We are sorry, the page you requested cannot be found.

David H. Lipman

2010-07-31 00:48:50 UTC

Post by FromTheRafters
When the most up-to-date removal tools don't get the job done,
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

| We are sorry, the page you requested cannot be found.

ditto

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

FromTheRafters

2010-07-31 01:08:37 UTC

Post by FromTheRafters
When the most up-to-date removal tools don't get the job done,
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

| We are sorry, the page you requested cannot be found.
ditto

Wow, that's a real shame. :-(

I'll look around a little, it's a good tutorial/presentation on the uses
of administrative tools against malware stickiness.

FromTheRafters

2010-07-31 01:13:14 UTC

Post by FromTheRafters
When the most up-to-date removal tools don't get the job done,
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

| We are sorry, the page you requested cannot be found.
ditto

I didn't watch it yet, but this may be it.

http://www.securitytube.net/Advanced-Malware-Removal-on-Windows-video.aspx

FromTheRafters

2010-07-31 01:24:03 UTC

Post by FromTheRafters

Post by FromTheRafters
When the most up-to-date removal tools don't get the job done,
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

| We are sorry, the page you requested cannot be found.
ditto

I didn't watch it yet, but this may be it.
http://www.securitytube.net/Advanced-Malware-Removal-on-Windows-video.aspx

Nevermind. I give up...

Whoever

2010-07-31 01:35:41 UTC

Post by FromTheRafters

Post by FromTheRafters
When the most up-to-date removal tools don't get the job done,
http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

| We are sorry, the page you requested cannot be found.
ditto

I didn't watch it yet, but this may be it.
http://www.securitytube.net/Advanced-Malware-Removal-on-Windows-video.a
spx

Looks like it has been removed. Here is a page that lists a number of his
talks:

http://technet.microsoft.com/en-us/sysinternals/bb963887.aspx

Many of them are still available, though you need to use IE with
Silverlight installed in order to view them.

--
Don't bother trying to
contact me via email.

Ant

2010-07-31 15:54:18 UTC

Post by David Kaye
Thank you, Ant! This appears to be exactly the situation. There is the
Microsoft directory (in this case it's under Program Files) and the executable
is the same. The vbs was also there, which I found out about on a hunch when
I disabled the vb scripting engine and watched error messages come up left and
right.
What a nasty nasty infection.

Yes, nasty. It infects all candidate files on all drives with some
exceptions. However, it should be possible for a good AV to disinfect
files because it doesn't damage existing code.

More info on the infection mechanism...

It does NOT infect:-

1) Files in the windows directory and its subdirectories.

2) Any file or directory named "RMNetwork" (case sensitive).

3) Executables with a ".rmnet" section (this is the infection marker).

4) Executables which do not import the API functions "LoadLibraryA"
and "GetProcAddress". I don't know the reason for this but it means a
few will be left alone and all dot-net executables will be untouched.
Probably a larger percentage of DLLs will also be ok.

Otherwise it infects all files with the extension "exe", "dll", "html"
and "htm".

It creates hidden autorun.inf files on removeable drives only and
drops the infector (which autorun will launch) in a subdirectory of
RECYCLER. e.g, for a floppy drive:

A:\RECYCLER\S-0-1-44-0561634483-2060570468-336017572-1221##\ycIeXQMt.exe

The ## should probably be 2 random digits but in my test they were
invalid characters.

If the registy key HKEY_LOCAL_MACHINE\Software\WASAntidot is present
and has a value named "disable" it will skip the infection process and
pop up a messagebox: "Antidot is activate". However, it will still try
to call home and possibly download stuff.

A view of processes say, in Task Manager, on an infected system should
show an instance of your internet browser even if your browser is not
running. This is really the malicious code and injected DLL. The way
it achieves this is weird!

David Kaye

2010-07-28 01:30:29 UTC

Post by David H. Lipman
I have never heard of the "Ramnit" trojan. But, there are 100's of thousands out there
and it isn't a major family/player.

I wouldn't call it a trojan at this point because I don't know that it was
masquerading as anything else. It never showed a user interface. The
symptoms were hosed Internet connections, redirects, and excessive HD access.

It is either a virus or a worm. I can't figure out when it was originally
downloaded because some executables took on the date/time the OS was
originally installed, but I suspect it was concurrent with a Limewire or a
torrent connection of some kind, judging by the log files.

Virus Guy

2010-07-28 12:45:11 UTC

Post by David H. Lipman
BTW: I re-read this thread. Nowhere did I see anything about the
removal of the hard disk and scanning it with a surrogate platform
as suggested by Virus Guy. Whiles this can have drawbacks, it does
have the propensity of removing protected malware.

Perhaps one day, someone will write some Anti-malware software designed
to properly scan the registry and MBR and determine an auto-run list for
attached slaved drives.

jcdill

2010-07-27 15:53:48 UTC

Post by David Kaye
Sorry about the crosspost to ba.internet, but I know there are malware experts
out there.
Does anybody have EXPERIENCE with Win32/RAMNIT.A ?

No experience, but if I were in your shoes I'd start here:

<http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

jc

~BD~

2010-07-27 17:09:22 UTC

Post by jcdill

Post by David Kaye
Sorry about the crosspost to ba.internet, but I know there are malware
experts out there.
Does anybody have EXPERIENCE with Win32/RAMNIT.A ?

<http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
jc

I saw no answer to the 'Question' - but I did copy and paste the HJT log
into www.hijackthis.de - there were six questionable entries highlighted.

David Kaye

2010-07-27 20:27:38 UTC

Post by jcdill
<http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

Been there, done that. Thanks anyway. I'm reinstalling Windows and the
programs this afternoon. I hate to do that. Oh well.

David H. Lipman

2010-07-27 20:35:40 UTC

Post by David Kaye
Sorry about the crosspost to ba.internet, but I know there are malware experts
out there.
Does anybody have EXPERIENCE with Win32/RAMNIT.A ?

| No experience, but if I were in your shoes I'd start here:

| <http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>

The problem is that may not be the same based upon the !HTML suffix which infers HTML code
and possibly exploitation rather than the actual infection.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

FromTheRafters

2010-07-28 00:02:51 UTC

Post by jcdill

Post by David Kaye
Sorry about the crosspost to ba.internet, but I know there are malware experts
out there.
Does anybody have EXPERIENCE with Win32/RAMNIT.A ?

|
<http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_26343474.html>
The problem is that may not be the same based upon the !HTML suffix which infers HTML code
and possibly exploitation rather than the actual infection.

It's a shame he couldn't provide you with a sample. His description of
symptoms doesn't exactly match up with what this malware is/does. This
could be new malware worm dropping ramnit.a as it finds new systems.

David Kaye

2010-07-28 01:08:29 UTC

Post by FromTheRafters
It's a shame he couldn't provide you with a sample. His description of
symptoms doesn't exactly match up with what this malware is/does. This
could be new malware worm dropping ramnit.a as it finds new systems.

What kind of sample? A sample of the malware? I'm loathe to provide that; I
don't want to be responsible for infecting any computers. I've already given
some filenames and directories.

But regardless of what names I provide, there is still something being
launched that I'm unaware of that is rebuilding the files I see. As
previously stated, I've removed the HD, scanned it for rootkits and malware
and reinstalled it and the stuff comes back.

Well, folks, thanks anyway. I'm just going to reinstall Windows, something I
seldom have to do. It's got me beat and I can't spend any more time on this
issue. I'm backed up in work again.

David H. Lipman

2010-07-28 01:39:42 UTC

| What kind of sample? A sample of the malware? I'm loathe to provide that; I
| don't want to be responsible for infecting any computers. I've already given
| some filenames and directories.

| But regardless of what names I provide, there is still something being
| launched that I'm unaware of that is rebuilding the files I see. As
| previously stated, I've removed the HD, scanned it for rootkits and malware
| and reinstalled it and the stuff comes back.

| Well, folks, thanks anyway. I'm just going to reinstall Windows, something I
| seldom have to do. It's got me beat and I can't spend any more time on this
| issue. I'm backed up in work again.

Providing a sample of malware to http://www.uploadmalware.com/ will *NOT* cause more
computers to be infected.
On the contrary, people who have access to the files are experienced at handling malware.
The culmination of all submissions get distributed to the listed anti malware companies.

Therefore, sample submission to UploadMalware leads to greater recognition of submitted
samples.

Vendor list:
http://www.uploadmalware.com/vendors.php

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

russg

2010-07-28 02:12:32 UTC

snip stuff about experienced posters only.

I come here to learn, and there are some experts here. The OP
considers himself an expert and only wants
talk to experts. I would say his final approach of wiping and re-
installing the OS (which he didn't mention),
but first trying to save .docs, mp3 and other important files, is the
only solution. I learned that RAMNIT.A
is a PE infector, infects other known files, like IE. Here's some
info at sophos.com:

http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=rss

The OP knows the name of the malware, so he must have submitted a
sample somewhere.

David H. Lipman

2010-07-28 02:21:35 UTC

From: "russg" <***@sbcglobal.net>

| snip stuff about experienced posters only.

| I come here to learn, and there are some experts here. The OP
| considers himself an expert and only wants
| talk to experts. I would say his final approach of wiping and re-
| installing the OS (which he didn't mention),
| but first trying to save .docs, mp3 and other important files, is the
| only solution. I learned that RAMNIT.A
| is a PE infector, infects other known files, like IE. Here's some
| info at sophos.com:

| http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=
| rss

| The OP knows the name of the malware, so he must have submitted a
| sample somewhere.

From Dave's first post...
"Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
time removing it. The only tool the detects it consistently is MS Security
Essentials, and MSSE keeps counting it and "disinfecting" it."

He didn't submit a sample somewhere, MSE scanned the system, detected it
(Win32/RAMNIT.A ), but MSE failed to full remove and clean the system of it. Dave also
indicated he tried Avast to no avail.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

RJK

2010-07-28 06:17:40 UTC

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:***@news2.newsguy.com...
From: "russg" <***@sbcglobal.net>

| snip stuff about experienced posters only.

| I come here to learn, and there are some experts here. The OP
| considers himself an expert and only wants
| talk to experts. I would say his final approach of wiping and re-
| installing the OS (which he didn't mention),
| but first trying to save .docs, mp3 and other important files, is the
| only solution. I learned that RAMNIT.A
| is a PE infector, infects other known files, like IE. Here's some
| info at sophos.com:

| http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=
| rss

| The OP knows the name of the malware, so he must have submitted a
| sample somewhere.

From Dave's first post...
"Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a devil of a
time removing it. The only tool the detects it consistently is MS Security
Essentials, and MSSE keeps counting it and "disinfecting" it."

He didn't submit a sample somewhere, MSE scanned the system, detected it
(Win32/RAMNIT.A ), but MSE failed to full remove and clean the system of it. Dave also
indicated he tried Avast to no avail.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Having cast my eye through this post, I think I would have given PrevX a go :-)
...and having read http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99
...I think (seeing as Sophos is armed against it), I'd try Sophos CLS from Bart PE cd :-)
regards, Richard

John Slade

2010-07-29 04:41:59 UTC

Post by David H. Lipman
| snip stuff about experienced posters only.
| I come here to learn, and there are some experts here. The OP
| considers himself an expert and only wants
| talk to experts. I would say his final approach of wiping and re-
| installing the OS (which he didn't mention),
| but first trying to save .docs, mp3 and other important files, is the
| only solution. I learned that RAMNIT.A
| is a PE infector, infects other known files, like IE. Here's some
|
http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=
| rss
| The OP knows the name of the malware, so he must have submitted a
| sample somewhere.
From Dave's first post...
"Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a
devil of a
time removing it. The only tool the detects it consistently is MS
Security
Essentials, and MSSE keeps counting it and "disinfecting" it."
He didn't submit a sample somewhere, MSE scanned the system, detected it
(Win32/RAMNIT.A ), but MSE failed to full remove and clean the
system of it. Dave also
indicated he tried Avast to no avail.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Having cast my eye through this post, I think I would have given PrevX a go :-)
...and having read
http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99
...I think (seeing as Sophos is armed against it), I'd try Sophos
CLS from Bart PE cd :-)
regards, Richard

It seems the information I found on this worm is that it
probably hides in the "system volume information" folder that is
"read only" and "hidden" by default. The worm just keeps getting
reinstalled and can't be cleaned unless the permissions are
changed for that folder. The information on this site links to
instructions for cleaning RAMNIT.A.

http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059

This links to information on how to disable "system
restore" in order to remove the infection. It may be possible to
use some offline scanner like BitDefender to remove the worm but
it's better done in Windows.

John

David H. Lipman

2010-07-29 10:24:17 UTC

| It seems the information I found on this worm is that it
| probably hides in the "system volume information" folder that is
| "read only" and "hidden" by default. The worm just keeps getting
| reinstalled and can't be cleaned unless the permissions are
| changed for that folder. The information on this site links to
| instructions for cleaning RAMNIT.A.

| http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059

| This links to information on how to disable "system
| restore" in order to remove the infection. It may be possible to
| use some offline scanner like BitDefender to remove the worm but
| it's better done in Windows.

Sorry, you are mis-interpreting the information.

Malware doesn't "hide" in the "system volume information" folder. That is where the
System Resore cache resides. What they are talking about is removing restore points such
that you won't re-infect the PC if you restore the PC from a restore point that had made
in an infected condition.

Howver, I have learned that ist is NOT a good idea to dump the System Restore cache while
cleaning a PC. It is better to have an infected, working, PC than to have a a PC that may
be unstable and you can't restore the PC to a stable but infected condition. Once the PC
is thouroughly cleaned and verified and is stable then you you can dump the System Restore
cache.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

John Slade

2010-07-29 18:07:28 UTC

Post by David H. Lipman
| snip stuff about experienced posters only.
| I come here to learn, and there are some experts here. The OP
| considers himself an expert and only wants
| talk to experts. I would say his final approach of wiping and re-
| installing the OS (which he didn't mention),
| but first trying to save .docs, mp3 and other important files, is the
| only solution. I learned that RAMNIT.A
| is a PE infector, infects other known files, like IE. Here's some
|
http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_from=
| rss
| The OP knows the name of the malware, so he must have submitted a
| sample somewhere.
From Dave's first post...
"Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a
devil of a
time removing it. The only tool the detects it consistently is MS
Security
Essentials, and MSSE keeps counting it and "disinfecting" it."
He didn't submit a sample somewhere, MSE scanned the system, detected it
(Win32/RAMNIT.A ), but MSE failed to full remove and clean the
system of it. Dave also
indicated he tried Avast to no avail.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Having cast my eye through this post, I think I would have given
PrevX a go :-)
...and having read
http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99
...I think (seeing as Sophos is armed against it), I'd try Sophos
CLS from Bart PE cd :-)
regards, Richard

| It seems the information I found on this worm is that it
| probably hides in the "system volume information" folder that is
| "read only" and "hidden" by default. The worm just keeps getting
| reinstalled and can't be cleaned unless the permissions are
| changed for that folder. The information on this site links to
| instructions for cleaning RAMNIT.A.
| http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
| This links to information on how to disable "system
| restore" in order to remove the infection. It may be possible to
| use some offline scanner like BitDefender to remove the worm but
| it's better done in Windows.
Sorry, you are mis-interpreting the information.
Malware doesn't "hide" in the "system volume information" folder. That is where the
System Resore cache resides. What they are talking about is removing restore points such
that you won't re-infect the PC if you restore the PC from a restore point that had made
in an infected condition.

Some malware specifically uses the "system volume
information" folder to reinfect the computer. It will infect
multiple restore points even those that were there before the
particular worm was introduced. I've had some experience with these.

Post by David H. Lipman
Howver, I have learned that ist is NOT a good idea to dump the System Restore cache while
cleaning a PC. It is better to have an infected, working, PC than to have a a PC that may
be unstable and you can't restore the PC to a stable but infected condition. Once the PC
is thouroughly cleaned and verified and is stable then you you can dump the System Restore
cache.

This is one reason us PROFESSIONALS do a complete drive
backup before we remove the infection in this way. That way if
something goes wrong, you can always go back to the beginning.

It's possible to allow writing to the folder in question.
I have cleaned a few computers in this way and I usually find
that the restore points are not worth saving. I've had
absolutely no systems lost due to cleaning out the system
restore points. Never lost one and never needed to use the
backup on these types of infections. I find it better to have a
professional do the malware removal than someone who risks
loosing everything because they're afraid to remove the restore
caches.

John

David H. Lipman

2010-07-29 20:40:47 UTC

Post by David H. Lipman
| snip stuff about experienced posters only.
| I come here to learn, and there are some experts here. The OP
| considers himself an expert and only wants
| talk to experts. I would say his final approach of wiping and re-
| installing the OS (which he didn't mention),
| but first trying to save .docs, mp3 and other important files, is the
| only solution. I learned that RAMNIT.A
| is a PE infector, infects other known files, like IE. Here's some
|
http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_
from=
| rss
| The OP knows the name of the malware, so he must have submitted a
| sample somewhere.
From Dave's first post...
"Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a
devil of a
time removing it. The only tool the detects it consistently is MS
Security
Essentials, and MSSE keeps counting it and "disinfecting" it."
He didn't submit a sample somewhere, MSE scanned the system, detected it
(Win32/RAMNIT.A ), but MSE failed to full remove and clean the
system of it. Dave also
indicated he tried Avast to no avail.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Having cast my eye through this post, I think I would have given
PrevX a go :-)
...and having read
http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99
...I think (seeing as Sophos is armed against it), I'd try Sophos
CLS from Bart PE cd :-)
regards, Richard

| It seems the information I found on this worm is that it
| probably hides in the "system volume information" folder that is
| "read only" and "hidden" by default. The worm just keeps getting
| reinstalled and can't be cleaned unless the permissions are
| changed for that folder. The information on this site links to
| instructions for cleaning RAMNIT.A.
| http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
| This links to information on how to disable "system
| restore" in order to remove the infection. It may be possible to
| use some offline scanner like BitDefender to remove the worm but
| it's better done in Windows.
Sorry, you are mis-interpreting the information.
Malware doesn't "hide" in the "system volume information" folder. That is where the
System Resore cache resides. What they are talking about is removing restore points such
that you won't re-infect the PC if you restore the PC from a restore point that had made
in an infected condition.

| Some malware specifically uses the "system volume
| information" folder to reinfect the computer. It will infect
| multiple restore points even those that were there before the
| particular worm was introduced. I've had some experience with these.

Post by David H. Lipman
Howver, I have learned that ist is NOT a good idea to dump the System Restore cache while
cleaning a PC. It is better to have an infected, working, PC than to have a a PC that
may
be unstable and you can't restore the PC to a stable but infected condition. Once the PC
is thouroughly cleaned and verified and is stable then you you can dump the System
Restore
cache.

| This is one reason us PROFESSIONALS do a complete drive
| backup before we remove the infection in this way. That way if
| something goes wrong, you can always go back to the beginning.

| It's possible to allow writing to the folder in question.
| I have cleaned a few computers in this way and I usually find
| that the restore points are not worth saving. I've had
| absolutely no systems lost due to cleaning out the system
| restore points. Never lost one and never needed to use the
| backup on these types of infections. I find it better to have a
| professional do the malware removal than someone who risks
| loosing everything because they're afraid to remove the restore
| caches.

| John

You said...
"Some malware specifically uses the "system volume information" folder to reinfect the
computer."

Since you also stated "...us PROFESSIONALS...".
What is that malware spaecifically. You should know it or it should be in your notes.
I'd like to know what it is you are referring to.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

John Slade

2010-07-30 00:28:24 UTC

Post by David H. Lipman
| snip stuff about experienced posters only.
| I come here to learn, and there are some experts here. The OP
| considers himself an expert and only wants
| talk to experts. I would say his final approach of wiping and re-
| installing the OS (which he didn't mention),
| but first trying to save .docs, mp3 and other important files, is the
| only solution. I learned that RAMNIT.A
| is a PE infector, infects other known files, like IE. Here's some
|
http://www.sophos.com/security/analyses/viruses-and-spyware/w32patchedi.html?_log_
from=
| rss
| The OP knows the name of the malware, so he must have submitted a
| sample somewhere.
From Dave's first post...
"Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm having a
devil of a
time removing it. The only tool the detects it consistently is MS
Security
Essentials, and MSSE keeps counting it and "disinfecting" it."
He didn't submit a sample somewhere, MSE scanned the system,
detected it
(Win32/RAMNIT.A ), but MSE failed to full remove and clean the
system of it. Dave also
indicated he tried Avast to no avail.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Having cast my eye through this post, I think I would have given
PrevX a go :-)
...and having read
http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99
...I think (seeing as Sophos is armed against it), I'd try Sophos
CLS from Bart PE cd :-)
regards, Richard

| It seems the information I found on this worm is that it
| probably hides in the "system volume information" folder that is
| "read only" and "hidden" by default. The worm just keeps getting
| reinstalled and can't be cleaned unless the permissions are
| changed for that folder. The information on this site links to
| instructions for cleaning RAMNIT.A.
| http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
| This links to information on how to disable "system
| restore" in order to remove the infection. It may be possible to
| use some offline scanner like BitDefender to remove the worm but
| it's better done in Windows.
Sorry, you are mis-interpreting the information.
Malware doesn't "hide" in the "system volume information" folder. That is where the
System Resore cache resides. What they are talking about is removing restore points
such
that you won't re-infect the PC if you restore the PC from a restore point that had
made
in an infected condition.

Post by David H. Lipman
Howver, I have learned that ist is NOT a good idea to dump the System Restore cache
while
cleaning a PC. It is better to have an infected, working, PC than to have a a PC that
may
be unstable and you can't restore the PC to a stable but infected condition. Once the
PC
is thouroughly cleaned and verified and is stable then you you can dump the System
Restore
cache.

| This is one reason us PROFESSIONALS do a complete drive
| backup before we remove the infection in this way. That way if
| something goes wrong, you can always go back to the beginning.
| It's possible to allow writing to the folder in question.
| I have cleaned a few computers in this way and I usually find
| that the restore points are not worth saving. I've had
| absolutely no systems lost due to cleaning out the system
| restore points. Never lost one and never needed to use the
| backup on these types of infections. I find it better to have a
| professional do the malware removal than someone who risks
| loosing everything because they're afraid to remove the restore
| caches.
| John
You said...
"Some malware specifically uses the "system volume information" folder to reinfect the
computer."

Yes that's exactly what I said. One think I've noticed
from 25 years of seeing malware is that the writers of malware
will use anything and everything to infect a system. They will
make it hard as possible to remove them too.

Post by David H. Lipman
Since you also stated "...us PROFESSIONALS...".

The professional thing to do is make a backup so you can
do what needs to be done to repair the system. I don't usually
hear other professionals say afraid to do something as simple as
removing restore points to repair a system.

Post by David H. Lipman
What is that malware spaecifically. You should know it or it should be in your notes.

I don't remember the exact name of the worms and trojans
as it was over a year ago when I removed the last one. There are
so many variants of existing malware and new malware out there.
As for my notes, I don't need notes on specific malware I just
do what it takes to remove whatever it is. My notes deal mostly
with behavior of the malware and what it takes to remove it.
However I still have the scanner logs I did then and I'll look
through them. You should also know that scanners can find
malware and not give it a name because it detects signatures and
behavior. The particular malware may not be in the database as yet.

You should know there is malware out there that will
trash the registry and it's backup. It will require some sort of
reinstall to get the system back working. I found it very rare
that I need to do a full reformat and reinstall because of
malware. Some malware will also corrupt system files and when
you remove them with scanners, it will make the installation
unbootable. This is yet another reason professionals will make a
backup if possible before removing infections.

I know there are a lot of fly-by-night computer repair
people who are just there to do a quick fix and get paid, I find
myself cleaning up after a lot of them.

John

Dustin

2010-07-31 23:21:35 UTC

Post by David H. Lipman
et>>
| snip stuff about experienced posters only.
| I come here to learn, and there are some experts here.
| The OP considers himself an expert and only wants
| talk to experts. I would say his final approach of
| wiping and re- installing the OS (which he didn't
| mention), but first trying to save .docs, mp3 and other
| important files, is the only solution. I learned that
| RAMNIT.A is a PE infector, infects other known files,
|
http://www.sophos.com/security/analyses/viruses-and-spyware/w32p
atchedi.html?_log_ from=
| rss
| The OP knows the name of the malware, so he must have
| submitted a sample somewhere.
From Dave's first post...
"Does anybody have EXPERIENCE with Win32/RAMNIT.A ? I'm
having a devil of a
time removing it. The only tool the detects it
consistently is MS Security
Essentials, and MSSE keeps counting it and "disinfecting" it."
He didn't submit a sample somewhere, MSE scanned the
system, detected it
(Win32/RAMNIT.A ), but MSE failed to full remove and
clean the system of it. Dave also
indicated he tried Avast to no avail.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Having cast my eye through this post, I think I would
have given PrevX a go :-)
...and having read
http://www.symantec.com/security_response/writeup.jsp?doci
d=2008-011517-3725-99
...I think (seeing as Sophos is armed against it), I'd
try Sophos CLS from Bart PE cd :-)
regards, Richard

| It seems the information I found on this worm is that it
| probably hides in the "system volume information" folder that
| is "read only" and "hidden" by default. The worm just keeps
| getting reinstalled and can't be cleaned unless the permissions
| are changed for that folder. The information on this site links
| to instructions for cleaning RAMNIT.A.
| http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=81059
| This links to information on how to disable "system
| restore" in order to remove the infection. It may be possible
| to use some offline scanner like BitDefender to remove the worm
| but it's better done in Windows.
Sorry, you are mis-interpreting the information.
Malware doesn't "hide" in the "system volume information" folder.
That is where the System Resore cache resides. What they are
talking about is removing restore points such
that you won't re-infect the PC if you restore the PC from a
restore point that had made
in an infected condition.

Post by David H. Lipman
Howver, I have learned that ist is NOT a good idea to dump the
System Restore cache while
cleaning a PC. It is better to have an infected, working, PC
than to have a a PC that may
be unstable and you can't restore the PC to a stable but infected
condition. Once the PC
is thouroughly cleaned and verified and is stable then you you
can dump the System Restore
cache.

| This is one reason us PROFESSIONALS do a complete drive
| backup before we remove the infection in this way. That way if
| something goes wrong, you can always go back to the beginning.
| It's possible to allow writing to the folder in question.
| I have cleaned a few computers in this way and I usually find
| that the restore points are not worth saving. I've had
| absolutely no systems lost due to cleaning out the system
| restore points. Never lost one and never needed to use the
| backup on these types of infections. I find it better to have a
| professional do the malware removal than someone who risks
| loosing everything because they're afraid to remove the restore
| caches.
| John
You said...
"Some malware specifically uses the "system volume information"
folder to reinfect the computer."

Post by David H. Lipman
Since you also stated "...us PROFESSIONALS...".

Post by David H. Lipman
What is that malware spaecifically. You should know it or it
should be in your notes.

Wow. I had no idea.. /sarcasm.

Post by John Slade
You should know there is malware out there that will
trash the registry and it's backup. It will require some sort of
reinstall to get the system back working. I found it very rare
that I need to do a full reformat and reinstall because of
malware. Some malware will also corrupt system files and when
you remove them with scanners, it will make the installation
unbootable. This is yet another reason professionals will make a
backup if possible before removing infections.

What software do you use for the backup? Are you storing the backup on
read only media or a hard drive that could fail for any reason?

Post by John Slade
I know there are a lot of fly-by-night computer repair
people who are just there to do a quick fix and get paid, I find
myself cleaning up after a lot of them.

I've encountered a few of those in my time as well.... I enjoy the work
they provide me tho. Tell me something, John, as a PROFESSIONAL, have
you written any of the tools you use for cleanup; or do you use the
work others have written, such as myself, David lipman and many others?

--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.

John Slade

2010-08-01 04:09:01 UTC

What software do you use for the backup?

I will either use Acronis' or Paragon's backup software
depending on the situation.

Post by Dustin
Are you storing the backup on
read only media or a hard drive that could fail for any reason?

You mean WORM(Write Once/Read Many) media don't you? That
media can fail also. No media is perfect. I store the backup on
business or enterprise grade HDs and will transfer to other
media if the customer wants that backup. If it's a large backup
they will have to pay me for it. Tell me what software and
hardware would you use to backup your customer's HD before you
start removing malware?

Post by John Slade
I know there are a lot of fly-by-night computer repair
people who are just there to do a quick fix and get paid, I find
myself cleaning up after a lot of them.

I've encountered a few of those in my time as well.... I enjoy the work
they provide me tho.

Me too. I especially get a kick out of the ones who don't
do backups and leave various screws out.

Post by Dustin
Tell me something, John, as a PROFESSIONAL, have
you written any of the tools you use for cleanup; or do you use the
work others have written, such as myself, David lipman and many others?

For the record, I'm not trying to get into some pissing
contest. I was just making a suggestion as to how to fix the
problem laid out in the OP.

I use software others have written. I'm not a software
engineer. I'm a professional computer repair person. I find that
competence in one profession such as software engineering
doesn't translate into something else like tech support. I've
been repairing computers for close to 25 years and have learned
a lot. One thing I've learned is a backup saves a lot of trouble
and allows for different approaches to be tried.

So tell me what products have you and David Lipman
written and where can I check them out?

John

Dustin

2010-08-01 15:24:30 UTC

What software do you use for the backup?

I will either use Acronis' or Paragon's backup software
depending on the situation.

Post by Dustin
Are you storing the backup on
read only media or a hard drive that could fail for any reason?

I haven't heard the acronym WORM in years... Damn, you have been around
a long time. :) I was thinking of cd-r or perhaps dvd-r material.

It depends. When I was working at a computer shop; I'd either use
norton ghost corp edition or the hardware drive cloning device we had
at the time. I really didn't see much point in cloning a malware drive
for malware removal; I wasn't stupid enough to trash my backups of the
registry or important files. besides, I wrote several utilities to
assist me in verifying various windows dll/exe files were still intact
and okay for reuse.

We would typically reserve cloning drives for hardware failure signs.
Although, a customer could have us clone a drive for a malware issue if
they so desired. By default, we always copied docs, favorites, emails
etc before doing anything... But, you know, different places have
different policies.

Why do you spend the additional time to clone an entire drive for a
malware removal job?

Post by John Slade
I know there are a lot of fly-by-night computer repair
people who are just there to do a quick fix and get paid, I find
myself cleaning up after a lot of them.

I've encountered a few of those in my time as well.... I enjoy the
work they provide me tho.

Me too. I especially get a kick out of the ones who don't
do backups and leave various screws out.

Or, use the wrong screws and strip one of the drives :)

For the record, I'm not trying to get into some pissing
contest. I was just making a suggestion as to how to fix the
problem laid out in the OP.

I understand. It just seemed as if you were being a wiseass towards
David, from my POV. I didn't personally see any need in doing that. We
can all be professional and civil here.

Post by John Slade
I use software others have written. I'm not a software
engineer. I'm a professional computer repair person. I find that
competence in one profession such as software engineering
doesn't translate into something else like tech support. I've
been repairing computers for close to 25 years and have learned
a lot. One thing I've learned is a backup saves a lot of trouble
and allows for different approaches to be tried.

Well, a backup is a good way of having an escape route should something
go wrong. :) From a software aspect tho, I haven't really encountered
much malware that would justify the time I spent on imaging the drive
first. I wasn't in charge of billing tho, so that may have played a
part in that.

Post by John Slade
So tell me what products have you and David Lipman
written and where can I check them out?

I've written all kinds of old utility style apps, as you've been around
so long you might know a few of them.. Cmoscon, encode, delock, and
various others. If your into crypto/security, you might even know the
old dos file/freespace wiping app called NuKE and/or possibly CryptX.

In more recent times, I developed an antimalware scanner (that's why I
found your description on how they worked amusing. hehehe) called
BugHunter. I did a stint as a malware researcher for an app called
Malwarebytes antimalware..

Like yourself, I've been repairing pcs professionally for over 15 years
now; you have ten years on me, but I have programming skills on you.
*g*.

--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.

John Slade

2010-08-01 19:17:58 UTC

What software do you use for the backup?

I will either use Acronis' or Paragon's backup software
depending on the situation.

Post by Dustin
Are you storing the backup on
read only media or a hard drive that could fail for any reason?

I haven't heard the acronym WORM in years... Damn, you have been around
a long time. :) I was thinking of cd-r or perhaps dvd-r material.

It would be OK for DVD-R if the backup is small. But
swapping 20 or more DVDs is a pain.

Post by Dustin
It depends. When I was working at a computer shop; I'd either use
norton ghost corp edition or the hardware drive cloning device we had
at the time.

I rarely use Ghost these days, it used to be the only
thing I ever used.

Post by Dustin
I really didn't see much point in cloning a malware drive
for malware removal; I wasn't stupid enough to trash my backups of the
registry or important files. besides, I wrote several utilities to
assist me in verifying various windows dll/exe files were still intact
and okay for reuse.

Yea that's good for you, but when you're working for
someone else and they have important data they want to save, I
will backup. Most of the time the customer doesn't have a
backup. A lot of times the customer has a HD that's five or six
years old and they really need a backup done. Then there are the
times when I'm working for a young person and they don't want a
backup they just want the drive wiped and they want the OS
installed.

Post by Dustin
We would typically reserve cloning drives for hardware failure signs.
Although, a customer could have us clone a drive for a malware issue if
they so desired. By default, we always copied docs, favorites, emails
etc before doing anything... But, you know, different places have
different policies.

I work mostly with home users and small businesses and a
lot of times they have personal stuff they want to save. So I'll
do a quick backup of that data and then I'll do the full backup.
Sometimes they just want a reinstall. There are times when they
tell me not to backup because the data isn't important. In
David's response he seems worried about saving data so I
wondered why he wouldn't backup.

Post by Dustin
Why do you spend the additional time to clone an entire drive for a
malware removal job?

It doesn't take that long most of the time and it's a lot
safer for the user's data. In most cases it actually takes
longer to install, upgrade and reinstall software for the
customer. Most of the time I backup less than 150GB.

Post by John Slade
I know there are a lot of fly-by-night computer repair
people who are just there to do a quick fix and get paid, I find
myself cleaning up after a lot of them.

I've encountered a few of those in my time as well.... I enjoy the
work they provide me tho.

Me too. I especially get a kick out of the ones who don't
do backups and leave various screws out.

Or, use the wrong screws and strip one of the drives :)

For the record, I'm not trying to get into some pissing
contest. I was just making a suggestion as to how to fix the
problem laid out in the OP.

I understand. It just seemed as if you were being a wiseass towards
David, from my POV. I didn't personally see any need in doing that. We
can all be professional and civil here.

David was being a wiseass himself and I can understand why
he didn't respond. He seemed worried about losing data by simply
removing the system restore points so I naturally wondered why,
a backup can solve this problem. I guess he realized it was a
good idea so then he got snippy.

I don't work for any company I work freelance. Like I said
most backups are small and usually take from 20 minutes to a
couple of hours. I don't charge by the hour I charge by the job.

Post by John Slade
So tell me what products have you and David Lipman
written and where can I check them out?

I've heard of some of those.

Post by Dustin
In more recent times, I developed an antimalware scanner (that's why I
found your description on how they worked amusing. hehehe) called
BugHunter. I did a stint as a malware researcher for an app called
Malwarebytes antimalware..

I don't know why you would find it funny because a
virus writer will use anything to hide a virus. What smarter way
is to hide them in each and every folder in "system volume
information"? I do believe that what the system had was a
variant of the Virtumonde trojan. If you did research on malware
then you know virus writers will take existing malware and
modify it. I found one thing to be true in the world of malware,
NOBODY knows everything about every malware variant out there.
You can believe me or not, it doesn't matter.

John

~BD~

2010-08-01 21:46:21 UTC

What software do you use for the backup?

I will either use Acronis' or Paragon's backup software
depending on the situation.

Post by Dustin
Are you storing the backup on
read only media or a hard drive that could fail for any reason?

I haven't heard the acronym WORM in years... Damn, you have been around
a long time. :) I was thinking of cd-r or perhaps dvd-r material.

It would be OK for DVD-R if the backup is small. But swapping 20 or more
DVDs is a pain.

Post by Dustin
It depends. When I was working at a computer shop; I'd either use
norton ghost corp edition or the hardware drive cloning device we had
at the time.

I rarely use Ghost these days, it used to be the only thing I ever used.

Yea that's good for you, but when you're working for someone else and
they have important data they want to save, I will backup. Most of the
time the customer doesn't have a backup. A lot of times the customer has
a HD that's five or six years old and they really need a backup done.
Then there are the times when I'm working for a young person and they
don't want a backup they just want the drive wiped and they want the OS
installed.

I work mostly with home users and small businesses and a lot of times
they have personal stuff they want to save. So I'll do a quick backup of
that data and then I'll do the full backup. Sometimes they just want a
reinstall. There are times when they tell me not to backup because the
data isn't important. In David's response he seems worried about saving
data so I wondered why he wouldn't backup.

Post by Dustin
Why do you spend the additional time to clone an entire drive for a
malware removal job?

It doesn't take that long most of the time and it's a lot safer for the
user's data. In most cases it actually takes longer to install, upgrade
and reinstall software for the customer. Most of the time I backup less
than 150GB.

Post by John Slade
I know there are a lot of fly-by-night computer repair
people who are just there to do a quick fix and get paid, I find
myself cleaning up after a lot of them.

I've encountered a few of those in my time as well.... I enjoy the
work they provide me tho.

Me too. I especially get a kick out of the ones who don't
do backups and leave various screws out.

Or, use the wrong screws and strip one of the drives :)

For the record, I'm not trying to get into some pissing
contest. I was just making a suggestion as to how to fix the
problem laid out in the OP.

I understand. It just seemed as if you were being a wiseass towards
David, from my POV. I didn't personally see any need in doing that. We
can all be professional and civil here.

David was being a wiseass himself and I can understand why he didn't
respond. He seemed worried about losing data by simply removing the
system restore points so I naturally wondered why, a backup can solve
this problem. I guess he realized it was a good idea so then he got snippy.

I don't work for any company I work freelance. Like I said most backups
are small and usually take from 20 minutes to a couple of hours. I don't
charge by the hour I charge by the job.

Post by John Slade
So tell me what products have you and David Lipman
written and where can I check them out?

I've heard of some of those.

I don't know why you would find it funny because a virus writer will use
anything to hide a virus. What smarter way is to hide them in each and
every folder in "system volume information"? I do believe that what the
system had was a variant of the Virtumonde trojan. If you did research
on malware then you know virus writers will take existing malware and
modify it. I found one thing to be true in the world of malware, NOBODY
knows everything about every malware variant out there. You can believe
me or not, it doesn't matter.
John

You do appreciate that Dustin Cook was once a virus writer himself,
don't you, John?

There is school of thought that suggests that once a computer has been
compromised, one can never be *certain* that it is clean - and that it
is always best to re-install the operating system ...... on a formatted
hard disk, wiping out all partitions first.

I'm just a user - but that's how I think too! ;-)

--
Dave - I've enjoyed reviewing John's posts!

~BD~

2010-08-01 21:51:05 UTC

~BD~ forgot to add the link showing support for his view!

http://technet.microsoft.com/en-us/library/cc512587.aspx

Buffalo

2010-08-01 22:21:14 UTC

Post by ~BD~
~BD~ forgot to add the link showing support for his view!
http://technet.microsoft.com/en-us/library/cc512587.aspx

Finally, you clipped all the crap!!! Yippee!!!
Buffalo

John Slade

2010-08-02 00:47:05 UTC

Post by Buffalo

Post by ~BD~
~BD~ forgot to add the link showing support for his view!
http://technet.microsoft.com/en-us/library/cc512587.aspx

Finally, you clipped all the crap!!! Yippee!!!
Buffalo

I was thinking the same exact thing.

John

FromTheRafters

2010-08-02 00:38:43 UTC

Post by ~BD~
~BD~ forgot to add the link showing support for his view!
http://technet.microsoft.com/en-us/library/cc512587.aspx

He added a qualifier here:

"If you have a system that has been completely compromised, the only thing
you can do is to flatten the system (reformat the system disk) and rebuild
it from scratch (reinstall Windows and your applications)."

I can agree with that. The thing is, what do you consider to be a compromise
and what do you consider to be a complete compromise?

If I discover a downloader downloaded some adware, I might just remove the
adware. If it downloaded some various and sundry other malware then the
"unknown" factor becomes prevalent - and flatten and rebuild becomes the
best route. A known trojan application for fake-AV scareware probably
doesn't require such drastic measures. If I figure the ingress vector was a,
since patched, vulnerability exploit worm, I wouldn't just automatically
assume that hackers have also used that exploits zero-day window to increase
the "unknown" factor - I would just address the worm.

Not that he's wrong, a healthy paranoia is a good security asset. The value
of the protected resource figures in heavily as well.

ASCII

2010-08-01 21:58:31 UTC

Post by ~BD~
You do appreciate that Dustin Cook was once a virus writer himself,
don't you, John?

Your use of the word "was" suggests that he indeed did once fall into that
category, and further that he no longer does.
Is that assumption based upon acceptance of his statements offered in a forum
in which he himself has admitted to lying?

Dustin

2010-08-01 22:11:34 UTC

Post by ASCII

Post by ~BD~
You do appreciate that Dustin Cook was once a virus writer himself,
don't you, John?

Your use of the word "was" suggests that he indeed did once fall
into that category, and further that he no longer does.

Can you prove otherwise?

Post by ASCII
Is that assumption based upon acceptance of his statements offered
in a forum in which he himself has admitted to lying?

You don't have to accept my statements, just find one virus after the
year 2000 that you can link to me and you win. Or, option B, accept the
fact you won't be able to do that because I haven't written anything
virus related since Irok. Your choice. Either way, I still win.

--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.

ASCII

2010-08-02 03:03:07 UTC

Post by ASCII

Post by ~BD~
You do appreciate that Dustin Cook was once a virus writer himself,
don't you, John?

Your use of the word "was" suggests that he indeed did once fall
into that category, and further that he no longer does.

Can you prove otherwise?

I was commenting on Dave's statement and
any substantiating evidence for its veracity.
He made the statement
based on some other statement made by you
which may or may not be valid.

Post by ASCII
Is that assumption based upon acceptance of his statements offered
in a forum in which he himself has admitted to lying?

Dave is the one that ostensibly accepted your claims,
I only offered a point of reconsideration.
I'm not looking for any virii regardless of provenance.

Dustin

2010-08-01 22:05:44 UTC

Post by John Slade
You should know there is malware out there that will
trash the registry and it's backup. It will require some sort
of reinstall to get the system back working. I found it very
rare that I need to do a full reformat and reinstall because of
malware. Some malware will also corrupt system files and when
you remove them with scanners, it will make the installation
unbootable. This is yet another reason professionals will make
a backup if possible before removing infections.

What software do you use for the backup?

I will either use Acronis' or Paragon's backup software
depending on the situation.

Post by Dustin
Are you storing the backup on
read only media or a hard drive that could fail for any reason?

I haven't heard the acronym WORM in years... Damn, you have been
around a long time. :) I was thinking of cd-r or perhaps dvd-r
material.

It would be OK for DVD-R if the backup is small. But swapping 20 or
more DVDs is a pain.

Post by Dustin
It depends. When I was working at a computer shop; I'd either use
norton ghost corp edition or the hardware drive cloning device we
had at the time.

I rarely use Ghost these days, it used to be the only thing I ever used.

Post by Dustin
I really didn't see much point in cloning a malware drive
for malware removal; I wasn't stupid enough to trash my backups of
the registry or important files. besides, I wrote several
utilities to assist me in verifying various windows dll/exe files
were still intact and okay for reuse.

Yea that's good for you, but when you're working for someone else
and they have important data they want to save, I will backup. Most
of the time the customer doesn't have a backup. A lot of times the
customer has a HD that's five or six years old and they really need
a backup done. Then there are the times when I'm working for a
young person and they don't want a backup they just want the drive
wiped and they want the OS installed.

Post by Dustin
We would typically reserve cloning drives for hardware failure
signs. Although, a customer could have us clone a drive for a
malware issue if they so desired. By default, we always copied
docs, favorites, emails etc before doing anything... But, you
know, different places have different policies.

I work mostly with home users and small businesses and a lot of
times they have personal stuff they want to save. So I'll do a
quick backup of that data and then I'll do the full backup.
Sometimes they just want a reinstall. There are times when they
tell me not to backup because the data isn't important. In David's
response he seems worried about saving data so I wondered why he
wouldn't backup.

Post by Dustin
Why do you spend the additional time to clone an entire drive for
a malware removal job?

It doesn't take that long most of the time and it's a lot safer for
the user's data. In most cases it actually takes longer to install,
upgrade and reinstall software for the customer. Most of the time I
backup less than 150GB.

Post by John Slade
I know there are a lot of fly-by-night computer repair
people who are just there to do a quick fix and get paid, I
find myself cleaning up after a lot of them.

I've encountered a few of those in my time as well.... I enjoy
the work they provide me tho.

Me too. I especially get a kick out of the ones who don't
do backups and leave various screws out.

Or, use the wrong screws and strip one of the drives :)

Post by Dustin
Tell me something, John, as a PROFESSIONAL, have
you written any of the tools you use for cleanup; or do you use
the work others have written, such as myself, David lipman and
many others?

For the record, I'm not trying to get into some pissing
contest. I was just making a suggestion as to how to fix the
problem laid out in the OP.

I understand. It just seemed as if you were being a wiseass
towards David, from my POV. I didn't personally see any need in
doing that. We can all be professional and civil here.

David was being a wiseass himself and I can understand why he
didn't respond. He seemed worried about losing data by simply
removing the system restore points so I naturally wondered why, a
backup can solve this problem. I guess he realized it was a good
idea so then he got snippy.

Well, a backup is a good way of having an escape route should
something go wrong. :) From a software aspect tho, I haven't
really encountered much malware that would justify the time I
spent on imaging the drive first. I wasn't in charge of billing
tho, so that may have played a part in that.

I don't work for any company I work freelance. Like I said most
backups are small and usually take from 20 minutes to a couple of
hours. I don't charge by the hour I charge by the job.

Post by John Slade
So tell me what products have you and David Lipman
written and where can I check them out?

I've heard of some of those.

Post by Dustin
In more recent times, I developed an antimalware scanner (that's
why I found your description on how they worked amusing. hehehe)
called BugHunter. I did a stint as a malware researcher for an app
called Malwarebytes antimalware..

I don't know why you would find it funny because a virus writer
will use anything to hide a virus. What smarter way is to hide them
in each and every folder in "system volume information"? I do
believe that what the system had was a variant of the Virtumonde
trojan. If you did research on malware then you know virus writers
will take existing malware and modify it. I found one thing to be
true in the world of malware, NOBODY knows everything about every
malware variant out there. You can believe me or not, it doesn't
matter.
John

You do appreciate that Dustin Cook was once a virus writer himself,
don't you, John?

Does it matter that much, BD? Do you feel I haven't been honest with
the fellow and so you need to remind persons of that aspect?

Post by ~BD~
There is school of thought that suggests that once a computer has
been compromised, one can never be *certain* that it is clean - and
that it is always best to re-install the operating system ...... on
a formatted hard disk, wiping out all partitions first.

That school of thought does exist, yes. I don't subscribe to it tho.

--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.

David H. Lipman

2010-08-01 23:03:40 UTC

From: "Dustin" <***@gmail.com>

| That school of thought does exist, yes. I don't subscribe to it tho.

It does exist. However first you perform a Cost Benefit Analysis (CBA).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

John Slade

2010-08-02 00:45:41 UTC

Post by ~BD~

I don't know why you would find it funny because a virus writer will use
anything to hide a virus. What smarter way is to hide them in each and
every folder in "system volume information"? I do believe that what the
system had was a variant of the Virtumonde trojan. If you did research
on malware then you know virus writers will take existing malware and
modify it. I found one thing to be true in the world of malware, NOBODY
knows everything about every malware variant out there. You can believe
me or not, it doesn't matter.
John

You do appreciate that Dustin Cook was once a virus writer himself,
don't you, John?

I didn't know Dustin Cook existed until he responded for
you. But I've been reading some in alt.comp.viruses and I find
it well...interesting... If he wrote viruses then he more than
anyone should know that what I said happened is indeed possible.

Post by ~BD~
There is school of thought that suggests that once a computer has been
compromised, one can never be *certain* that it is clean - and that it
is always best to re-install the operating system ...... on a formatted
hard disk, wiping out all partitions first.

That school of thought is pretty common but I've found
that the vast majority of infected systems can be saved without
reformatting and installing. It all depends on what the malware
is and how much damage has been done. If formatting every
infected HD at the sign of malware, very little data would be
saved unless you backup important data.

Post by ~BD~
I'm just a user - but that's how I think too! ;-)

I'm a user and I find that backups save me a lot of
trouble. I know my HD will fail. As a repair tech, I know my
customer's HD will fail so I backup. Some of my customers want
to save the data so I backup before I remove malware. Some don't
care and ask me to format and install.

I've been reading some in alt.comp.virus and it's pretty
amusing.... I'm starting to understand more and more why I'm
getting the responses I'm getting... ;)

John

FromTheRafters

2010-08-02 01:57:59 UTC

"John Slade" <***@pacbell.net> wrote in message news:Xyo5o.41721$***@newsfe20.iad...

[...]

I don't know why you would find it funny because a virus writer will use
anything to hide a virus. What smarter way is to hide them in each and
every folder in "system volume information"?

I didn't know Dustin Cook existed until he responded for you. But I've
been reading some in alt.comp.viruses and I find it well...interesting...
If he wrote viruses then he more than anyone should know that what I said
happened is indeed possible.

Because he understands true viruses, he knows that they don't need to hide
themselves in folders.

I don't think he would have said what he said if you had said worms, or
malware, instead of viruses.

Some malware sorta infests the "System Volume Information" folder - what
actually happens is that when the AV requests deletion of a detected malware
file, the OS makes a copy and stores it there just in case you didn't
*really* want it deleted.

David H. Lipman

2010-08-02 02:13:05 UTC

From: "FromTheRafters" <erratic @nomail.afraid.org>

| "John Slade" <***@pacbell.net> wrote in message
| news:Xyo5o.41721$***@newsfe20.iad...

| [...]

I don't know why you would find it funny because a virus writer will use
anything to hide a virus. What smarter way is to hide them in each and
every folder in "system volume information"?

I didn't know Dustin Cook existed until he responded for you. But I've
been reading some in alt.comp.viruses and I find it well...interesting...
If he wrote viruses then he more than anyone should know that what I said
happened is indeed possible.

| Because he understands true viruses, he knows that they don't need to hide
| themselves in folders.

| I don't think he would have said what he said if you had said worms, or
| malware, instead of viruses.

| Some malware sorta infests the "System Volume Information" folder - what
| actually happens is that when the AV requests deletion of a detected malware
| file, the OS makes a copy and stores it there just in case you didn't
| *really* want it deleted.

It doesn't really have to do with an anti malware application deleting a file. That the
Recycle Bin and only the OS Shell (explorer) will place the files in the Recycle Bin.

In this case the OS will take executable binaries and other OS related files and place
copies in the System Restore Cache. All I have to do is download and EXE or DLL and it
will be in the cache and reference the location of where it was in the OS. And it doesn't
really infest the "System Volume Information\_restore" folder. It lays dormant in there
until the user decides to restore a break point. Then it will take the executable binary
and other OS related files and place them back in the original location thus reviving them
from dormancy. However malware is not know to "hide" itself in "System Volume
Information" while operating within the OS.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

John Slade

2010-08-02 18:06:42 UTC

Post by David H. Lipman
| [...]

I don't know why you would find it funny because a virus writer will use
anything to hide a virus. What smarter way is to hide them in each and
every folder in "system volume information"?

I didn't know Dustin Cook existed until he responded for you. But I've
been reading some in alt.comp.viruses and I find it well...interesting...
If he wrote viruses then he more than anyone should know that what I said
happened is indeed possible.

| Because he understands true viruses, he knows that they don't need to hide
| themselves in folders.
| I don't think he would have said what he said if you had said worms, or
| malware, instead of viruses.
| Some malware sorta infests the "System Volume Information" folder - what
| actually happens is that when the AV requests deletion of a detected malware
| file, the OS makes a copy and stores it there just in case you didn't
| *really* want it deleted.
It doesn't really have to do with an anti malware application deleting a file. That the
Recycle Bin and only the OS Shell (explorer) will place the files in the Recycle Bin.
In this case the OS will take executable binaries and other OS related files and place
copies in the System Restore Cache. All I have to do is download and EXE or DLL and it
will be in the cache and reference the location of where it was in the OS. And it doesn't
really infest the "System Volume Information\_restore" folder. It lays dormant in there
until the user decides to restore a break point. Then it will take the executable binary
and other OS related files and place them back in the original location thus reviving them
from dormancy. However malware is not know to "hide" itself in "System Volume
Information" while operating within the OS.

As far as you know, no malware writer used that method.
Nobody knows everything.

John

FromTheRafters

2010-08-02 21:44:06 UTC

Post by David H. Lipman
| [...]

I don't know why you would find it funny because a virus writer will use
anything to hide a virus. What smarter way is to hide them in each and
every folder in "system volume information"?

I didn't know Dustin Cook existed until he responded for you. But I've
been reading some in alt.comp.viruses and I find it
well...interesting...
If he wrote viruses then he more than anyone should know that what I said
happened is indeed possible.

| Because he understands true viruses, he knows that they don't need to hide
| themselves in folders.
| I don't think he would have said what he said if you had said worms, or
| malware, instead of viruses.
| Some malware sorta infests the "System Volume Information" folder - what
| actually happens is that when the AV requests deletion of a
detected malware
| file, the OS makes a copy and stores it there just in case you didn't
| *really* want it deleted.
It doesn't really have to do with an anti malware application
deleting a file. That the
Recycle Bin and only the OS Shell (explorer) will place the files in the Recycle Bin.
In this case the OS will take executable binaries and other OS related files and place
copies in the System Restore Cache. All I have to do is download and EXE or DLL and it
will be in the cache and reference the location of where it was in
the OS. And it doesn't
really infest the "System Volume Information\_restore" folder. It lays dormant in there
until the user decides to restore a break point. Then it will take the executable binary
and other OS related files and place them back in the original
location thus reviving them
from dormancy. However malware is not know to "hide" itself in "System Volume
Information" while operating within the OS.

As far as you know, no malware writer used that method. Nobody
knows everything.

Now, you're just being silly.

John Slade

2010-08-02 18:04:51 UTC

I don't know why you would find it funny because a virus writer will use
anything to hide a virus. What smarter way is to hide them in each and
every folder in "system volume information"?

I didn't know Dustin Cook existed until he responded for you. But I've
been reading some in alt.comp.viruses and I find it well...interesting...
If he wrote viruses then he more than anyone should know that what I said
happened is indeed possible.

Because he understands true viruses, he knows that they don't need to hide
themselves in folders.
I don't think he would have said what he said if you had said worms, or
malware, instead of viruses.

Well "virus" is a generic term these days. I was talking
about worms and/or trojans, I was using "virus" as a generic
term. I guess that clears it up.

John

Dustin

2010-08-02 18:27:02 UTC

I don't know why you would find it funny because a virus writer
will use anything to hide a virus. What smarter way is to hide
them in each and every folder in "system volume information"?

I didn't know Dustin Cook existed until he responded for you. But I've
been reading some in alt.comp.viruses and I find it
well...interesting... If he wrote viruses then he more than anyone
should know that what I said happened is indeed possible.

Because he understands true viruses, he knows that they don't need
to hide themselves in folders.
I don't think he would have said what he said if you had said
worms, or malware, instead of viruses.

Well "virus" is a generic term these days. I was talking
about worms and/or trojans, I was using "virus" as a generic
term. I guess that clears it up.

virus isn't a generic term, then or now. As a professional, I think it
unwise of you to generalize what might be ailing the patient.

--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.

David H. Lipman

2010-08-02 18:57:05 UTC

I don't know why you would find it funny because a virus writer will use
anything to hide a virus. What smarter way is to hide them in each and
every folder in "system volume information"?

I didn't know Dustin Cook existed until he responded for you. But I've
been reading some in alt.comp.viruses and I find it well...interesting...
If he wrote viruses then he more than anyone should know that what I said
happened is indeed possible.

Because he understands true viruses, he knows that they don't need to hide
themselves in folders.
I don't think he would have said what he said if you had said worms, or
malware, instead of viruses.

| Well "virus" is a generic term these days. I was talking
| about worms and/or trojans, I was using "virus" as a generic
| term. I guess that clears it up.

The term "malware" is generic.
The term "virus" is quite specific.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

FromTheRafters

2010-08-02 21:46:37 UTC

I don't know why you would find it funny because a virus writer will use
anything to hide a virus. What smarter way is to hide them in each and
every folder in "system volume information"?

I didn't know Dustin Cook existed until he responded for you. But I've
been reading some in alt.comp.viruses and I find it
well...interesting...
If he wrote viruses then he more than anyone should know that what I said
happened is indeed possible.

Because he understands true viruses, he knows that they don't need to hide
themselves in folders.
I don't think he would have said what he said if you had said worms, or
malware, instead of viruses.

Well "virus" is a generic term these days. I was talking about
worms and/or trojans, I was using "virus" as a generic term. I guess
that clears it up.

Yep, clear as rain. You don't know the terminology, don't care, yet we
are supposed to believe that you know what you are talking about.

That's it, huh?

David Kaye

2010-08-02 05:16:35 UTC

Please stop this nonsense already. I got the answers I needed. All you're
doing is making yourselves look like fools.

Dustin

2010-08-01 22:04:23 UTC

What software do you use for the backup?

I will either use Acronis' or Paragon's backup software
depending on the situation.

Post by Dustin
Are you storing the backup on
read only media or a hard drive that could fail for any reason?

I haven't heard the acronym WORM in years... Damn, you have been
around a long time. :) I was thinking of cd-r or perhaps dvd-r
material.

It would be OK for DVD-R if the backup is small. But
swapping 20 or more DVDs is a pain.

Post by Dustin
It depends. When I was working at a computer shop; I'd either use
norton ghost corp edition or the hardware drive cloning device we
had at the time.

I rarely use Ghost these days, it used to be the only
thing I ever used.

Post by Dustin
I really didn't see much point in cloning a malware drive
for malware removal; I wasn't stupid enough to trash my backups of
the registry or important files. besides, I wrote several utilities
to assist me in verifying various windows dll/exe files were still
intact and okay for reuse.

Theres your odd attitude again. What makes you think I wasn't working
for someone else when I did those things? Obviously since I didn't own
the shop, I was working for someone else.

Btw, What certifications do you presently hold? I'm just lowly
A+/network+ (back when that stupid thing was still considered worth the
paper it's printed on). Are you MCSE?

I completely understand the backup scenarios..

Post by Dustin
We would typically reserve cloning drives for hardware failure
signs. Although, a customer could have us clone a drive for a
malware issue if they so desired. By default, we always copied
docs, favorites, emails etc before doing anything... But, you know,
different places have different policies.

I see. It's the corp customers who can be.. a bit, on the anal side at
times. At the end of the day tho, you do whatever customer wants.

Post by Dustin
Why do you spend the additional time to clone an entire drive for a
malware removal job?

I'm just wondering what you mean by safer for the users data then I
guess. If it's a malware issue, the users data itself shouldn't be
affected much if at all; it's the applications and little.. extras that
may be of concern.

Post by Dustin
I understand. It just seemed as if you were being a wiseass towards
David, from my POV. I didn't personally see any need in doing that.
We can all be professional and civil here.

Well, along with potentially good dlls you might want to use to avoid
having to reinstall; comes several stages of the systems registry
hives. All valuable if your into recovering the system, as opposed to
wiping and starting over. I see no reason to obliterate the restore
points right away; They still contain potentially useful data to me.

What seperates some professionals from others is the ability to restore
the system without resorting to wiping and reloading as really, anybody
could do that. In many cases, not all, but many, you don't have to wipe
and reload the entire system to get rid of the malware.

Could you imagine, reloading the system to get rid of antivirusxp2010?
You'd agree, that would be an incompetent action to take?

Well, a backup is a good way of having an escape route should
something go wrong. :) From a software aspect tho, I haven't really
encountered much malware that would justify the time I spent on
imaging the drive first. I wasn't in charge of billing tho, so that
may have played a part in that.

I don't work for any company I work freelance. Like I said
most backups are small and usually take from 20 minutes to a
couple of hours. I don't charge by the hour I charge by the job.

Ahh, well.. I worked for one shop for just over a decade.. had some
prior real world experience from other shops voc and what I did as a
kiddo... I'll do the freelance thing when it's necessary, but I don't
halfass the job. Like I said, I've been doing this ten years or so less
than you and have yet to lose anyones data; providing they called me in
time...

Post by John Slade
So tell me what products have you and David Lipman
written and where can I check them out?

I've heard of some of those.

Post by Dustin
In more recent times, I developed an antimalware scanner (that's
why I found your description on how they worked amusing. hehehe)
called BugHunter. I did a stint as a malware researcher for an app
called Malwarebytes antimalware..

Well, I found it funny from the point of view of a former virus writer
turned whitehat. Does that make any sense to you?

Why would I spend the time to hide a virus in a folder, when I could
choose files? You could just delete me if I stored myself in a folder
in a binary format alone. If I reside in your files instead, I'm alot
harder to deal with.

I know some virus writers have used existing code and modified that
yes. However, the majority of the crap I've seen passing for malware
these days typically isn't actually viral in nature. A virus is no
accident, ya see.

It's entirely possible the individual does have a virut varient, I
haven't seen the sample to confirm or deny that. Based only on what Ant
has written up about it tho, doesn't seem to indicate virut; but
something possibly forked from the same original codebase.

How as a virus would I be able to hide if you examined the drive from a
system that didn't start off of it? It's a rhetorical question... :)

--
"I like your Christ. I don't like your Christians. They are so unlike
your Christ." - author unknown.

David H. Lipman

2010-08-01 23:09:02 UTC

From: "Dustin" <***@gmail.com>

< snip >

Post by John Slade
I don't know why you would find it funny because a
virus writer will use anything to hide a virus. What smarter way
is to hide them in each and every folder in "system volume
information"? I do believe that what the system had was a
variant of the Virtumonde trojan. If you did research on malware
then you know virus writers will take existing malware and
modify it. I found one thing to be true in the world of malware,
NOBODY knows everything about every malware variant out there.
You can believe me or not, it doesn't matter.

| Well, I found it funny from the point of view of a former virus writer
| turned whitehat. Does that make any sense to you?

| Why would I spend the time to hide a virus in a folder, when I could
| choose files? You could just delete me if I stored myself in a folder
| in a binary format alone. If I reside in your files instead, I'm alot
| harder to deal with.

| I know some virus writers have used existing code and modified that
| yes. However, the majority of the crap I've seen passing for malware
| these days typically isn't actually viral in nature. A virus is no
| accident, ya see.

| It's entirely possible the individual does have a virut varient, I
| haven't seen the sample to confirm or deny that. Based only on what Ant
| has written up about it tho, doesn't seem to indicate virut; but
| something possibly forked from the same original codebase.

| How as a virus would I be able to hide if you examined the drive from a
| system that didn't start off of it? It's a rhetorical question... :)

The important aspect is one of NTFS permissions. More than just the average malware can't
access "system volume information" and certainly NOT the Vundo family (including Virtumone
adware).

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

John Slade

2010-08-02 01:31:47 UTC

< snip>

| Well, I found it funny from the point of view of a former virus writer
| turned whitehat. Does that make any sense to you?
| Why would I spend the time to hide a virus in a folder, when I could
| choose files? You could just delete me if I stored myself in a folder
| in a binary format alone. If I reside in your files instead, I'm alot
| harder to deal with.
| I know some virus writers have used existing code and modified that
| yes. However, the majority of the crap I've seen passing for malware
| these days typically isn't actually viral in nature. A virus is no
| accident, ya see.
| It's entirely possible the individual does have a virut varient, I
| haven't seen the sample to confirm or deny that. Based only on what Ant
| has written up about it tho, doesn't seem to indicate virut; but
| something possibly forked from the same original codebase.
| How as a virus would I be able to hide if you examined the drive from a
| system that didn't start off of it? It's a rhetorical question... :)
The important aspect is one of NTFS permissions. More than just the average malware can't
access "system volume information" and certainly NOT the Vundo family (including Virtumone
adware).

As far as you know...

John

David H. Lipman

2010-08-02 01:54:27 UTC

< snip>

| Well, I found it funny from the point of view of a former virus writer
| turned whitehat. Does that make any sense to you?
| Why would I spend the time to hide a virus in a folder, when I could
| choose files? You could just delete me if I stored myself in a folder
| in a binary format alone. If I reside in your files instead, I'm alot
| harder to deal with.
| I know some virus writers have used existing code and modified that
| yes. However, the majority of the crap I've seen passing for malware
| these days typically isn't actually viral in nature. A virus is no
| accident, ya see.
| It's entirely possible the individual does have a virut varient, I
| haven't seen the sample to confirm or deny that. Based only on what Ant
| has written up about it tho, doesn't seem to indicate virut; but
| something possibly forked from the same original codebase.
| How as a virus would I be able to hide if you examined the drive from a
| system that didn't start off of it? It's a rhetorical question... :)
The important aspect is one of NTFS permissions. More than just the average malware
can't
access "system volume information" and certainly NOT the Vundo family (including
Virtumone
adware).

| As far as you know...

And I *know* a lot. It is known for hooking into IE through BHO and Winlogon via
Winlogon\Notify and more recently via the Local Security Authority Subsystem Service. And
I know its intial infection vector was through Java Exploits. I remember when they first
hit and I have seen the tools that were used to erradicate up to and including MBAM. You
read where Dustin was an employee of Malwarebytes. Dustin and I were both employee
Malware Researchers for Malwarebytes :-)

{ BTW: I also know I spelled Virtumonde wrong :-) }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

John Slade

2010-08-02 18:01:07 UTC

< snip>

| Well, I found it funny from the point of view of a former virus writer
| turned whitehat. Does that make any sense to you?
| Why would I spend the time to hide a virus in a folder, when I could
| choose files? You could just delete me if I stored myself in a folder
| in a binary format alone. If I reside in your files instead, I'm alot
| harder to deal with.
| I know some virus writers have used existing code and modified that
| yes. However, the majority of the crap I've seen passing for malware
| these days typically isn't actually viral in nature. A virus is no
| accident, ya see.
| It's entirely possible the individual does have a virut varient, I
| haven't seen the sample to confirm or deny that. Based only on what Ant
| has written up about it tho, doesn't seem to indicate virut; but
| something possibly forked from the same original codebase.
| How as a virus would I be able to hide if you examined the drive from a
| system that didn't start off of it? It's a rhetorical question... :)
The important aspect is one of NTFS permissions. More than just the average malware
can't
access "system volume information" and certainly NOT the Vundo family (including
Virtumone
adware).

| As far as you know...
And I *know* a lot. It is known for hooking into IE through BHO and Winlogon via
Winlogon\Notify and more recently via the Local Security Authority Subsystem Service. And
I know its intial infection vector was through Java Exploits. I remember when they first
hit and I have seen the tools that were used to erradicate up to and including MBAM. You
read where Dustin was an employee of Malwarebytes. Dustin and I were both employee
Malware Researchers for Malwarebytes :-)

That's all well and good but as you know there are strains
of trojans and worms that are unknown. It may or may not have
been Virtumonde or a version of it, it very well may have been
some other malware that dropped Virtumonde. I'm sure you know
there is malware out there that will drop multiple trojans and
worms on a system. But whatever it was, I was never afraid to do
what it took to get rid of it. That's why I make a backup before
I clean badly infected systems.

I can tell you this, after I got rid of all the system
restore points, some malware looked for files in the restore
folders and couldn't find them. I got the popup saying the files
were not found in that directory. I did a final scan and when I
removed the malware this time it stayed gone. The system ran
with no problems until the teenager put something else on it
months later.

John

David H. Lipman

2010-08-02 19:15:20 UTC

From: "John Slade" <***@pacbell.net>

| That's all well and good but as you know there are strains
| of trojans and worms that are unknown. It may or may not have
| been Virtumonde or a version of it, it very well may have been
| some other malware that dropped Virtumonde. I'm sure you know
| there is malware out there that will drop multiple trojans and
| worms on a system. But whatever it was, I was never afraid to do
| what it took to get rid of it. That's why I make a backup before
| I clean badly infected systems.

| I can tell you this, after I got rid of all the system
| restore points, some malware looked for files in the restore
| folders and couldn't find them. I got the popup saying the files
| were not found in that directory. I did a final scan and when I
| removed the malware this time it stayed gone. The system ran
| with no problems until the teenager put something else on it
| months later.

I agree, there are "...strains of trojans and worms that are unknown."
However there is a relatively finite capability that they employ. Usually one repeats the
success of another and builds upon that success. What becomes new is not what they do
within the file system, it is what they do in the Registry or employing different
programmng techniques and Kernel constructs.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

John Slade

2010-08-02 01:30:37 UTC

What software do you use for the backup?

I will either use Acronis' or Paragon's backup software
depending on the situation.

Post by Dustin
Are you storing the backup on
read only media or a hard drive that could fail for any reason?

I haven't heard the acronym WORM in years... Damn, you have been
around a long time. :) I was thinking of cd-r or perhaps dvd-r
material.

It would be OK for DVD-R if the backup is small. But
swapping 20 or more DVDs is a pain.

Post by Dustin
It depends. When I was working at a computer shop; I'd either use
norton ghost corp edition or the hardware drive cloning device we
had at the time.

I rarely use Ghost these days, it used to be the only
thing I ever used.

Post by Dustin
I really didn't see much point in cloning a malware drive
for malware removal; I wasn't stupid enough to trash my backups of
the registry or important files. besides, I wrote several utilities
to assist me in verifying various windows dll/exe files were still
intact and okay for reuse.

Theres your odd attitude again. What makes you think I wasn't working
for someone else when I did those things? Obviously since I didn't own
the shop, I was working for someone else.

Well you made it sound like you were doing it for yourself.

Post by Dustin
Btw, What certifications do you presently hold? I'm just lowly
A+/network+ (back when that stupid thing was still considered worth the
paper it's printed on). Are you MCSE?

I took courses and wound up teaching an A+ class. A+ is a
good place to start for someone looking to get certified for
work at some company that requires that cert. I view the MCSE
certification as pretty much a money making scam. I look at MCSE
certifications as a joke in many cases because some courses just
teach people how to pass the certification test. I took a long
MSCE certification course but I never needed to be certified as
I went into business for myself. I found most of the things
covered was knowledge I already had. I also found that many MSCE
"certified" people don't know a lot. Well they do know how to
pass that test!

I don't need any of those certifications, it's a waste of
money.

Post by Dustin
We would typically reserve cloning drives for hardware failure
signs. Although, a customer could have us clone a drive for a
malware issue if they so desired. By default, we always copied
docs, favorites, emails etc before doing anything... But, you know,
different places have different policies.

I see. It's the corp customers who can be.. a bit, on the anal side at
times. At the end of the day tho, you do whatever customer wants.

Post by Dustin
Why do you spend the additional time to clone an entire drive for a
malware removal job?

It's not JUST the malware issue, I already explained that
often HDs I work on are pretty old. Also when you start cleaning
files the system may not boot, data may be destroyed. There are
lots of reasons to backup and that's what I learned over the years.

Post by Dustin
I understand. It just seemed as if you were being a wiseass towards
David, from my POV. I didn't personally see any need in doing that.
We can all be professional and civil here.

You may or may not have to delete restore points. It
depends on the particular malware.

Post by Dustin
What seperates some professionals from others is the ability to restore
the system without resorting to wiping and reloading as really, anybody
could do that. In many cases, not all, but many, you don't have to wipe
and reload the entire system to get rid of the malware.

Yea that's why I find making a backup allows me to make a
mistake if removing the malware causes the installation to be
trashed and it does happen.

Post by Dustin
Could you imagine, reloading the system to get rid of antivirusxp2010?
You'd agree, that would be an incompetent action to take?

I've removed that particular infection before and didn't
need to reinstall anything.

Post by John Slade
So tell me what products have you and David Lipman
written and where can I check them out?

I've heard of some of those.

Post by Dustin
In more recent times, I developed an antimalware scanner (that's
why I found your description on how they worked amusing. hehehe)
called BugHunter. I did a stint as a malware researcher for an app
called Malwarebytes antimalware..

Well you could chose particular files in the restore
point folders, you could tell it to create a restore point and
infect the system files. The advantage is the malware scanner
will not clean it because it's a read only folder by default.

Post by Dustin
It's entirely possible the individual does have a virut varient, I
haven't seen the sample to confirm or deny that. Based only on what Ant
has written up about it tho, doesn't seem to indicate virut; but
something possibly forked from the same original codebase.

All I remember is that the many restore points were all
infected with the same malware. Restore points that were there
before the malware was installed by the user. The malware was in
some pirated software that was installed a couple of days before
I was called.

John

Dustin

2010-08-02 18:41:02 UTC

Post by John Slade
You should know there is malware out there that will
trash the registry and it's backup. It will require some sort
of reinstall to get the system back working. I found it very
rare that I need to do a full reformat and reinstall because
of malware. Some malware will also corrupt system files and
when you remove them with scanners, it will make the
installation unbootable. This is yet another reason
professionals will make a backup if possible before removing
infections.

What software do you use for the backup?

I will either use Acronis' or Paragon's backup software
depending on the situation.

Post by Dustin
Are you storing the backup on
read only media or a hard drive that could fail for any reason?

I haven't heard the acronym WORM in years... Damn, you have been
around a long time. :) I was thinking of cd-r or perhaps dvd-r
material.

It would be OK for DVD-R if the backup is small. But
swapping 20 or more DVDs is a pain.

Post by Dustin
It depends. When I was working at a computer shop; I'd either use
norton ghost corp edition or the hardware drive cloning device we
had at the time.

I rarely use Ghost these days, it used to be the only
thing I ever used.

Post by Dustin
I really didn't see much point in cloning a malware drive
for malware removal; I wasn't stupid enough to trash my backups
of the registry or important files. besides, I wrote several
utilities to assist me in verifying various windows dll/exe files
were still intact and okay for reuse.

Theres your odd attitude again. What makes you think I wasn't
working for someone else when I did those things? Obviously since I
didn't own the shop, I was working for someone else.

Well you made it sound like you were doing it for yourself.

Post by Dustin
Btw, What certifications do you presently hold? I'm just lowly
A+/network+ (back when that stupid thing was still considered worth
the paper it's printed on). Are you MCSE?

My boss paid for the tests, it just cost me some driving time. As I've
been doing the computer thing since the trash80 series was actually new
and hot stuff to some, I didn't really need to study for the exam.
While tandy's computers were proprietary in nature, they had some
things in common with cp/m and later dos machines. Besides, it beat
tracing a grounding problem on an AT mainboard keyboard port. <G>

The shop I worked at actually fixed problems, we didn't ship to
manufacturer or sell you a new mainboard if components could be
replaced cheaper and still bring the system back to it's original self.
None of us were afraid of soldering pencils or precision electronics,
everyone at the shop had a background in it.

So, as a professional with years on me, do you replace boards or
actually get down and dirty with them?

Post by John Slade
"certified" people don't know a lot. Well they do know how to
pass that test!

I would tend to agree with that statement, based on the future
technicians who will eventually be replacing me. :)

Post by John Slade
I don't need any of those certifications, it's a waste of
money.

It looks nice on paper, tho. :) I like you didn't bother to fork out
the 2grand for the MCSE certs, I watched a friend of mine who knew next
to nothing about computers; get MCSE inside of 3 months time. So, yea,
I'm in complete agreement with you about them. Lots of reading, a very
small amount of practice in the LAN I configured for him, and walla;
MCSE certified; but doesn't know his ass from a hole in the ground.

Post by Dustin
I'm just wondering what you mean by safer for the users data then I
guess. If it's a malware issue, the users data itself shouldn't be
affected much if at all; it's the applications and little.. extras
that may be of concern.

True, plenty of reasons to backup and I certainly don't disagree with
one who is strict with a decent backup policy; I just don't really see
the need to do it for a malware removal job alone.

Post by Dustin
I understand. It just seemed as if you were being a wiseass
towards David, from my POV. I didn't personally see any need in
doing that. We can all be professional and civil here.

You may or may not have to delete restore points. It
depends on the particular malware.

I know of no malware which would force me to toss an entire restore
point. I can just go into the folder from another system and do what
needs to be done; without endangering said system.

Post by Dustin
What seperates some professionals from others is the ability to
restore the system without resorting to wiping and reloading as
really, anybody could do that. In many cases, not all, but many,
you don't have to wipe and reload the entire system to get rid of
the malware.

Yea that's why I find making a backup allows me to make a
mistake if removing the malware causes the installation to be
trashed and it does happen.

Be careful and take your time. Safety first and all that. :)

Post by Dustin
Well, I found it funny from the point of view of a former virus
writer turned whitehat. Does that make any sense to you?
Why would I spend the time to hide a virus in a folder, when I
could choose files? You could just delete me if I stored myself in
a folder in a binary format alone. If I reside in your files
instead, I'm alot harder to deal with.

Hmm. I'm guessing you don't know how the restore functions in windows
actually works. I'll clue you in.. If I so much as edit a
sys/dll/com/exe file in the windows folders a restore point is
automatically created so long as system restore is turned on. That
restore point will backup the file before my changes are finalized on
disk. Unless, I override system restore and do it directly.

The folder itself isn't exactly read-only by permissions alone, again,
the resident system restore dlls keep you out; but you can still scan
inside with it running if you do low level calls.