Precautions needed during scanning?

Thread starter: mm

mm

This just in! Scanning with the Panda Rescue Disk removed 16
instances of malware.
Scanning with Kaspersky Rescue Disk removed 26, but
said it couldn't delete or disinfect Rootkit.win32.TDSS.mbr , at the
root level, the MBR iiuc.

What should I do about that one!

For lack of a better idea, I'm thinking of using the Recovery Console
of an XP installation disk and running FixMBR. ??


1) I have a router. If my computer and the laptop with the malware
are both plugged into the router at the same time, can the laptop
infect my computer?

2) Kaspersky says, and other companies say something similar, "Regular
updates of Kaspersky Rescue Disk databases ensures effective
protection". But it's silly, isn't it, to talk about a regular
update of a CD**.

So if I copied the rescue CD to a bootable flashdrive or USB harddisk,
could the viruses already in the laptop infect the flashdrive or
harddisk. Could the newly infected flashdrive or harddisk infect the
next computer it is used to test?

**If this were a standard message it wouldn't seem silly, but it says
"Rescue Disk". Don't they know that almost everyone runs this from a
CD?

3) Kaspersky had as the default option, Prompt for Action, when an
infected file is found. Wouldn't that mean I'd have to be watching
the entire time the scan ran, and if I were out of the room, it would
wait for me, making the scan take that much longer? I changed it to
"Prompt for action at end of scan". Stupid question maybe, but isn't
that better for most people? Yeet it's not the default.

Any other settings I should have changed for a heavily infected pc?
They had one two levels deep in the settings called, "Don't expand
very large files". I've never understood whether files inside zip
files etc. can do harm -- does any malware expand archives etc. after
I have scanned?


Thanks.
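Question 2 above asks whether a rescue CD copied to a flash drive or USB hard disk could pick up infections from the laptop and carry them to the next machine. The practical check is to record checksums of the media before it is used and compare afterwards. The following is an added example written for this page, not code from the thread or from any rescue-disk vendor; the directory layout and file contents are constructed stand-ins for a stick:

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large rescue images don't need to fit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to the stick root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Diff the stick against a manifest taken earlier.

    Returns sorted lists of paths that changed, appeared, or disappeared.
    An empty result means the media is byte-for-byte what it was when imaged.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }


def demo() -> dict:
    """Constructed scenario standing in for a USB rescue stick.

    The stick is imaged, then 'used' somewhere that writes to it: the scanner
    binary is altered and an autorun.inf is dropped at the root.
    """
    with tempfile.TemporaryDirectory() as tmp:
        stick = Path(tmp)
        (stick / "boot").mkdir()
        (stick / "boot" / "vmlinuz").write_bytes(b"\x7fELF constructed kernel image")
        (stick / "bases.db").write_bytes(b"constructed signature database")
        (stick / "tools").mkdir()
        (stick / "tools" / "scan.exe").write_bytes(b"MZ constructed scanner")

        manifest = build_manifest(stick)          # take this BEFORE plugging into anything
        clean = verify_manifest(stick, manifest)  # sanity check: nothing has changed yet
        assert clean == {"modified": [], "added": [], "missing": []}

        # What an infected, running Windows host could do to writable media:
        (stick / "tools" / "scan.exe").write_bytes(b"MZ trojanised scanner")
        (stick / "autorun.inf").write_text("[autorun]\nopen=tools\\scan.exe\n")

        return verify_manifest(stick, manifest)


if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the stick's contents cannot reach (another drive, or a printed hash of the manifest file), since anything able to write to the stick can also rewrite a manifest kept on it. While the rescue environment is booted, the host's malware is not running, so the realistic exposure is plugging the writable stick into an infected Windows machine that is up, where autorun and ordinary file writes can reach it; a stick with a hardware write-protect switch, or a freshly burned CD, sidesteps that.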
 
This just in! Scanning with the Panda Rescue Disk removed 16
instances of malware.
Scanning with Kaspersky Rescue Disk removed 26, but
said it couldn't delete or disinfect Rootkit.win32.TDSS.mbr , at the
root level, the MBR iiuc.

Boot off a Windows PE disc, run fixboot. Reboot using a BartPE disc, go
to the windows/system32/drivers folder and neuter the .sys driver
file or you'll be doing this all over again.

You can also just download the Avast bootable cd or Avira or even bit
defender, burn it, boot the box and let it do its thing.

Another option, fire the machine up and put Trend Micro's SysClean on it
with newest pattern.
For lack of a better idea, I'm thinking of using the Recovery Console
of an XP installation disk and running FixMBR. ??

Just be sure you don't let the box boot until you get the sys driver
too, or the mbr is just going to get infected.
1) I have a router. If my computer and the laptop with the malware
are both plugged into the router at the same time, can the laptop
infect my computer?

Depending on your network configuration; it's possible.
 
Yes, that worked for me. I just posted about it in another thread called
"Malware masquerading as Microsoft Security Essentials?"

I'll go read that.
Some Dells may give you a warning that you have a non-standard boot record.
If you run it anyway, you may lose the ability to use the recovery partition
if it has one. The one I did was a Dell and I did get that warning, but it
was a fairly new Dell that shipped with the XP "downgrade" and it didn't have
a recovery partition anyway. I already had everything saved and I was
desperate so I took the chance. It worked.

Hey, this is a Dell, and I've been trying elsewhere to find out if it
has a recovery partition or not. Do you know how I can tell?
It might not work for you, so don't do it on *my* account... :-)

Okay. :) Actually I was going to do it in a few minutes but your
post made me postpone that, because you tied the MBR to the recovery
partition
 
Boot off a Windows PE disc, run fixboot. Reboot using a BartPE disc, go
to the windows/system32/drivers folder and neuter the .sys driver
file or you'll be doing this all over again.

I don't know what you mean by your last step. Is there only one .sys
driver file there and how do I neuter it? Rename it?
You can also just download the Avast bootable cd or Avira or even bit
defender, burn it, boot the box and let it do its thing.

FWIW, I used Bit Defender tonight, and it didn't find this problem.
It was the third AV I used tonight, and it did find 5 instances of 4
malware, but not this.

I'd used Panda first and it found 16 problems.
Then Kaspersky which found 26 or 36, all of which it fixed except
this MBR problem.

AVG just finished and only found 3 tracking cookies

So AVG and Bit Defender and Panda didn't find this MBR problem. That
doesn't mean it's not there, right? Just that Kaspersky is better on
mbr's?

Since you suggest it I'll try Avast sometime tomorrow.

So far I haven't run Avira because it makes it sound like it runs
automatically, with me at the start setting standard treatment of
threats. Is that so? I want to look at each one individually.
Another option, fire the machine up and put Trend Micro's SysClean on it
with newest pattern.

I'll look at that.
Just be sure you don't let the box boot until you get the sys driver
too, or the mbr is just going to get infected.


Depending on your network configuration; it's possible.

I haven't linked this friend's computer to my network, so I'm okay
then? It's just plugged into the same router at the same time. So
far I've only plugged in one at a time.

Actually, I'm trying to make it work but I don't even have a home
network. I have the wireless router and two computers (one in the
basement) but I can't get them to see each other, even though they
both are connected to the DSL. Are they safe from each other's
viruses?

Thanks a lot.
 
mm said:
This just in! Scanning with the Panda Rescue Disk removed 16
instances of malware.
Scanning with Kaspersky Rescue Disk removed 26, but
said it couldn't delete or disinfect Rootkit.win32.TDSS.mbr , at the
root level, the MBR iiuc.

What should I do about that one!

For lack of a better idea, I'm thinking of using the Recovery Console
of an XP installation disk and running FixMBR. ??

Assuming the machine uses a standard XP MBR, that should do it (for the
MBR).

Also assuming that Kaspersky was thorough with dealing with malware
*files*. As Dustin pointed out, a malicious sys file being executed
after the MBR etc...hands off to the OS could revert you back to square
one.

Some rootkits might write the displaced MBR code directly to the
harddrive (not in a *file*), but I'm not sure which ones do this (as I
recall, TDSS is a "family" name). Anyway, any such hidden code would be
neutered, as an active component would be needed in order to access it.
1) I have a router. If my computer and the laptop with the malware
are both plugged into the router at the same time, can the laptop
infect my computer?

2) Kaspersky says, and other companies say something similar, "Regular
updates of Kaspersky Rescue Disk databases ensures effective
protection". But it's silly, isn't it, to talk about a regular
update of a CD**.

I'm thinking that they mean the "database" - not the program per se. I'm
sure they realize that a database a week old may prove useless for many
users (malware is a fast-paced business).
So if I copied the rescue CD to a bootable flashdrive or USB harddisk,
could the viruses already in the laptop infect the flashdrive or
harddisk. Could the newly infected flashdrive or harddisk infect the
next computer it is used to test?

Yes, that's how it works with worms and viruses. Are we talking about
'Rootkit.win32.TDSS.mbr' specifically (which is neither worm nor virus,
but a rootkit in support of related malware), or the varied and sundry
malware collection? It might be worthwhile to mention that some malware
components can be dropped by other unrelated malware and when executing
can in turn bring in more unrelated malware.

(all of which, if "known", Kaspersky should be capable of dealing with)
**If this were a standard message it wouldn't seem silly, but it says
"Rescue Disk". Don't they know that almost everyone runs this from a
CD?

Yes, most people like to have them on read-only media, I think they're
just saying that you should create *fresh* read-only media from an
updated "database" if you insist on using read-only (Write Once Read
Many) media. The whole idea is to not be executing malware while
rescuing a system. If the malware isn't executing, it won't "spread" to
the read/write media (although one might inadvertently copy some
components there).
3) Kaspersky had as the default option, Prompt for Action, when an
infected file is found. Wouldn't that mean I'd have to be watching
the entire time the scan ran, and if I were out of the room, it would
wait for me, making the scan take that much longer?

I don't know, but I assume that is correct.
I changed it to
"Prompt for action at end of scan". Stupid question maybe, but isn't
that better for most people? Yet it's not the default.

Yes, I would think so, that is if those people desire to do an
unattended scan. Many people like to take advantage of the ability for a
scanner to operate in the background on a schedule while they continue
to work on other computer tasks, maybe that is why it is the default.

...although, on a rescue CD, I don't really see the point. I would much
rather check a log at the end of the scan.

That being said, that's not how I use my resident and on-demand
scanners. I have Avira active and ClamWin doing an on-demand scan, every
file ClamWin accesses gets scanned also (on-access) by Avira. Twice the
fun when my malware directory gets scanned.
Any other settings I should have changed for a heavily infected pc?

According to my unique definition of "heavily infected" none of this
should be done.

Flatten/Rebuild!

If that's not an option, you seem to be on the right track (but do back
ups first, and convince the user of the importance of doing them). Next
time, Flatten/Rebuild would be the easier option.
They had one two levels deep in the settings called, "Don't expand
very large files". I've never understood whether files inside zip
files etc. can do harm -- does any malware expand archives etc. after
I have scanned?

It's just a place that malware can hide, you would think that an
on-access scanner would be able to catch such when they are expanded as
a matter of course (provided it is 'looking' at the time, which might
not be the case).
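The last answer above makes the point that an archive is a hiding place, not a threat in itself: a member of a zip does nothing until something extracts and runs it, and the "don't expand very large files" setting exists because a scanner has to cap how much it will decompress. The block below is an added example, not code from the thread or from Kaspersky: it hashes every member of a zip (and of zips nested inside it) against a blocklist without extracting anything to disk, and stops expanding when a shared size budget or a depth limit is hit. The sample archive and the "signature" in it are constructed for the demonstration.

```python
import hashlib
import io
import zipfile

MAX_DEPTH = 3                # how many archives-within-archives to open
MAX_TOTAL_BYTES = 1_000_000  # uncompressed budget for the whole tree (the "very large files" knob)


def scan_zip_bytes(data: bytes, blocklist: set, max_total: int = MAX_TOTAL_BYTES,
                   max_depth: int = MAX_DEPTH) -> dict:
    """Hash every member of a zip (and of zips inside it) and match against a
    SHA-256 blocklist, never writing anything to disk.

    Returns {'scanned': [names], 'hits': [names], 'skipped': [(name, reason)]}.
    Names are path-like, e.g. 'inner.zip/bad.exe', so a hit says where to look.
    """
    report = {"scanned": [], "hits": [], "skipped": []}
    budget = [max_total]  # one shared counter, so nested zips can't each claim a fresh budget
    _walk(data, "", 0, blocklist, max_depth, budget, report)
    return report


def _walk(data, prefix, depth, blocklist, max_depth, budget, report):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            # The header's declared size is only a hint: a crafted archive can lie,
            # so the read below is capped at budget+1 bytes and re-checked.
            if info.file_size > budget[0]:
                report["skipped"].append((name, "exceeds size budget"))
                continue
            with zf.open(info) as member:
                payload = member.read(budget[0] + 1)
            if len(payload) > budget[0]:
                report["skipped"].append((name, "exceeds size budget"))
                continue
            budget[0] -= len(payload)
            report["scanned"].append(name)
            if hashlib.sha256(payload).hexdigest() in blocklist:
                report["hits"].append(name)
            if zipfile.is_zipfile(io.BytesIO(payload)):
                if depth + 1 >= max_depth:
                    report["skipped"].append((name, "nesting too deep"))
                else:
                    _walk(payload, name + "/", depth + 1, blocklist, max_depth, budget, report)


def build_sample():
    """Constructed test archive: a harmless text file, a nested zip holding a
    marker file, and a 2 MB zero-filled blob that compresses to almost nothing.
    The marker is plain text, not malware; its hash stands in for a signature."""
    marker = b"CONSTRUCTED-MARKER-NOT-MALWARE"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("bad.exe", marker)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", b"nothing to see here")
        z.writestr("inner.zip", inner.getvalue())
        z.writestr("big.bin", b"\0" * 2_000_000)
    return outer.getvalue(), {hashlib.sha256(marker).hexdigest()}


if __name__ == "__main__":
    archive, blocklist = build_sample()
    print(scan_zip_bytes(archive, blocklist))
```

The 2 MB blob is why the budget matters: it is a few kilobytes on disk but would cost 2 MB to inspect, and a deliberately built archive can push that ratio into the gigabytes. Anything the scanner skips for size or depth is reported rather than silently passed, which is the honest answer to "does scanning the zip prove it is clean": only for the members it actually expanded.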
 
Per mm:
FWIW, I used Bit Defender tonight, and it didn't find this problem.
It was the third AV I used tonight, and it did find 5 instances of 4
malware, but not this.

How did the PC get into that state?

No virus checker?
 
Per mm:

How did the PC get into that state?

No virus checker?

It's a friend's. I think she had a virus checker, but it's only worked
for 10 minutes since I got it and I didn't have time to look.

I suspected and Rafters says that the first malware may have brought
in the others.
 
Per mm:
It's a friend's. I think she had a virus checker, but it's only worked
for 10 minutes since I got it and I didn't have time to look.

I suspected and Rafters says that the first malware may have brought
in the others.

Thanks.

Another possibility - one that I had happen with a family
member's PC - is that the user clicks the wrong button when a
virus alert pops up.

Now I look for a "Don't allow accepting any suspicious stuff
anywhere any time" option in the virus checker and enable it if
it's available.
 
Assuming the machine uses a standard XP MBR, that should do it (for the
MBR).

Also assuming that Kaspersky was thorough with dealing with malware
*files*. As Dustin pointed out, a malicious sys file being executed
after the MBR etc...hands off to the OS could revert you back to square
one.

Some rootkits might write the displaced MBR code directly to the
harddrive (not in a *file*), but I'm not sure which ones do this (as I
recall, TDSS is a "family" name). Anyway, any such hidden code would be
neutered, as an active component would be needed in order to access it.


I'm thinking that they mean the "database" - not the program per se. I'm
sure they realize that a database a week old may prove useless for many
users (malware is a fast-paced business).
Okay.

Yes, that's how it works with worms and viruses. Are we talking about
'Rootkit.win32.TDSS.mbr' specifically

No. Just a general question. I wrote these three questions before
Kaspersky found that one.
(which is neither worm nor virus,
but a rootkit in support of related malware), or the varied and sundry
malware collection? It might be worthwhile to mention that some malware
components can be dropped by other unrelated malware and when executing
can in turn bring in more unrelated malware.

Yes, that's well worth mentioning, because afaik, I started with two
instances of one thing, and yesterday I had 15 or 20 different kinds
of malware.** I suspected it wasn't a coincidence.

**Not sure how many I have now.
(all of which, if "known", Kaspersky should be capable of dealing with)


Yes, most people like to have them on read-only media, I think they're
just saying that you should create *fresh* read-only media from an
updated "database" if you insist on using read-only (Write Once Read
Many) media. The whole idea is to not be executing malware while
rescuing a system. If the malware isn't executing, it won't "spread" to
the read/write media (although one might inadvertently copy some
components there).

Okay, good. So far they all download updates, added virus
definitions. Panda took an hour to do that, fwiw, but I had plenty
else to do while waiting.
I don't know, but I assume that is correct.


Yes, I would think so, that is if those people desire to do an
unattended scan. Many people like to take advantage of the ability for a
scanner to operate in the background on a schedule while they continue
to work on other computer tasks, maybe that is why it is the default.

...although, on a rescue CD, I don't really see the point. I would much
rather check a log at the end of the scan.

That being said, that's not how I use my resident and on-demand
scanners. I have Avira active and ClamWin doing an on-demand scan, every
file ClamWin accesses gets scanned also (on-access) by Avira. Twice the
fun when my malware directory gets scanned.


According to my unique definition of "heavily infected" none of this
should be done.

Flatten/Rebuild!

If that's not an option, you seem to be on the right track (but do back
ups first, and convince the user of the importance of doing them). Next
time, Flatten/Rebuild would be the easier option.


It's just a place that malware can hide, you would think that an
on-access scanner would be able to catch such when they are expanded as
a matter of course (provided it is 'looking' at the time, which might
not be the case).
Thanks,

And thanks a lot for the whole post
 
I'll go read that.


Hey, this is a Dell, and I've been trying elsewhere to find out if it
has a recovery partition or not. Do you know how I can tell?

Oops, sorry. It's an HP Mini 1000, not a Dell, but I suppose if Dell
uses the MBR to get to a recovery partition, HP might also.
 
mm said:
On Thu, 7 Oct 2010 08:21:33 -0400, "FromTheRafters" [...]
It's just a place that malware can hide, you would think that an
on-access scanner would be able to catch such when they are expanded
as
a matter of course (provided it is 'looking' at the time, which might
not be the case).
Thanks,

And thanks a lot for the whole post

You're welcome, and good luck.
 
I don't know what you mean by your last step Is there only one .sys
driver file there and how do I newter it? Rename it?

I was being funny; neuter as in; snip snip.. er, delete the file. <G>
So AVG and Bit Defender and Panda didnt' find this MBR problem.
That doesn't mean it's not there, right? Just that Kaspersky is
better on mbr's?

Hmm; I'm wondering if kaspersky is false alarming. Is it still
reporting a problem with updates?
I haven't linked this friend's computer to my network, so I'm okay
then? It's just plugged into the same router at the same time. So
far I've only plugged in one at a time.

As long as this computer hasn't made hex with removable media and then
your other computer read it with autorun enabled. :) Your router allows
the computers to talk to one another. If they are at least both windows
XP; they'll start sharing some things as soon as they see each other.
Actually, I'm trying to make it work but I don't even have a home
network. I have the wireless router and two computerss (one in the
basement) but I can't get them to see each other, even though they
both are connected to the DSL. Are they save from each other's
viruses.

This really isn't the newsgroup for network questions.
 
Just type fixmbr. If you don't get that message about being a non-
standard boot record, then you should be OK. If you do get the message,
then it's your gamble from there... :-)

Thanks for replying.

After running Panda, then Kaspersky, then BitDefender, then AVG again,
then PCTOOLS, all boot rescue CDs, and deleting 16, 36, 5, zero, and
zero files respectively (and only leaving that MBR problem in place),
I decided it was time to try to start Windows again.

There may well be a problem with the MBR, but it does find Windows
(XP), which first has trouble with svchost.exe, which I assume has to
do with Services and must be important. Anyhow, I pick a
persona/logon and it starts to run, and immediately it goes back to
the Choose Personal screen. I think I may have deleted one too many
files, or maybe two! (Even though I looked at all the names before
deleting anything) So now I've got the reinstallation CD that came
with the HP netbook, and I have assembled a USB CD drive, and I'm
going to try to repair Windows, and worry about the MBR later.

I also found some software like mbr.exe which is supposed to verify
and even repair the MBR. I could use fixboot to repair, but I want to
see what mbr.exe says first.

I also have TDSSKiller and RKUnhookedLE, which may help here, but
first I want to get windows working. Oh, there was that Drivers.sys
issue. I have to ask about that.
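Two questions in this thread come down to reading sector 0 of the disk: earlier, how to tell whether the HP has a recovery partition, and here, what an MBR verifier like the mbr.exe mentioned above would actually check. The following is an added example, not code from the thread or from any of the tools named in it. It decodes a 512-byte MBR image: signature, disk signature, the four partition slots (flagging type IDs that vendors have used for recovery or diagnostic partitions), and a hash of the 440-byte boot-code region to compare against a hash you trust. The sample MBR, its "known-good" boot code and the tampered variant are all constructed; none of it is Microsoft's or a real bootkit's code.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE = slice(0, 440)   # executable code; 440-443 disk signature, 444-445 reserved
PTABLE = 446               # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # bytes 510-511

# Partition type IDs that vendors have used for recovery or diagnostic
# partitions (a partial list from the conventional MBR type table).
RECOVERY_TYPES = {
    0x12: "Compaq/HP diagnostics",
    0x27: "hidden NTFS (Windows RE / vendor recovery)",
    0xDE: "Dell Utility",
}


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR: signature check, boot-code hash, disk
    signature and the partition table (empty slots are dropped)."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PTABLE + 16 * i)
        if ptype == 0:
            continue
        parts.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "recovery_hint": RECOVERY_TYPES.get(ptype),
        })
    return {
        "valid_signature": sector[510:512] == SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[BOOTCODE]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
    }


def bootcode_is_known(sector: bytes, known_hashes: set) -> bool:
    """True if the first 440 bytes match a boot-code hash you trust (e.g. one
    taken from a clean install of the same OS). FixMBR rewrites only this
    region; the partition table and disk signature are left alone."""
    return parse_mbr(sector)["bootcode_sha256"] in known_hashes


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed MBR: a Dell Utility partition in slot 0 and a bootable NTFS
    partition in slot 1. Geometry values are made up."""
    sector = bytearray(SECTOR)
    sector[0:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, 440, 0x1234ABCD)
    struct.pack_into("<B3sB3sII", sector, PTABLE, 0x00, b"\0\0\0", 0xDE, b"\0\0\0", 63, 80262)
    struct.pack_into("<B3sB3sII", sector, PTABLE + 16, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 80325, 1_000_000)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Stand-in for a known-good boot loader. NOT Microsoft's code: a plausible
# prologue padded with NOPs so the hash comparison has something to bite on.
KNOWN_GOOD_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 431
KNOWN_GOOD_HASHES = {hashlib.sha256(KNOWN_GOOD_CODE).hexdigest()}


def demo():
    """Return (clean, tampered) sectors. The tampered copy keeps the partition
    table intact but patches the first bytes of the code, which is the shape
    of an MBR infection: the disk still boots and the table still looks normal."""
    clean = build_sample_mbr(KNOWN_GOOD_CODE)
    tampered = bytearray(clean)
    tampered[0:4] = b"\xeb\x3c\x90\x90"   # constructed patch, not a real payload
    return clean, bytes(tampered)


if __name__ == "__main__":
    clean, tampered = demo()
    print(parse_mbr(clean))
    print("clean boot code known:", bootcode_is_known(clean, KNOWN_GOOD_HASHES))
    print("tampered boot code known:", bootcode_is_known(tampered, KNOWN_GOOD_HASHES))
```

To get the sector from the laptop, boot the rescue environment and read the first 512 bytes of the disk; with GNU dd that is `dd if=/dev/sda bs=512 count=1 of=mbr.bin` (device name assumed). A recovery partition shows up as an extra slot, often with one of the vendor type IDs, and a vendor that chains into it from the boot code will have code that differs from the stock loader, which is what the "non-standard boot record" warning described above is reacting to and what FixMBR would overwrite. The caveat from earlier in the thread still applies: a rootkit can keep its real body in raw sectors outside any partition, so a sector 0 that hashes clean does not by itself prove the disk is clean.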
 
I was being funny; neuter as in; snip snip.. er, delete the file. <G>

I get neuter, haha, but I still don't understand. Am I supposed to do
something to the driver folder or one of the driver files? You
mentioned it twice, so I figure it's important!

Hmm; I'm wondering if kaspersky is false alarming. Is it still
reporting a problem with updates?

Not Kaspersky. Wasn't that AVG from the flashdrive? I haven't tried
that again since I assembled a USB CD drive.** But I have used the
AVG rescue boot CD and that worked.

**For 20 dollars, no charge for shipping, I got the RCW618 by
Rosewill, at Newegg. It will connect a SATA/Pata hd to or CD/DVD
drive to a USB or SATA port on the PC. It's really versatile and has
been working just fine. Some people say the included SATA cable is
bad, but one can replace it with his own.
As long as this computer hasn't made hex with removable media and then
your other computer read it with autorun enabled. :) Your router allows
the computers to talk to one another. If they are at least both windows
XP; they'll start sharing some things as soon as they see each other.

I don't think they see each other yet, but since I've stopped running
AV for a while, I won't have to update from the net for a while.

My basement and upstairs computers see each other partially some of
the time, but neither has malware yet.
This really isn't the newsgroup for network questions.

Yes of course.
 
Dustin said:
Hmm; I'm wondering if kaspersky is false alarming. Is it still
reporting a problem with updates?

[...]

If Kaspersky is false alarming on a standard MBR, that would be very
embarrassing for them, and I suspect more than one person would be here
asking about it. Even fairly common non-standard MBR's should have been
vetted by the QC process.
 
From: "mm" <[email protected]>


| I get neuter, haha, but I still don't understand. Am I supposed to do
| something to the driver folder or one of the driver files? YOu
| mentioned it twice, so I figure it's important!


| Not Kaspersky. Wasn't that AVG from the flashdrive? I haven't tried
| that again since I assembled a USB CD drive.** But I have used the
| AVG rescue boot CD and that worked.

| **For 20 dollars, no charge for shipping, I got the RCW618 by
| Rosewill, at Newegg. It will connect a SATA/PATA hd or CD/DVD
| drive to a USB or SATA port on the PC. It's really versatile and has
| been working just fine. Some people say the included SATA cable is
| bad, but one can replace it with his own.

< snip >

I have a similar device.

You said... "SATA/PATA hd or CD/DVD drive to a USB or SATA port on the PC."

Does it connect to a SATA port on the PC or an eSATA port on the PC?

BTW: When I use such a device, and remove a hard disk from an affected computer, and
place it on a different computer I will usually call the secondary computer a "surrogate"
PC.
 
From: "mm" <[email protected]>



| I get neuter, haha, but I still don't understand. Am I supposed to do
| something to the driver folder or one of the driver files? YOu
| mentioned it twice, so I figure it's important!



| Not Kaspersky. Wasn't that AVG from the flashdrive? I haven't tried
| that again since I assembled a USB CD drive.** But I have used the
| AVG rescue boot CD and that worked.

| **For 20 dollars, no charge for shipping, I got the RCW618 by
| Rosewill, at Newegg. It will connect a SATA/PATA hd or CD/DVD
| drive to a USB or SATA port on the PC. It's really versatile and has
| been working just fine. Some people say the included SATA cable is
| bad, but one can replace it with his own.

< snip >

I have a similar device.

You said... "SATA/PATA hd or CD/DVD drive to a USB or SATA port on the PC."

Does it connect to a SATA port on the PC or an eSATA port on the PC?

Well, I don't know much about SATA yet, but it has an L shaped
connector slot on both ends of the included cable. That means SATA
iiuc, right?
BTW: When I use such a device, and remove a hard disk from an affected computer, and
place it on a different computer I will usually call the secondary computer a "surrogate"
PC.

Good to know.
 