Do I have a virus?

Discussion in 'Virus Information' started by Øyvind Granberg, Nov 9, 2008.

  1. Øyvind Granberg

    ~BD~ Guest

    ~BD~, Nov 12, 2008
    1. Advertisements

  2. Øyvind Granberg

    ~BD~ Guest

    Thank you for explaining in more detail, FTR. :))

    I've subsequently spent much time today 'Googling' - and learning new

    Now I'm wondering if there is some way that I could read the 'instructions'
    stored in the EEPROM - BIOS chip in my previous vocabulary (!). Perhaps you
    will advise if this is possible and, if so, just how I may do so.

    I really do appreciate you helping me to understand these matters. Thanks


    ~BD~, Nov 12, 2008
    1. Advertisements

  3. Øyvind Granberg

    ~BD~ Guest

    Might not the required malicious code be introduced to a machine via a
    'set-up' CD (or even a floppy disk) which has been 'doctored' shall I say?
    Or maybe a programme deliberately and conciously downloaded and installed by
    the user, albeit unwittingly?

    I note your precision, Pete - and I unreservedly apologise for my doubts.
    I'm sorry and trust you will forgive me.

    I have been trying to remember if I have ever seen folk visiting 'help'
    forums being given 'advice' on cleaning data which is *not* on their hard

    I must have seen reference to clearing the CMOS because I can remember
    carrying out the instructions set out here (or similar!)

    It is quite some time since I've done so - I ended up scraping my previous
    machine because I was convinced that a 'gremlin' remained within it!

    Indeed it seems so! Now I feel somewhat foolish. :(

    I accept that Pete's statement is correct.

    I confess, though, that I am not sure what was/is meant by "bringing back
    any programs from outside of the known good media". Further advice would be

    From what you have said (and reading between the lines for me!) all the work
    carried out to 'clean' a hard disk *could* be rendered useless if action is
    not taken to flash the EEPROM as well.

    A question though. If a machine is infected in this way, is it not possible
    that in trying to use same to obtain replacement BIOS information,
    redirection to a 'spoof' site might occur? Would you recommend obtaining the
    up-to-date BIOS details from a known clean machine? (i.e. not use the
    infected machine at all).

    I'm not sure if you meant this as a serious question but, as a start, it
    could be mentioned by all the 'resident' advisers here on the Microsoft
    security newsgroups (folk like Robear Dyer, David H Lipman, Malke and Frank
    Saunders - to name a few) at the time when they recommend folk visit the
    'expert' forums.

    My expertise in code-breaking has lapsed somewhat, Pete. Will you share with
    me the significance of your signature block? ;)

    Bless you


    ~BD~, Nov 12, 2008
  4. Øyvind Granberg

    1PW Guest

    Unreservedly, yes. Healthy skepticism is your best friend at this
    point. A good technician would have vetted their own tools before using
    them on a client's system.
    Healthy doubts are your best ally. No apology is required at all.
    Now, replace that feeling with the knowledge that you've gained. FTR,
    David H. Lipman, Malke and others are a wonderful source of knowledge
    and experience.
    The statement is slightly inaccurate. Anything brought back to the
    subject PC must be done /through/ known good media. All reasonable
    steps must be taken to vet the process. MD5 checksums are certainly one
    of them. Re-installing from the provider's media is another. "Here
    there be dragons!"
    Perhaps this step can be bypassed if an investigation shows that the
    infection(s) was/were limited to the hard disk drive(s).

    Your point is not lost on me. However, the bad guy must have written
    effective code and that code needs to accomplishes many clever things.

    This would need to be done with practical knowledge of /that/
    system's architecture and BIOS and/or CMOS. Very challenging indeed.
    The manufacturer's site is probably the best source. The extra benefit
    might be an updated BIOS.
    They hide their candles. Amongst our peers they *are* our experts.
    Now that you are one of the experts, you may contribute from a point of
    experience and authority.
    The "From" address is ROT13 encoded and the one a few lines above is a
    ROT47 encode. Both are meant to increase the degree of difficulty for
    harvesters and are an email address I use to divert scams and phishing
    messages to. However, I do check it frequently for content.
    Peace be with you Dave.
    1PW, Nov 13, 2008
  5. Yeah, chances are if such a method were used it would be for a very
    specific target.
    ....but because it is only *most* and not *all*, TPM becomes necessary.
    Anything worth doing, is worth doing right.
    (I didn't say that - someone else did, maybe it was that Greek fella ~
    Thanks, and with you as well.
    FromTheRafters, Nov 13, 2008
  6. I confess, though, that I am not sure what was/is meant by "bringing back
    He basically stipulated that the rebuild part was done without malware.
    He defined what wasn't being put back on (malware) by stating that
    what *was* being put back on was indeed clean (known good).

    Your favorite gizmos, gadgets, widgets, and gewgaws probably are
    not on the known good installation media. You want them back, so
    you get them from your backups -- it's "here be dragons" time.

    No, not useless - just incomplete. Would you be satisfied if the procedure
    only disabled the malware? Or if it only removed some of it? How about
    if it completely removes it but does nothing to correct whatever corruption
    the malware caused? To me, I would want a flatten and rebuild to get me
    back to a normal state - no ifs ands or buts. Most people have just been
    ignoring the off disk code being loaded during boot because it has always
    been assumed there is not enough room for any meaningful code to hide
    there. Now the 'room' is expanding and it appears the meaningful code
    can be made smaller - or rather the scope of 'meaningful' has shrunk.
    The affected machine shouldn't be on a network of any kind.
    Contact the manufacturer(s) of the motherboard (or otherboards) to
    get the firmware reflashed with the correct code.

    Is this guaranteed 100% malware free you ask??

    Interesting point - if it never happened, they wouldn't need to do this:

    Whisper it in the streets...if you shout it from the rooftops they'll put
    you in the loony-bin.

    (My apology in advance to anyone with a loony second ex-great
    stepuncle-in-law twice removed who gets offended by my statement)

    FromTheRafters, Nov 13, 2008
  7. [snippers gone wild]

    "On 11/12/2008 03:19 PM, ~BD~ sent:

    Yes, but this is where flatten and rebuild *instead* of using malware
    detection and removal tools - fails.

    Hypothetical situation.

    1) I've got 'I don't know what' malware on my system.
    2) I'm told 'flatten and rebuild' is the expedient and only 100% sure way.
    3) Been there - done that - but now when I boot it freezes with a very
    colorful ribbon pattern on the screen just after POST.
    FromTheRafters, Nov 13, 2008
  8. From: "FromTheRafters" <>

    Please stop engaging this troll. You are only filling his head with ideas he does NOT

    He has already replied to a DNSChanger trojan post with...
    "My subsequent discussions now lead me to believe that one needs to clear the
    CMOS and probably flash the BIOS too if one wants to be sure of a clean

    Pure FUD.
    David H. Lipman, Nov 13, 2008
  9. You're welcome.
    It is possible - I don't know exactly how. But just like the MBR,
    it is far easier to just overwrite it than it is to inspect it to determine
    if it is authentic.
    FromTheRafters, Nov 13, 2008
  10. Sorry, I guess it *is* a little like handing a kid a loaded gun.
    FromTheRafters, Nov 13, 2008
  11. OK, this thread has been going for a while so I guess the big question is
    "Is there a definitive procedure(s) for getting rid of malware? I guess the
    answer is no!

    Bill Ridgeway
    Bill Ridgeway, Nov 13, 2008
  12. Sure, use the tools available to identify the culprit, follow the manual
    removal instructions for the identified malware.

    For those items where there is no identification or removal instructions,
    use the methods (or similar) outlined in the video:

    Advanced Malware Removal
    -Mark Russinovich
    Down near the bottom.
    FromTheRafters, Nov 14, 2008
  13. Øyvind Granberg

    ~BD~ Guest

    I'd love to be able to watch the video, especially as it features Mark
    Russinovich (with whom I worked directly, by email, trying to identify a
    rootkit on my previous machine. It was over two years ago, before he joined

    However, I'm told "Microsoft Silverlight is not supported on your computer.
    Your CPU does not support the SSE instruction set which is required by

    1.20 gigahertz AMD Athlon
    128 kilobyte primary memory cache
    256 kilobyte secondary memory cache

    Am I alone in this regard? Will someone please explain? Is there an
    alternative way to view? In anticipation ....... Thank you!


    ~BD~, Nov 14, 2008
  14. Øyvind Granberg

    ~BD~ Guest

    I've no recollection of ever experiencing 3) FTR!

    Perhaps that's something to which I may look forward? ;)


    ~BD~, Nov 14, 2008
  15. Advanced Malware Removal
    I looked around the first time you asked, didn't find anything except
    the PowerPoint presentation slides he used in the video. :eek:(

    It's like a wish sandwich - bread but no meat - without the speaker.

    Go to another computer, like in a public library (if you're not banned)
    ....and view it there. It is not a short video, so be prepared.
    FromTheRafters, Nov 14, 2008
  16. Øyvind Granberg

    ~BD~ Guest

    I very much appreciate that, FTR - thank you!

    Good idea. Another thank you!

    I did spend some time looking for and reading about 'the SSE instruction
    set'. My conclusion was that it's high time I invested in a new machine. ;)


    ~BD~, Nov 14, 2008
  17. Øyvind Granberg

    RJK Guest

    Hello David,

    I'm having my speech synthesizer read out this entire thread, and thought
    you might like to know that I have chosen a "helium" voice for ~BD~ :)

    ....just kidding !

    regards, Richard
    RJK, Nov 14, 2008
    up rooted Snow Bunny, Jan 29, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.