A Windows 98 & ME forum. Win98banter

reoccurring viruses



 
 
#51
February 1st 05, 11:00 AM
oops!!

Jack,

Again, I have no knowledge of how it happens exactly, but do know how to
avoid it, probably a better wording would be workaround it.

Again, we agree SR is extremely useful.

Again, we agree we disagree on the cleanup procedure.

Good enough for me.

Thank you for caring.

Cheers!

Zee


"Jack E Martinelli" wrote in message
...
In this immediate case, I agree with Noel.
His "memory-resident checker" is what I called my "tickler file".
These possibly very hidden files, which restore the active mal-actor on
reboot, do not involve SR in any way.

This conversation raises an interesting issue, however.
I suspect only Mike M may know the answer:

Are there any non-MS, non-SR tools which could detect a potential virus in
one of the two SR file types, the *.CPY or the *.CAB files, and restore
(decompress) them to an active agent?
If so, I am not aware of any. That doesn't mean that some bad actor could
not invent or usurp some.

What about it, Mike?

However, Zee, your described situation does not necessarily implicate any SR
infected files in the virus restoration axis, IMO.
It is more likely consistent with my "tickler file", aka, Noel's
"memory-resident checker" file.
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"oops!!" wrote in message
...

I have no problems admitting my ignorance of how that malware works.

However I do not ignore the steps necessary to reach the cure in an
effective and predictable way.

Something that many people consider slightly more important.

Zee


"Mike M" wrote in message
...
Clearly ignorance is showing its head here Noel. Before condemning system
restore Zee ought to learn a little about viruses and the mechanisms they
use. Until he looks at the problem logically, something he appears to
have failed to do to date, and carefully considers and understands the
consequences to the end user of disabling system restore and then
(accidentally) trashing their system whilst attempting to rid their system
of malware there is little point in continuing.
--
Mike Maltby MS-MVP


Noel Paton wrote:

That is pure bull - the fact is that there is a memory-resident
checker present, which reinstalls the infection on the
shutdown/restart cycle - it has NOTHING WHATEVER to do with System
Restore, unless you actually use SR to restore the system.


#52
February 1st 05, 02:13 PM
Jack E Martinelli

I would be very interested in hearing from you, or anyone, about any viruses
which appear to reside ONLY in the SR archive, and which are reactivated on
reboot.

If so, then we can ask the spooks at one or more of the AV organizations to
tell us how the reactivation works.
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"oops!!" wrote in message
...

Jack,

Again, I have no knowledge of how it happens exactly, but do know how to
avoid it, probably a better wording would be workaround it.

Again, we agree SR is extremely useful.

Again, we agree we disagree on the cleanup procedure.

Good enough for me.

Thank you for caring.

Cheers!

Zee




"Jack E Martinelli" wrote in message
...
In this immediate case, I agree with Noel.
His "memory-resident checker" is what I called my "tickler file".
These possibly very hidden files, which restore the active mal-actor on
reboot, do not involve SR in any way.

This conversation raises an interesting issue, however.
I suspect only Mike M may know the answer:

Are there any non-MS, non-SR tools which could detect a potential virus in
one of the two SR file types, the *.CPY or the *.CAB files, and restore
(decompress) them to an active agent?
If so, I am not aware of any. That doesn't mean that some bad actor could
not invent or usurp some.

What about it, Mike?

However, Zee, your described situation does not necessarily implicate any SR
infected files in the virus restoration axis, IMO.
It is more likely consistent with my "tickler file", aka, Noel's
"memory-resident checker" file.
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"oops!!" wrote in message
...

I have no problems admitting my ignorance of how that malware works.

However I do not ignore the steps necessary to reach the cure in an
effective and predictable way.

Something that many people consider slightly more important.

Zee




"Mike M" wrote in message
...
Clearly ignorance is showing its head here Noel. Before condemning system
restore Zee ought to learn a little about viruses and the mechanisms they
use. Until he looks at the problem logically, something he appears to
have failed to do to date, and carefully considers and understands the
consequences to the end user of disabling system restore and then
(accidentally) trashing their system whilst attempting to rid their system
of malware there is little point in continuing.
--
Mike Maltby MS-MVP



Noel Paton wrote:

That is pure bull - the fact is that there is a memory-resident
checker present, which reinstalls the infection on the
shutdown/restart cycle - it has NOTHING WHATEVER to do with System
Restore, unless you actually use SR to restore the system.







#53
February 1st 05, 02:25 PM
Mike M

I think you will be waiting for a long time Jack. None exist at the
moment and I doubt that any ever will for Win Me, being end of line,
although it is just possible that something might be designed for XP
HOWEVER the simple act of "reactivation" means that the system was never
cleaned in the first place therefore once again system restore is
irrelevant to the problem.
--
Mike Maltby MS-MVP



Jack E Martinelli wrote:

I would be very interested in hearing from you, or anyone, about any
viruses which appear to reside ONLY in the SR archive, and which are
reactivated on reboot.

If so, then we can ask the spooks at one or more of the AV
organizations to tell us how the reactivation works.


#54
February 2nd 05, 01:14 PM
Jack E Martinelli

I can imagine a situation in which a piece of code, not in itself malicious,
restores some bit of malware from a hidden file, in the SR archive or not.
Reasonable people might disagree as to whether the first piece is properly
called a "virus". IMO, it is properly deemed such, as it leads (can lead)
to a malicious result. IOW, two, or more, separate pieces of code can be
deemed a single "virus".
The failure of any AV tool to detect and remove all such code is a "failure
to fully clean", IMO.
OTOH, failure to remove detected code from the SR archives is irrelevant.
I think we agree about this.

However, Zee appears to think a virus in the SR archive can be reactivated
on reboot without an external agent. I am not aware that this can be done.
I think you agree also.

If I understand him, Zee admits to not knowing how this reactivation can be
done. I am not sure that it has been reported that it can be done anywhere
in these Millennium ng's. IMO, constant redetection of the virus in the
(uncleaned) SR archive does not constitute such a claim, since the malware
cannot execute from there. Perhaps this is the source of the current
disagreement.

HTH,
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"Mike M" wrote in message
...
I think you will be waiting for a long time Jack. None exist at the
moment and I doubt that any ever will for Win Me, being end of line,
although it is just possible that something might be designed for XP
HOWEVER the simple act of "reactivation" means that the system was never
cleaned in the first place therefore once again system restore is
irrelevant to the problem.
--
Mike Maltby MS-MVP



Jack E Martinelli wrote:

I would be very interested in hearing from you, or anyone, about any
viruses which appear to reside ONLY in the SR archive, and which are
reactivated on reboot.

If so, then we can ask the spooks at one or more of the AV
organizations to tell us how the reactivation works.




#55
February 2nd 05, 01:33 PM
Mike M

However, Zee appears to think a virus in the SR archive can be
reactivated on reboot without an external agent.


I feel that Zee would benefit from taking a basic course in logic since
what he suggests is quite illogical. If the start up vector for a virus,
or rather malware since the most difficult to remove tend currently to be
commercial malware (latest versions of VX2, CWS etc), has been removed the
malware is dead regardless of where it might be located - wastebin,
restore archive or system folder. If the startup vector remains then the
virus is still live.

As it is, Zee is propagating ill-informed rumour as fact and thus
potentially encouraging a user to cause as much damage to their system
as any virus.
--
Mike Maltby MS-MVP



Jack E Martinelli wrote:

I can imagine a situation in which a piece of code, not in itself
malicious, restores some bit of malware from a hidden file, in the SR
archive or not. Reasonable people might disagree as to whether the
first piece is properly called a "virus". IMO, it is properly deemed
such, as it leads (can lead) to a malicious result. IOW, two, or
more, separate pieces of code can be deemed a single "virus".
The failure of any AV tool to detect and remove all such code is a
"failure to fully clean", IMO.
OTOH, failure to remove detected code from the SR archives is
irrelevant. I think we agree about this.

However, Zee appears to think a virus in the SR archive can be
reactivated on reboot without an external agent. I am not aware that
this can be done. I think you agree also.

If I understand him, Zee admits to not knowing how this reactivation
can be done. I am not sure that it has been reported that it can be
done anywhere in these Millennium ng's. IMO, constant redetection of
the virus in the (uncleaned) SR archive does not constitute such a
claim, since the malware cannot execute from there. Perhaps this is
the source of the current disagreement.


#56
February 2nd 05, 01:52 PM
oops!!


Jack,

I had decided not to post again in this thread, but your comment tempted
me:

1. Somehow, I'm seeing some thoughts pointing a little bit towards my
ideas.

2. I don't know if the virus or malware is activated from within SR. But
there are some good ideas in these latest posts. The SR external trigger
is interesting.

3. I believe (and I have already done it) turning off SR before
cleansing/scanning is a workaround for that reoccurrence.

4. I also agree, ME is no longer a target, XP will be.

5. The disagreement on turning off or not turning off SR before
cleansing will, of course, persist.

Zee


"Jack E Martinelli" wrote in message
...
I can imagine a situation in which a piece of code, not in itself malicious,
restores some bit of malware from a hidden file, in the SR archive or not.
Reasonable people might disagree as to whether the first piece is properly
called a "virus". IMO, it is properly deemed such, as it leads (can lead)
to a malicious result. IOW, two, or more, separate pieces of code can be
deemed a single "virus".
The failure of any AV tool to detect and remove all such code is a "failure
to fully clean", IMO.
OTOH, failure to remove detected code from the SR archives is irrelevant.
I think we agree about this.

However, Zee appears to think a virus in the SR archive can be reactivated
on reboot without an external agent. I am not aware that this can be done.
I think you agree also.

If I understand him, Zee admits to not knowing how this reactivation can be
done. I am not sure that it has been reported that it can be done anywhere
in these Millennium ng's. IMO, constant redetection of the virus in the
(uncleaned) SR archive does not constitute such a claim, since the malware
cannot execute from there. Perhaps this is the source of the current
disagreement.

HTH,
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"Mike M" wrote in message
...
I think you will be waiting for a long time Jack. None exist at the
moment and I doubt that any ever will for Win Me, being end of line,
although it is just possible that something might be designed for XP
HOWEVER the simple act of "reactivation" means that the system was never
cleaned in the first place therefore once again system restore is
irrelevant to the problem.
--
Mike Maltby MS-MVP


Jack E Martinelli wrote:

I would be very interested in hearing from you, or anyone, about any
viruses which appear to reside ONLY in the SR archive, and which are
reactivated on reboot.

If so, then we can ask the spooks at one or more of the AV
organizations to tell us how the reactivation works.


#57
February 2nd 05, 02:33 PM
Jack E Martinelli

Thank you for your continued interest.
Please see my responses interleaved in the slightly rearranged lists below:

--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"oops!!" wrote in message
...

Jack,

I had decided not to post again in this thread, but your comment tempted me:

1. Somehow, I'm seeing some thoughts pointing a little bit towards my ideas.
***** I am unclear as to what you are referring. I am interested in
continuing a rational discussion about this apparent disagreement.


3. I believe (and I have already done it) turning off SR before
cleansing/scanning is a workaround for that reoccurrence.
**** This is the object of this discussion.

4. I also agree, ME is no longer a target, XP will be.
***** I have no idea how this has entered the discussion. Can we discuss
this later?

5. The disagreement on turning off or not turning off SR before cleansing
will, of course, persist.
****** My intent here is to focus more intently on the apparent, detailed
issues of disagreement, with the notion that the disagreement may not
actually exist.

*****
*****
2. I don't know if the virus or malware is activated from within SR. But
there are some good ideas in these latest posts. The SR external trigger is
interesting.
**** This is the crux of the matter!

Mr. Maltby wrote: " If the start up vector for a virus, or rather malware,
since the most difficult to remove (pests) tend currently to be
commercial malware (latest versions of VX2, CWS etc), has been removed, the
malware is dead, regardless of where it might be
located - wastebin, restore archive or system folder. If the startup vector
remains, then the virus is still live. "

I agree with this perspective, and know of no exception under WinME.


What I would like to see from you next, Zee, is either:

1) a documented case of a virus activating from within the SR archive, with
no external agent, i.e., a "startup vector", reactivating the virus;
2) a logical description of how, under current computer programming, this
might be accomplished for SR under WinME.


TIA for your careful consideration,

END of J E Martinelli response to this post. 2/02/2005


----------

"Jack E Martinelli" wrote in message
...
I can imagine a situation in which a piece of code, not in itself malicious,
restores some bit of malware from a hidden file, in the SR archive or not.
Reasonable people might disagree as to whether the first piece is properly
called a "virus". IMO, it is properly deemed such, as it leads (can lead)
to a malicious result. IOW, two, or more, separate pieces of code can be
deemed a single "virus".
The failure of any AV tool to detect and remove all such code is a "failure
to fully clean", IMO.
OTOH, failure to remove detected code from the SR archives is irrelevant.
I think we agree about this.

However, Zee appears to think a virus in the SR archive can be reactivated
on reboot without an external agent. I am not aware that this can be done.
I think you agree also.

If I understand him, Zee admits to not knowing how this reactivation can be
done. I am not sure that it has been reported that it can be done anywhere
in these Millennium ng's. IMO, constant redetection of the virus in the
(uncleaned) SR archive does not constitute such a claim, since the malware
cannot execute from there. Perhaps this is the source of the current
disagreement.

HTH,
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"Mike M" wrote in message
...
I think you will be waiting for a long time Jack. None exist at the
moment and I doubt that any ever will for Win Me, being end of line,
although it is just possible that something might be designed for XP
HOWEVER the simple act of "reactivation" means that the system was never
cleaned in the first place therefore once again system restore is
irrelevant to the problem.
--
Mike Maltby MS-MVP



Jack E Martinelli wrote:

I would be very interested in hearing from you, or anyone, about any
viruses which appear to reside ONLY in the SR archive, and which are
reactivated on reboot.

If so, then we can ask the spooks at one or more of the AV
organizations to tell us how the reactivation works.






#58
February 2nd 05, 02:55 PM
oops!!


Jack,

Considering my admitted ignorance of how the reoccurrence works, it is
somewhat difficult to answer your queries.

Regarding the basic disagreement, perhaps you should question the
MS-MVP's that proclaim the same procedure.

They will, of course, be on the same level of discussion as you and will
certainly be much more "capable" of explaining it.

I do believe this orange has dried out.

A special thank you for your rational and "cold" approach.

Zee


"Jack E Martinelli" wrote in message
...
Thank you for your continued interest.
Please see my responses interleaved in the slightly rearranged lists
below:

--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"oops!!" wrote in message
...

Jack,

I had decided not to post again in this thread, but your comment
tempted me:

1. Somehow, I'm seeing some thoughts pointing a little bit towards my
ideas.
***** I am unclear as to what you are referring. I am interested in
continuing a rational discussion about this apparent disagreement.


3. I believe (and I have already done it) turning off SR before
cleansing/scanning is a workaround for that reoccurrence.
**** This is the object of this discussion.

4. I also agree, ME is no longer a target, XP will be.
***** I have no idea how this has entered the discussion. Can we discuss
this later?

5. The disagreement on turning off or not turning off SR before cleansing
will, of course, persist.
****** My intent here is to focus more intently on the apparent, detailed
issues of disagreement, with the notion that the disagreement may not
actually exist.

*****
*****
2. I don't know if the virus or malware is activated from within SR. But
there are some good ideas in these latest posts. The SR external trigger is
interesting.
**** This is the crux of the matter!

Mr. Maltby wrote: " If the start up vector for a virus, or rather malware,
since the most difficult to remove (pests) tend currently to be
commercial malware (latest versions of VX2, CWS etc), has been removed, the
malware is dead, regardless of where it might be
located - wastebin, restore archive or system folder. If the startup vector
remains, then the virus is still live. "

I agree with this perspective, and know of no exception under WinME.


What I would like to see from you next, Zee, is either:

1) a documented case of a virus activating from within the SR archive, with
no external agent, i.e., a "startup vector", reactivating the virus;
2) a logical description of how, under current computer programming, this
might be accomplished for SR under WinME.


TIA for your careful consideration,

END of J E Martinelli response to this post. 2/02/2005


----------

"Jack E Martinelli" wrote in message
...
I can imagine a situation in which a piece of code, not in itself malicious,
restores some bit of malware from a hidden file, in the SR archive or not.
Reasonable people might disagree as to whether the first piece is properly
called a "virus". IMO, it is properly deemed such, as it leads (can lead)
to a malicious result. IOW, two, or more, separate pieces of code can be
deemed a single "virus".
The failure of any AV tool to detect and remove all such code is a "failure
to fully clean", IMO.
OTOH, failure to remove detected code from the SR archives is irrelevant.
I think we agree about this.

However, Zee appears to think a virus in the SR archive can be reactivated
on reboot without an external agent. I am not aware that this can be done.
I think you agree also.

If I understand him, Zee admits to not knowing how this reactivation can be
done. I am not sure that it has been reported that it can be done anywhere
in these Millennium ng's. IMO, constant redetection of the virus in the
(uncleaned) SR archive does not constitute such a claim, since the malware
cannot execute from there. Perhaps this is the source of the current
disagreement.

HTH,
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"Mike M" wrote in message
...
I think you will be waiting for a long time Jack. None exist at the
moment and I doubt that any ever will for Win Me, being end of line,
although it is just possible that something might be designed for XP
HOWEVER the simple act of "reactivation" means that the system was never
cleaned in the first place therefore once again system restore is
irrelevant to the problem.
--
Mike Maltby MS-MVP


Jack E Martinelli wrote:

I would be very interested in hearing from you, or anyone, about any
viruses which appear to reside ONLY in the SR archive, and which are
reactivated on reboot.

If so, then we can ask the spooks at one or more of the AV
organizations to tell us how the reactivation works.


#59
February 2nd 05, 03:42 PM
Mike M

1) a documented case of a virus activating from within the SR archive,
with no external agent, i.e., a "startup vector", reactivating the
virus;


Something which logically as well as practically is an impossibility. For
anything, malware or not, to be launched without user interaction requires
a startup vector or instruction in one of a limited number of places and
no part of the restore archive, Win Me or XP, is in that list which is
primarily but not exclusively registry orientated.

2) a logical description of how, under current computer programming,
this might be accomplished for SR under WinME.


You will have a long wait Jack for the same reasons.

In conclusion I pose a question. If a user considers that it is dangerous
to retain the system restore archive whilst cleansing a PC why not also
remove the various backed up copies of the registry in the
windows\sysbckup folder? As I have mentioned, those proposing the
clearing of the restore archive prior to cleansing should consider taking
a basic course in logic.
--
Mike Maltby MS-MVP



"Jack E Martinelli" wrote ...

Mr. Maltby wrote: " If the start up vector for a virus, or rather malware,
since the most difficult to remove (pests) tend currently to be
commercial malware (latest versions of VX2, CWS etc), has been removed, the
malware is dead, regardless of where it might be
located - wastebin, restore archive or system folder. If the startup vector
remains, then the virus is still live. "

I agree with this perspective, and know of no exception under WinME.


What I would like to see from you next, Zee, is either:

1) a documented case of a virus activating from within the SR archive, with
no external agent, i.e., a "startup vector", reactivating the virus;
2) a logical description of how, under current computer programming, this
might be accomplished for SR under WinME.
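Mike's point above, that anything launched at boot needs a startup vector in one of a limited, mostly registry-based set of locations, is something a defender can check directly rather than argue about. The script below is an added example and is not code from anyone in this thread. It reads a REGEDIT4 export (the text format Windows 9x/ME regedit produces) and a win.ini, both passed in as strings so it runs offline on copies taken from the machine, and lists every command found in the classic Win9x/ME autostart locations: the HKLM/HKCU Run, RunOnce, RunServices and RunServicesOnce keys and the win.ini load=/run= lines. The embedded sample export and win.ini are constructed; C:\WINDOWS\TEMP\EXAMPLE.EXE is a placeholder for an unknown program, not a real indicator. Other autostart locations (the Startup folder, system.ini shell=, autoexec.bat, and so on) are deliberately left out, so its output is a starting point, not a complete audit.

```python
"""List Windows 9x/ME startup vectors from a REGEDIT4 export and win.ini.

Added example (not from the thread). Everything it reads is passed in as
text, so it can run offline on files copied off the machine in question.
"""
import re
from typing import List, Optional, Tuple

# Classic Win9x/ME autostart keys: the "limited number of places" a startup
# vector can sit. The System Restore archive is not among them.
AUTOSTART_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]
_AUTOSTART = {k.lower() for k in AUTOSTART_KEYS}

# "Name"="value" or @="value" lines; hex:/dword: values leave group 2 empty.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(?:"((?:[^"\\]|\\.)*)")?')


def _unescape(s: str) -> str:
    # Undo .reg escaping (doubled backslash, backslash-escaped quote).
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_strings(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, string_value) for every REG_SZ in the export."""
    entries = []
    key: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:
            continue  # header line such as REGEDIT4
        m = _VALUE_RE.match(line)
        if m is None or m.group(2) is None:
            continue  # not a string value
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        entries.append((key, name, _unescape(m.group(2))))
    return entries


def parse_win_ini_run(ini_text: str) -> List[Tuple[str, str]]:
    """Return non-empty load=/run= lines from the [windows] section of win.ini."""
    section = None
    found = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.lower() in ("load", "run") and value:
            found.append((name.lower(), value))
    return found


def find_startup_vectors(reg_text: str,
                         win_ini_text: str = "") -> List[Tuple[str, str, str]]:
    """Every (location, name, command) that Windows would launch at startup."""
    vectors = [
        (key, name, value)
        for key, name, value in parse_reg_strings(reg_text)
        if key.lower() in _AUTOSTART and value.strip()
    ]
    for name, value in parse_win_ini_run(win_ini_text):
        vectors.append(("win.ini [windows]", name, value))
    return vectors


# Constructed sample export: ScanRegistry is a normal Win9x/ME entry; the
# EXAMPLE.EXE entries are placeholders standing in for an unknown program.
# The Uninstall key shows that a path outside an autostart key is ignored.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SysCheck"="C:\\WINDOWS\\TEMP\\EXAMPLE.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example App"
"UninstallString"="C:\\WINDOWS\\TEMP\\EXAMPLE.EXE /uninstall"
"""

# Constructed sample win.ini: an empty load= is not a vector, run= is.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\TEMP\\EXAMPLE.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for location, name, command in find_startup_vectors(SAMPLE_REG, SAMPLE_WIN_INI):
        print(f"{location}\n    {name} = {command}")
```

Run on the samples it reports the two Run-key entries and the win.ini run= line and nothing else; the same idea applies to a real export made with regedit's Export option. A command that points into the restore archive would show up here just like any other, which is the whole point: it is the autostart entry, not the archived copy, that keeps the malware alive.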


#60
February 3rd 05, 12:37 AM
Rick T

oops!! wrote:
Jack,

I had decided not to post again in this thread, but your comment tempted me:

1. Somehow, I'm seeing some thoughts pointing a little bit towards my ideas.

2. I don't know if the virus or malware is activated from within SR. But there are some good ideas in these latest posts. The SR external trigger is interesting.

3. I believe (and I have already done it) turning off SR before cleansing/scanning is a workaround for that reoccurrence.

4. I also agree, ME is no longer a target, XP will be.

5. The disagreement on turning off or not turning off SR before cleansing will, of course, persist.


While not claiming to be an expert in such matters a couple things occur
to me...

If a virus is in the SR folders, it's not going to start unless either:

a) an external virus component retrieves it, or
b) SR retrieves it

"a" means your AV obviously hasn't done its job since it's left behind
a bootstrap. Hopefully a more recent AV patch will take care of that.

"b" also means your AV hasn't done its job since it hasn't been able to
convince SR that things are OK or set an SR point after cleansing.
Sounds like it's time for another AV.



Rick
 



