A Windows 98 & ME forum. Win98banter

reoccurring viruses
#61
February 3rd 05, 03:07 PM
Jack E Martinelli

Well, we appear to be in quite a similar place despite a disagreement about
the advisability of disabling SR prior to running an AV scan, or other
maintenance tasks.
In short, neither of us knows enough about programming to imagine how the
machine could be reinfected with a virus from the SR archive, or any other
store on the machine, unless a malevolent software agent remains to do such
restoration. Most of us here are agreed that such an agent is indeed a
"virus", and, in this case, the "virus" has not been "cleansed" by the AV
tool.

Please see my most recent posts to Mike Maltby and Rick T, where each
describes this exact situation, and with which I agree.
I think we, but not you, are agreed that there is no method by which the SR
archive, the registry backups, or other stores, can be used to reinfect,
UNLESS this external agent, aka, "memory-resident checker", "startup
vector", "bootstrap", or "tickler file" EXISTS even after AV scanning. This
is a failure of the AV tool, not a failure of the SR system tool.

You are unable to explain how this reinfection from the SR archive can occur
without such an external agent. We think it cannot, ... and, for that
reason, we think that disabling SR is ill-advised, esp. for any casual,
naive user who might be incapable of fixing the system later without the SR
tool and its previous archives.
To us, this position is most reasonable. A better AV tool is needed, not
the disabling of SR.


I especially thank you for your very courteous replies to me, and your
willingness to engage in this most interesting discussion.
I think any casual reader will learn a lot from this thread, both about the
technical details of SR and, perhaps more importantly, about how to engage
in a newsgroup discussion without devolving to any emotional, personal
attacks. As I said earlier, we hope to be civil here no matter how heated
any disagreements. Some of us here are less than ten years old, but we try
to act like "grownups" all the time.

Thank you for the fun, and ...
Till we meet again,
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"oops!!" wrote in message
...

Jack,

Considering my admitted ignorance of how the reoccurrence works, it is
somewhat difficult to answer your queries.

Regarding the basic disagreement, perhaps you should question the MS-MVP's
that proclaim the same procedure.

They will, of course, be on the same level of discussion as you and will
certainly be much more "capable" of explaining it.

I do believe this orange has dried out.

A special thank you for your rational and "cold" approach.

Zee




"Jack E Martinelli" wrote in message
...
Thank you for your continued interest.
Please see my responses interleaved in the slightly rearranged lists below:

--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
------
"oops!!" wrote in message
...

Jack,

I had decided not to post again in this thread, but your comment tempted me:

1. Somehow, I'm seeing some thoughts pointing a little bit towards my ideas.
***** I am unclear as to what you are referring. I am interested in
continuing a rational discussion about this apparent disagreement.


3. I believe (and I have already done it) turning off SR before
cleansing/scanning is a workaround for that reoccurrence.
**** This is the object of this discussion.

4. I also agree, ME is no longer a target, XP will be.
***** I have no idea how this has entered the discussion. Can we discuss
this later?

5. The disagreement on turning off or not turning off SR before cleansing
will, of course, persist.
****** My intent here is to focus more intently on the apparent, detailed
issues of disagreement, with the notion that the disagreement may not
actually exist.

*****
*****
2. I don't know if the virus or malware is activated from within SR. But
there are some good ideas in these latest posts. The SR external trigger is
interesting.
**** This is the crux of the matter!

Mr. Maltby wrote: "If the start up vector for a virus, or rather malware,
since the most difficult to remove (pests) tend currently to be
commercial malware (latest versions of VX2, CWS etc), has been removed, the
malware is dead, regardless of where it might be
located - wastebin, restore archive or system folder. If the startup vector
remains, then the virus is still live."

I agree with this perspective, and know of no exception under WinME.


What I would like to see from you next, Zee, is either:

1) a documented case of a virus activating from within the SR archive, with
no external agent, i.e., a "startup vector", reactivating the virus;
2) a logical description of how, under current computer programming, this
might be accomplished for SR under WinME.


TIA for your careful consideration,

END of J E Martinelli response to this post. 2/02/2005


----------

"Jack E Martinelli" wrote in message
...
I can imagine a situation in which a piece of code, not in itself malicious,
restores some bit of malware from a hidden file, in the SR archive or not.
Reasonable people might disagree as to whether the first piece is properly
called a "virus". IMO, it is properly deemed such, as it leads (can lead)
to a malicious result. IOW, two, or more, separate pieces of code can be
deemed a single "virus".
The failure of any AV tool to detect and remove all such code is a "failure
to fully clean", IMO.
OTOH, failure to remove detected code from the SR archives is irrelevant.
I think we agree about this.

However, Zee appears to think a virus in the SR archive can be reactivated
on reboot without an external agent. I am not aware that this can be done.
I think you agree also.

If I understand him, Zee admits to not knowing how this reactivation can be
done. I am not sure that it has been reported that it can be done anywhere
in these Millennium ng's. IMO, constant redetection of the virus in the
(uncleaned) SR archive does not constitute such a claim, since the malware
cannot execute from there. Perhaps this is the source of the current
disagreement.

HTH,
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
------
"Mike M" wrote in message
...
I think you will be waiting for a long time Jack. None exist at the
moment and I doubt that any ever will for Win Me, being end of line,
although it is just possible that something might be designed for XP.
HOWEVER the simple act of "reactivation" means that the system was never
cleaned in the first place therefore once again system restore is
irrelevant to the problem.
--
Mike Maltby MS-MVP



Jack E Martinelli wrote:

I would be very interested in hearing from you, or anyone, about any
viruses which appear to reside ONLY in the SR archive, and which are
reactivated on reboot.

If so, then we can ask the spooks at one or more of the AV
organizations to tell us how the reactivation works.



#62
February 3rd 05, 03:09 PM
Jack E Martinelli

Please see my most recent response to Zee, where I mention your post here,
and with which I agree.

--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
------
"Rick T" wrote in message
...
oops!! wrote:
Jack,

I had decided not to post again in this thread, but your comment tempted me:

1. Somehow, I'm seeing some thoughts pointing a little bit towards my ideas.

2. I don't know if the virus or malware is activated from within SR. But
there are some good ideas in these latest posts. The SR external trigger is
interesting.

3. I believe (and I have already done it) turning off SR before
cleansing/scanning is a workaround for that reoccurrence.

4. I also agree, ME is no longer a target, XP will be.

5. The disagreement on turning off or not turning off SR before
cleansing will, of course, persist.


Rick T. writes:

While not claiming to be an expert in such matters a couple things occur
to me...

If a virus is in the SR folders, it's not going to start unless either:

a) an external virus component retrieves it, or
b) SR retrieves it

"a" means your AV obviously hasn't done its job since it's left behind
a bootstrap. Hopefully a more recent AV patch will take care of that.

"b" also means your AV hasn't done its job since it hasn't been able to
convince SR that things are OK or set an SR point after cleansing.
Sounds like it's time for another AV.



Rick



#63
February 3rd 05, 03:21 PM
Jack E Martinelli

Please see my most recent reply to Zee, in which I mention your post here,
and with which I completely agree, despite my ignorance of any programming
skills which might address the disagreement.

Perhaps Zee will soon come to understand our argument about the necessary
existence of the external agent for the reinfection to occur from the SR
archive, or elsewhere. Until this point, I suspect he has just imagined the
process as a "black box", for which cleansing the archive prevents
reinfection. The critical insight is that the "external agent" must be
included in the Startup axis. Our position is there is no "black box"; an
external agent must exist to reinfect, which has escaped the AV or spyware
tool. The tool has failed to clean the startup axis. A better AV tool is
needed, not the disabling of SR, in an attempt to clean the "virus".

Txs for your help, ... and patience,
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
------
"Mike M" wrote in message
...
1) a documented case of a virus activating from within the SR archive,
with no external agent, i.e., a "startup vector", reactivating the virus;


Something which logically as well as practically is an impossibility. For
anything, malware or not, to be launched without user interaction requires
a startup vector or instruction in one of a limited number of places and
no part of the restore archive, Win Me or XP, is in that list which is
primarily but not exclusively registry orientated.

2) a logical description of how, under current computer programming,
this might be accomplished for SR under WinME.


You will have a long wait, Jack, for the same reasons.

In conclusion I pose a question. If a user considers that it is dangerous
to retain the system restore archive whilst cleansing a PC why not also
remove the various backed up copies of the registry in the
windows\sysbckup folder? As I have mentioned, those proposing the
clearing of the restore archive prior to cleansing should consider taking
a basic course in logic.
--
Mike Maltby MS-MVP



"Jack E Martinelli" wrote ...

Mr. Maltby wrote: "If the start up vector for a virus, or rather malware,
since the most difficult to remove (pests) tend currently to be
commercial malware (latest versions of VX2, CWS etc), has been removed, the
malware is dead, regardless of where it might be
located - wastebin, restore archive or system folder. If the startup vector
remains, then the virus is still live."

I agree with this perspective, and know of no exception under WinME.


What I would like to see from you next, Zee, is either:

1) a documented case of a virus activating from within the SR archive, with
no external agent, i.e., a "startup vector", reactivating the virus;
2) a logical description of how, under current computer programming, this
might be accomplished for SR under WinME.
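Added example, not posted by anyone in this thread: a small Python auditor for the "startup axis" that Mike M and Rick T describe, i.e. the limited set of places from which a Win9x/ME box launches something without user interaction. It reads a REGEDIT4-format export (the format Win9x/ME regedit writes) of the Run, RunOnce and RunServices keys, plus win.ini [windows] load=/run= and system.ini [boot] shell=, lists every startup command, and flags any whose program sits under the _RESTORE folder that holds the System Restore archive. The registry export and .ini fragments embedded below are constructed for illustration: the key paths and .ini entries are the real Win9x/ME startup locations, but the "Tickler" entry, the _RESTORE\TEMP\*.CPY file names and the script's coverage (it ignores the Startup folder, wininit.ini and similar vectors) are assumptions of this example. What it shows is the thread's point in practice: a file in the archive is inert until an entry like the flagged ones names it, and that entry, not the archive, is what the cleaner has to remove.

```python
"""Audit Win9x/ME startup vectors from exported text.

Added example (not from the forum thread). Parses a REGEDIT4 export of the
Run* keys plus win.ini/system.ini text, lists each startup command, and flags
commands whose program lives under _RESTORE (the Win ME SR archive folder).
"""
import re

# Real Win9x/ME auto-start keys. Matched exactly, so a subkey such as
# Run\OptionalComponents is (correctly) not treated as a startup vector.
STARTUP_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
_WANTED_KEYS = {k.lower() for k in STARTUP_KEYS}

# .ini vectors: (file label, section, value names that launch a program)
INI_VECTORS = (("win.ini", "windows", ("load", "run")),
               ("system.ini", "boot", ("shell",)))

# Anything inside a _RESTORE folder. Note C:\WINDOWS\restore (the SR program
# files) is a different folder and must not match.
RESTORE_DIR = re.compile(r"(?:^|[\\/])_restore[\\/]", re.IGNORECASE)

# REGEDIT4 string value line: "name"="value", with \\ and \" escapes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# --- constructed sample input; entries are hypothetical, not from a real PC ---
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SysTray"="SysTray.Exe"
"Tickler"="C:\\_RESTORE\\TEMP\\A0001234.CPY"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
"Installed"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
'''
SAMPLE_INI = {
    "win.ini": "[windows]\nload=\nrun=c:\\_restore\\temp\\a0009999.cpy\n"
               "[Desktop]\nWallpaper=(None)\n",
    "system.ini": "[boot]\nshell=Explorer.exe\n",
}


def _unescape(s):
    # REGEDIT4 doubles backslashes and escapes quotes inside string values.
    return re.sub(r"\\(.)", r"\1", s)


def parse_regedit4(text):
    """Yield (key, name, value) for every string value in a REGEDIT4 export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = _VALUE_LINE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def parse_ini(text):
    """Yield (section, name, value) from .ini text; section names lowercased."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and not line.startswith(";"):
            name, value = line.split("=", 1)
            yield section, name.strip(), value.strip()


def command_target(cmd):
    """The program a command line launches: the quoted path or first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def startup_vectors(reg_text, ini_files):
    """Every command the machine would run at boot/logon, with its source."""
    vectors = [(key, name, value) for key, name, value in parse_regedit4(reg_text)
               if key.lower() in _WANTED_KEYS]
    for label, wanted_section, names in INI_VECTORS:
        for section, name, value in parse_ini(ini_files.get(label, "")):
            if section == wanted_section and name.lower() in names and value:
                vectors.append((f"{label} [{section}]", name, value))
    return vectors


def audit(reg_text, ini_files):
    """One dict per vector; in_restore is True when its program is in the SR archive."""
    report = []
    for location, name, cmd in startup_vectors(reg_text, ini_files):
        target = command_target(cmd)
        report.append({"location": location, "name": name, "command": cmd,
                       "target": target,
                       "in_restore": bool(RESTORE_DIR.search(target))})
    return report


if __name__ == "__main__":
    for f in audit(SAMPLE_REG, SAMPLE_INI):
        flag = "  <-- launches from _RESTORE; this entry is the live part" if f["in_restore"] else ""
        print(f'{f["location"]}  {f["name"]} = {f["command"]}{flag}')
```

On a real Win ME box the input would come from `regedit /e` of the keys above and the two .ini files; the flagged entries are the "startup vector" the posters are talking about, and clearing them (not wiping the archive) is what stops the redetected file from ever running again.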




 



