A Windows 98 & ME forum. Win98banter

reoccurring viruses



 
 
  #32  
Old February 3rd 05, 02:07 PM
Jack E Martinelli

Well, we appear to be in a quite similar place despite a disagreement about
the advisability of disabling SR prior to running an AV scan, or other
maintenance tasks.
In short, neither of us knows enough about programming to imagine how the
machine could be reinfected with a virus from the SR archive, or any other
store on the machine, unless a malevolent software agent remains to do such
restoration. Most of us here are agreed that such an agent is indeed a
"virus", and, in this case, the "virus" has not been "cleansed" by the AV
tool.

Please see my most recent posts to Mike Maltby and Rick T, where each
describes this exact situation, and with which I agree.
I think we, but not you, are agreed that there is no method by which the SR
archive, the registry backups, or other stores, can be used to reinfect,
UNLESS this external agent, aka, "memory-resident checker", "startup
vector", "bootstrap", or "tickler file" EXISTS even after AV scanning. This
is a failure of the AV tool, not a failure of the SR system tool.

You are unable to explain how this reinfection from the SR archive can occur
without such an external agent. We think it cannot, ... and, for that
reason, we think that disabling SR is ill-advised, esp. for any casual,
naive user who might be incapable of fixing the system later without the SR
tool and its previous archives.
To us, this position is most reasonable. A better AV tool is needed, not
the disabling of SR.


I especially thank you for your very courteous replies to me, and your
willingness to engage in this most interesting discussion.
I think any casual reader will learn a lot from this thread, both about the
technical details of SR and, perhaps more importantly, about how to engage
in a newsgroup discussion without devolving to any emotional, personal
attacks. As I said earlier, we hope to be civil here no matter how heated
any disagreements. Some of us here are less than ten years old, but we try
to act like "grownups" all the time.

Thank you for the fun, and ...
Till we meet again,
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"oops!!" wrote in message
...

Jack,

Considering my admitted ignorance of how the reoccurrence works, it is
somewhat difficult to answer your queries.

Regarding the basic disagreement, perhaps you should question the MS-MVP's
that proclaim the same procedure.

They will, of course, be on the same level of discussion as you and will
certainly be much more "capable" of explaining it.

I do believe this orange has dried out.

A special thank you for your rational and "cold" approach.

Zee




"Jack E Martinelli" wrote in message
...
Thank you for your continued interest.
Please see my responses interleaved in the slightly rearranged lists below:

--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"oops!!" wrote in message
...

Jack,

I had decided not to post again in this thread, but your comment tempted me:

1. Somehow, I'm seeing some thoughts pointing a little bit towards my ideas.
***** I am unclear as to what you are referring. I am interested in
continuing a rational discussion about this apparent disagreement.


3. I believe (and I have already done it) turning off SR before
cleansing/scanning is a workaround for that reoccurrence.
**** This is the object of this discussion.

4. I also agree, ME is no longer a target, XP will be.
***** I have no idea how this has entered the discussion. Can we discuss
this later?

5. The disagreement on turning off or not turning off SR before cleansing
will, of course, persist.
****** My intent here is to focus more intently on the apparent, detailed
issues of disagreement, with the notion that the disagreement may not
actually exist.

*****
*****
2. I don't know if the virus or malware is activated from within SR. But
there are some good ideas in these latest posts. The SR external trigger is
interesting.
**** This is the crux of the matter!

Mr. Maltby wrote: "If the start up vector for a virus, or rather malware,
since the most difficult to remove (pests) tend currently to be
commercial malware (latest versions of VX2, CWS etc), has been removed, the
malware is dead, regardless of where it might be
located - wastebin, restore archive or system folder. If the startup vector
remains, then the virus is still live."

I agree with this perspective, and know of no exception under WinME.


What I would like to see from you next, Zee, is either:

1) a documented case of a virus activating from within the SR archive, with
no external agent, i.e., a "startup vector", reactivating the virus;
2) a logical description of how, under current computer programming, this
might be accomplished for SR under WinME.


TIA for your careful consideration,

END of J E Martinelli response to this post. 2/02/2005


----------

"Jack E Martinelli" wrote in message
...
I can imagine a situation in which a piece of code, not in itself malicious,
restores some bit of malware from a hidden file, in the SR archive or not.
Reasonable people might disagree as to whether the first piece is properly
called a "virus". IMO, it is properly deemed such, as it leads (can lead)
to a malicious result. IOW, two, or more, separate pieces of code can be
deemed a single "virus".
The failure of any AV tool to detect and remove all such code is a "failure
to fully clean", IMO.
OTOH, failure to remove detected code from the SR archives is irrelevant.
I think we agree about this.

However, Zee appears to think a virus in the SR archive can be reactivated
on reboot without an external agent. I am not aware that this can be done.
I think you agree also.

If I understand him, Zee admits to not knowing how this reactivation can be
done. I am not sure that it has been reported that it can be done anywhere
in these Millennium ng's. IMO, constant redetection of the virus in the
(uncleaned) SR archive does not constitute such a claim, since the malware
cannot execute from there. Perhaps this is the source of the current
disagreement.

HTH,
--
Jack E. Martinelli 2002-05 MS MVP for Shell/User / DTS
Help us help you: http://www.dts-L.org/goodpost.htm

http://www.microsoft.com/athome/secu...t/default.aspx
Your cooperation is very appreciated.
------
"Mike M" wrote in message
...
I think you will be waiting for a long time Jack. None exist at the
moment and I doubt that any ever will for Win Me, being end of line,
although it is just possible that something might be designed for XP.
HOWEVER the simple act of "reactivation" means that the system was never
cleaned in the first place therefore once again system restore is
irrelevant to the problem.
--
Mike Maltby MS-MVP



Jack E Martinelli wrote:

I would be very interested in hearing from you, or anyone, about any
viruses which appear to reside ONLY in the SR archive, and which are
reactivated on reboot.

If so, then we can ask the spooks at one or more of the AV
organizations to tell us how the reactivation works.
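
Added example, not part of the thread: the argument above is that a file sitting in the SR archive is inert unless some startup vector still launches code. The Python sketch below lists startup vectors from three classic Win9x/ME locations (win.ini, system.ini, and the registry Run keys in a REGEDIT4 export) and checks which AV detections any of them reference. All file contents, file names and paths in it are constructed samples.

```python
import configparser
import re

# Constructed sample data: every file name, entry and path below is hypothetical.
WIN_INI = r"""[windows]
run=C:\WINDOWS\SYSTEM\updchk.exe
"""
SYSTEM_INI = "[boot]\nshell=Explorer.exe\n"
REG_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Tickler"="C:\\WINDOWS\\SYSTEM\\updchk.exe"

[HKEY_LOCAL_MACHINE\Software\Vendor\App]
"Path"="C:\\_RESTORE\\TEMP\\A0001234.CPY"
"""
DETECTIONS = [r"C:\WINDOWS\SYSTEM\updchk.exe", r"C:\_RESTORE\TEMP\A0001234.CPY"]
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$", re.I)

def ini_vectors(text, label, section, keys):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    for name in (s for s in cp.sections() if s.lower() == section):
        for key in keys:
            if cp[name].get(key, "").strip():
                yield f"{label} {key}=", cp[name][key].strip()

def reg_vectors(text):
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and RUN_KEY.search(key):  # only autostart keys count as vectors
            m = re.match(r'"(.*?)"="(.*)"$', line)
            if m:  # .reg exports double every backslash inside values
                yield f"{key}\\{m.group(1)}", m.group(2).replace("\\\\", "\\")

def startup_vectors(win_ini, system_ini, reg_export):
    return (list(ini_vectors(win_ini, "win.ini", "windows", ("load", "run")))
            + list(ini_vectors(system_ini, "system.ini", "boot", ("shell",)))
            + list(reg_vectors(reg_export)))

def classify(detections, vectors):
    # Empty list: nothing launches the file (dormant). Non-empty: still live.
    return {p: [src for src, cmd in vectors if p.lower() in cmd.lower()] for p in detections}

if __name__ == "__main__":
    for path, refs in classify(DETECTIONS, startup_vectors(WIN_INI, SYSTEM_INI, REG_EXPORT)).items():
        print(path, "->", refs or "dormant: no startup vector references it")
```

Other autostart locations (Startup folder, autoexec.bat, wininit.ini) are not covered here, so an empty result only speaks for the three sources parsed.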



 



