Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   NZ Computing (http://www.velocityreviews.com/forums/f47-nz-computing.html)
-   -   Malware and a 'hidden' partition? (http://www.velocityreviews.com/forums/t710193-malware-and-a-hidden-partition.html)

~misfit~ 12-30-2009 12:43 AM

Malware and a 'hidden' partition?
 
Eeek! What a lot of posts! Seems like a couple people here could use RL
friends.

Anyway, yesterday and today I've been re-installing XP on the neighbours
laptop AGAIN as the teenager girl to whom it belongs can't seem to use it
for a day without getting infected. 74 infections this time. Both last month
and this month I've just wiped it ("are my songs and stuff still there?"
Ha!) and reinstalled.

Last month I installed MS Security Essentials (previous to that I'd put AVG
free on it). When I got it back yesterday they'd put a trial version of
Antivir that would point out infections but not remove them. It was
literally impossible to do anything without a warning popping up.

So I've reinstalled XP again, using a bunch of my bandwidth to update it...
I've also installed MS-SE, AVG Free and Malwarebyte's Anti-Malware but I
fear that it's all going to be pointless. (I could have done what I've tried
before, put the HDD in an external enclosure and scan it from a
'sacrificial' computer, then repair XP but frankly I'm sick of this. I don't
get paid, I get little gifts now and then, a tray of eggs the other week, a
flower arrangement at Xmas...)

So to the question: I've used Acronis to image the HDD and have set a 7GB
partition after the OS partition and put the image file of the clean install
there. (Then uninstalled Acronis. They didn't pay for it...) I've then
removed the drive letter in computer management so that it doesn't show up
and the only way to access it again in Windows is to assign it a letter
again.

What are the chances of it staying un-infected? I'm pretty sure that I'm
going to get this machine back again in the not-too-distant-future and it
would be nice to be able to boot from an Acronis CD and simply restore it.

Thanks for any input. (I'm keeping a copy of the image myself anyway but I
find that I have images of most people's computers that I've 'fixed up' and
I don't even know which ones I need to keep anymore... (It's not like I'm
going to invite 'work' by asking folks if they still own the computer in
question.)

Again, TIA...
--
Cheers,
Shaun.

"Give a man a fire and he's warm for the day. But set fire to him and he's
warm for the rest of his life." Terry Pratchett, 'Jingo'.
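The check a practitioner would want on the stored image, as an added example that is not part of the thread and not Acronis's or any other tool's code: removing a drive letter keeps the partition out of Explorer, but anything running with admin rights on the infected Windows install can still reach the volume, so the image should be compared against a record made when it was created before it is trusted for a restore. The script below writes a size-and-SHA-256 manifest for every file in a backup directory and later reports what is missing, changed or newly appeared; run it from the helper's own machine or a Linux rescue environment, and keep a second copy of the manifest somewhere the laptop cannot touch. Directory and file names are assumptions, and the sample image is a constructed stand-in.

```python
"""Integrity manifest for a stored backup image (added example, assumptions:
directory layout and file names are illustrative only)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces; real images are multi-GB files


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 without loading it all into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(image_dir: Path, manifest: Path) -> dict:
    """Record size and SHA-256 of every file under image_dir (recursively)."""
    entries = {}
    for p in sorted(image_dir.rglob("*")):
        if p.is_file() and p != manifest:
            rel = p.relative_to(image_dir).as_posix()
            entries[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    manifest.write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_manifest(image_dir: Path, manifest: Path) -> list:
    """Return a list of problems; an empty list means the images are intact."""
    expected = json.loads(manifest.read_text())
    problems = []
    for rel, info in expected.items():
        p = image_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
            continue
        if p.stat().st_size != info["size"]:
            problems.append(f"size changed: {rel}")
            continue  # no point hashing a file that is already the wrong size
        if sha256_of(p) != info["sha256"]:
            problems.append(f"hash mismatch: {rel}")
    # A clean backup area should contain only what was put there, so files
    # that appeared after the manifest was written are reported as well.
    for p in image_dir.rglob("*"):
        if p.is_file() and p != manifest:
            rel = p.relative_to(image_dir).as_posix()
            if rel not in expected:
                problems.append(f"unexpected file: {rel}")
    return problems


def demo() -> tuple:
    """Constructed sample: a fake image, a manifest, then a one-byte tamper.

    Returns (problems before tamper, problems after tamper)."""
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        image_dir = workdir / "backup"
        image_dir.mkdir()
        img = image_dir / "clean-install.img"  # stand-in for the real image
        img.write_bytes(os.urandom(3 * CHUNK + 17))
        manifest = workdir / "MANIFEST.json"  # beside, not inside, the images
        write_manifest(image_dir, manifest)
        before = verify_manifest(image_dir, manifest)
        # Simulate a silently modified image: flip one byte in the middle,
        # which leaves the size unchanged so only the hash can catch it.
        with img.open("r+b") as f:
            f.seek(CHUNK + 5)
            b = f.read(1)
            f.seek(CHUNK + 5)
            f.write(bytes([b[0] ^ 0xFF]))
        after = verify_manifest(image_dir, manifest)
    return before, after


if __name__ == "__main__":
    fresh, tampered = demo()
    print("fresh image:", fresh or "intact")
    print("after tamper:", tampered)
```

The size check is a cheap first pass only; a modification that keeps the file length, like the flipped byte in the demo, is caught solely by the hash, which is why the manifest copy has to live off the machine being protected.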



Simon 12-30-2009 08:09 AM

Re: Malware and a 'hidden' partition?
 
On Dec 30, 1:43 pm, "~misfit~" <sore_n_ha...@yahoo-nospam.com.au>
wrote:

> Thanks for any input. (I'm keeping a copy of the image myself anyway but I
> find that I have images of most people's computers that I've 'fixed up' and
> I don't even know which ones I need to keep anymore... (It's not like I'm
> going to invite 'work' by asking folks if they still own the computer in
> question.)


Given what you've outlined above, I'd say the chances are extremely
high that she'll re-infect the machine.

IMO there's no easy technical solution, aside from addressing the
layer-8 cause. Are you able to work out what sites she's visiting
regularly that are causing the infection? Or perhaps she's downloading
software?

From a personal perspective, I have been known to become ultra-
paranoid and start using a VM to browse the net, reverting back to a
saved image when closed. I don't know how useful or appropriate that
would be in the current situation though.

~misfit~ 12-30-2009 08:22 AM

Re: Malware and a 'hidden' partition?
 
Somewhere on teh intarwebs Simon wrote:
> On Dec 30, 1:43 pm, "~misfit~" <sore_n_ha...@yahoo-nospam.com.au>
> wrote:
>
>> Thanks for any input. (I'm keeping a copy of the image myself anyway
>> but I find that I have images of most people's computers that I've
>> 'fixed up' and I don't even know which ones I need to keep
>> anymore... (It's not like I'm going to invite 'work' by asking folks
>> if they still own the computer in question.)

>
> Given what you've outlined above, I'd say the chances are extremely
> high that she'll re-infect the machine.


Yeah, I agree. Even with AVG's 'linkscanner' (that I usually disable on my
own machines) I think she'll reinfect it. Hell, it only took three weeks to
go from pristine to unusable last time.

When I took it back today her father put his hand in his pocket and asked
what he owed. I told him nothing this time (I'm on an invalid's benefit
anyway) but if it happens again it'll cost, not him but his daughter. He
said thanks muchly and that she doesn't have a source of money other than
him anyway (she's at school).

> IMO there's no easy technical solution, aside from addressing the
> layer-8 cause. Are you able to work out what sites she's visiting
> regularly that are causing the infection? Or perhaps she's downloading
> software?


I couldn't tell. It was unusable with the trial of Antivir throwing up
warning windows on top of warning windows every time I moved the mouse.

> From a personal perspective, I have been known to become ultra-
> paranoid and start using a VM to browse the net, reverting back to a
> saved image when closed. I don't know how useful or appropriate that
> would be in the current situation though.


Not very really. Hopefully the image on the 'hidden' partition stays clean
and I'll just give them an Acronis boot CD if I get asked again and tell
them how to do it.
--
Cheers,
Shaun.

"Give a man a fire and he's warm for the day. But set fire to him and he's
warm for the rest of his life." Terry Pratchett, 'Jingo'.



~misfit~ 12-30-2009 08:27 AM

Re: Malware and a 'hidden' partition?
 
Somewhere on teh intarwebs whoisthis wrote:
> In article <hhe7ng$lbl$1@news.eternal-september.org>,
> "~misfit~" <sore_n_happy@yahoo-nospam.com.au> wrote:

[snip]
>> What are the chances of it staying un-infected? I'm pretty sure that
>> I'm going to get this machine back again in the
>> not-too-distant-future and it would be nice to be able to boot from
>> an Acronis CD and simply restore it.
>>
>> Thanks for any input. (I'm keeping a copy of the image myself anyway
>> but I find that I have images of most people's computers that I've
>> 'fixed up' and I don't even know which ones I need to keep
>> anymore... (It's not like I'm going to invite 'work' by asking folks
>> if they still own the computer in question.)
>>
>> Again, TIA...

>
> What about setting the DNS to OpenDNS or some such so that the malware
> sites will simply be harder to get to...


Honestly, that's above my pay-grade. (Read: I'm not that smart. <g>) I'm
hoping that AVG linkscanner will shut her down from bad sites. I didn't
install it last time, just MS-SE.

> Does she have Admin rights...?


Yeah. That was a mistake, I know. I didn't think about it until after
dropping it off. I just naturally install XP like that on my own machines. I
suppose that if it comes back soon I can restore and change that? It's
something I've never tried. Would it make much difference do you think? I
might go and change it anyway if you think it would. However, wouldn't that
stop her installing stuff on her own machine?
--
Cheers,
Shaun.

"Give a man a fire and he's warm for the day. But set fire to him and he's
warm for the rest of his life." Terry Pratchett, 'Jingo'.



peterwn 12-30-2009 09:50 AM

Re: Malware and a 'hidden' partition?
 
On Dec 30, 1:43 pm, "~misfit~" <sore_n_ha...@yahoo-nospam.com.au>
wrote:

>
> So to the question: I've used Acronis to image the HDD and have set a 7GB
> partition after the OS partition and put the image file of the clean install
> there. (Then uninstalled Acronis. They didn't pay for it...) I've then
> removed the drive letter in computer management so that it doesn't show up
> and the only way to access it again in Windows is to assign it a letter
> again.
>
> What are the chances of it staying un-infected?


Dunno, but there is a way to keep it uninfected. Use partimage on the
System Rescue CD to save and restore the Windows partition. Format
the 7GB partition as a Linux ext3 partition. Windows will leave it
alone (unless special drivers are installed).

Peter Huebner 12-30-2009 12:04 PM

Re: Malware and a 'hidden' partition?
 
In article <hhe7ng$lbl$1@news.eternal-september.org>,
sore_n_happy@yahoo-nospam.com.au says...
> So I've reinstalled XP again, using a bunch of my bandwidth to update it...
> I've also installed MS-SE, AVG Free and Malwarebyte's Anti-Malware but I
> fear that it's all going to be pointless. (I could have done what I've tried
> before, put the HDD in an external enclosure and scan it from a
> 'sacrificial' computer, then repair XP but frankly I'm sick of this. I don't
> get paid, I get little gifts now and then, a tray of eggs the other week, a
> flower arrangement at Xmas...)


Hey Shaun, I am currently running the combo of avast! on access scanner
and Sunbelt/Kerio firewall, and that makes for one tough security combo.

Nothing gets installed without my giving approval explicitly, and at
times even that is not enough .... I actually had to turn both firewall
and avast! off in order to get a certain game to patch correctly earlier
this month, the patch simply could not get access to registry nor touch
services ;-)

Of course, who knows what that kid does when nobody is watching. If she
opens any attachment her mates send her and downloads malware executable
files and runs them and god knows what -- I'm sure you know the old
chestnut about making things 'foolproof'. There's so much social
engineering going on that I can just see a 14 year old girl falling for.

Anyway, wishing you a happy new year and all that ;) -P.


Mary Hanna 12-30-2009 09:34 PM

Re: Malware and a 'hidden' partition?
 
On Thu, 31 Dec 2009 01:04:07 +1300, Peter Huebner <no.one@this.address> wrote:

>In article <hhe7ng$lbl$1@news.eternal-september.org>,
>sore_n_happy@yahoo-nospam.com.au says...
>> So I've reinstalled XP again, using a bunch of my bandwidth to update it...
>> I've also installed MS-SE, AVG Free and Malwarebyte's Anti-Malware but I
>> fear that it's all going to be pointless. (I could have done what I've tried
>> before, put the HDD in an external enclosure and scan it from a
>> 'sacrificial' computer, then repair XP but frankly I'm sick of this. I don't
>> get paid, I get little gifts now and then, a tray of eggs the other week, a
>> flower arrangement at Xmas...)

>
>Hey Shaun, I am currently running the combo of avast! on access scanner
>and Sunbelt/Kerio firewall, and that makes for one tough security combo.
>
>Nothing gets installed without my giving approval explicitly, and at
>times even that is not enough .... I actually had to turn both firewall
>and avast! off in order to get a certain game to patch correctly earlier
>this month, the patch simply could not get access to registry nor touch
>services ;-)
>
>Of course, who knows what that kid does when nobody is watching. If she
>opens any attachment her mates send her and downloads malware executable
>files and runs them and god knows what -- I'm sure you know the old
>chestnut about making things 'foolproof'. There's so much social
>engineering going on that I can just see a 14 year old girl falling for.
>
>Anyway, wishing you a happy new year and all that ;) -P.




No one in his right mind would trust in AVG Free and Malwarebyte's
Anti-Malware..


bugalugs 12-31-2009 12:42 AM

Re: Malware and a 'hidden' partition?
 
Mary Hanna wrote:
> On Thu, 31 Dec 2009 01:04:07 +1300, Peter Huebner <no.one@this.address> wrote:
>
>> In article <hhe7ng$lbl$1@news.eternal-september.org>,
>> sore_n_happy@yahoo-nospam.com.au says...
>>> So I've reinstalled XP again, using a bunch of my bandwidth to update it...
>>> I've also installed MS-SE, AVG Free and Malwarebyte's Anti-Malware but I
>>> fear that it's all going to be pointless. (I could have done what I've tried
>>> before, put the HDD in an external enclosure and scan it from a
>>> 'sacrificial' computer, then repair XP but frankly I'm sick of this. I don't
>>> get paid, I get little gifts now and then, a tray of eggs the other week, a
>>> flower arrangement at Xmas...)

>> Hey Shaun, I am currently running the combo of avast! on access scanner
>> and Sunbelt/Kerio firewall, and that makes for one tough security combo.
>>
>> Nothing gets installed without my giving approval explicitly, and at
>> times even that is not enough .... I actually had to turn both firewall
>> and avast! off in order to get a certain game to patch correctly earlier
>> this month, the patch simply could not get access to registry nor touch
>> services ;-)
>>
>> Of course, who knows what that kid does when nobody is watching. If she
>> opens any attachment her mates send her and downloads malware executable
>> files and runs them and god knows what -- I'm sure you know the old
>> chestnut about making things 'foolproof'. There's so much social
>> engineering going on that I can just see a 14 year old girl falling for.
>>
>> Anyway, wishing you a happy new year and all that ;) -P.

>
>
>
> No one in his right mind would trust in AVG Free and Malwarebyte's
> Anti-Malware..
>


And why would that be ??

~misfit~ 12-31-2009 12:47 AM

Re: Malware and a 'hidden' partition?
 
Somewhere on teh intarwebs peterwn wrote:
> On Dec 30, 1:43 pm, "~misfit~" <sore_n_ha...@yahoo-nospam.com.au>
> wrote:
>
>>
>> So to the question: I've used Acronis to image the HDD and have set
>> a 7GB partition after the OS partition and put the image file of the
>> clean install there. (Then uninstalled Acronis. They didn't pay for
>> it...) I've then removed the drive letter in computer management so
>> that it doesn't show up and the only way to access it again in
>> Windows is to assign it a letter again.
>>
>> What are the chances of it staying un-infected?

>
> Dunno, but there is a way to keep it uninfected. Use partimage on the
> System Rescue CD to save and restore the Windows partition. Format
> the 7GB partition as a Linux ext3 partition. Windows will leave it
> alone (unless special drivers are installed).


Interesting, thanks Peter.
--
Shaun.

"Give a man a fire and he's warm for the day. But set fire to him and he's
warm for the rest of his life." Terry Pratchett, 'Jingo'.



Nighthawk 12-31-2009 12:50 AM

Re: Malware and a 'hidden' partition?
 
On Wed, 30 Dec 2009 13:43:24 +1300, "~misfit~"
<sore_n_happy@yahoo-nospam.com.au> wrote:

>Eeek! What a lot of posts! Seems like a couple people here could use RL
>friends.
>
>Anyway, yesterday and today I've been re-installing XP on the neighbours
>laptop AGAIN as the teenager girl to whom it belongs can't seem to use it
>for a day without getting infected. 74 infections this time. Both last month
>and this month I've just wiped it ("are my songs and stuff still there?"
>Ha!) and reinstalled.
>
>Last month I installed MS Security Essentials (previous to that I'd put AVG
>free on it). When I got it back yesterday they'd put a trial version of
>Antivir that would point out infections but not remove them. It was
>literally impossible to do anything without a warning popping up.
>
>So I've reinstalled XP again, using a bunch of my bandwidth to update it...
>I've also installed MS-SE, AVG Free and Malwarebyte's Anti-Malware but I
>fear that it's all going to be pointless. (I could have done what I've tried
>before, put the HDD in an external enclosure and scan it from a
>'sacrificial' computer, then repair XP but frankly I'm sick of this. I don't
>get paid, I get little gifts now and then, a tray of eggs the other week, a
>flower arrangement at Xmas...)
>
>So to the question: I've used Acronis to image the HDD and have set a 7GB
>partition after the OS partition and put the image file of the clean install
>there. (Then uninstalled Acronis. They didn't pay for it...) I've then
>removed the drive letter in computer management so that it doesn't show up
>and the only way to access it again in Windows is to assign it a letter
>again.
>
>What are the chances of it staying un-infected? I'm pretty sure that I'm
>going to get this machine back again in the not-too-distant-future and it
>would be nice to be able to boot from an Acronis CD and simply restore it.
>
>Thanks for any input. (I'm keeping a copy of the image myself anyway but I
>find that I have images of most people's computers that I've 'fixed up' and
>I don't even know which ones I need to keep anymore... (It's not like I'm
>going to invite 'work' by asking folks if they still own the computer in
>question.)
>
>Again, TIA...


I have an older version of Acronis True Image here. In it, under
Tools, there is Manage True Image Secure Zone, which creates a
partition which only True Image can access. No other programme can
access this partition except True Image. True Image can put all
backups in that partition which can be accessed (and created) by the
bootable version of True Image.

http://www.acronis.com/resource/solu...cure-zone.html


