Does anyone recognize this?

Discussion in 'Computer Security' started by pokee@shaw.ca, May 26, 2005.

  1. Guest

    I just reformatted my hard drive - so my PC is ultra-clean.

    BUT - now when I start up my PC, after my wireless network connection
    is established, my internet explorer starts up and tries to connect to
    this website (with no luck I might add):

    http://www.freewebs.com/jodaaa/happy.html

    There is nothing in Startup to cause this (all that is in my startup is
    Norton Internet Security, Antivirus, and Wireless Network Utility).

    Can anyone guess what may be happening here? It's not affecting
    anything on my PC, so I am not too worried. It's just pissing me off!

    Thanks!
    Paula
     
    , May 26, 2005
    #1

  2. Winged Guest

    wrote:
    > I just reformatted my hard drive - so my PC is ultra-clean.
    >
    > BUT - now when I start up my PC, after my wireless network connection
    > is established, my internet explorer starts up and tries to connect to
    > this website (with no luck I might add):
    >
    > http://www.freewebs.com/jodaaa/happy.html
    >
    > There is nothing in Startup to cause this (all that is in my startup is
    > Norton Internet Security, Antivirus, and Wireless Network Utility).
    >
    > Can anyone guess what may be happening here? It's not affecting
    > anything on my PC, so I am not too worried. It's just pissing me off!
    >
    > Thanks!
    > Paula
    >



    I have to question what software you reloaded that recompromised the
    machine. I suspect it is some innocent game you downloaded from the
    web. I would suspect anything I downloaded about the time the issues
    started.

    Winged
     
    Winged, May 26, 2005
    #2

  3. Guest

    I just connected to the net to download updates to my Norton Internet
    Security/Antivirus software - and that's when the problem started.

    I've just run adaware and spybot, re-scanned my PC for viruses, and the

    problem still exists.

    I have a feeling I am just going to have to re-format again - for the
    millionth time. Dell tells me that this could reduce the life of my
    hard drive. This is getting really frustrating.

    Is there a methodology I should be using after
    re-formatting/re-installing Windows that will protect me better? The
    first thing I do is install anti-virus software - but that requires
    connecting to the internet for updates. It's kind of a catch-22...what

    should I do?

    Thanks for your advice.
    Paula
     
    , May 26, 2005
    #3
  4. Ken Ward Guest

    On 25 May 2005 17:34:11 -0700, wrote:

    >I just reformatted my hard drive - so my PC is ultra-clean.
    >
    >BUT - now when I start up my PC, after my wireless network connection
    >is established, my internet explorer starts up and tries to connect to
    >this website (with no luck I might add):
    >
    >http://www.freewebs.com/jodaaa/happy.html
    >
    >There is nothing in Startup to cause this (all that is in my startup is
    >Norton Internet Security, Antivirus, and Wireless Network Utility).
    >
    >Can anyone guess what may be happening here? It's not affecting
    >anything on my PC, so I am not too worried. It's just pissing me off!
    >
    >Thanks!
    >Paula

    Try BHODemon from www.definitivesolutions.com to see what Browser
    Helper Objects you have. Also try Process Explorer from
    www.sysinternals.com to see what is connected to your wireless network
    and explorer at the time.
     
    Ken Ward, May 26, 2005
    #4
  5. nemo_outis Guest

    wrote in news:1117087646.954856.23100@z14g2000cwz.googlegroups.com:

    > I just connected to the net to download updates to my Norton Internet
    > Security/Antivirus software - and that's when the problem started.
    >
    > I've just run adaware and spybot, re-scanned my PC for viruses, and the
    >
    > problem still exists.
    >
    > I have a feeling I am just going to have to re-format again - for the
    > millionth time. Dell tells me that this could reduce the life of my
    > hard drive. This is getting really frustrating.
    >
    > Is there a methodology I should be using after
    > re-formatting/re-installing Windows that will protect me better? The
    > first thing I do is install anti-virus software - but that requires
    > connecting to the internet for updates. It's kind of a catch-22...what
    >
    > should I do?
    >
    > Thanks for your advice.
    > Paula



    To minimize the amount of work I suggest the following.


    1. Reformat the entire drive. But that's not enough. I suggest you
    also repartition it and restore the MBR (e.g., with fdisk).
    Alternatively - and better - do a "manufacturer's level reformat" (using
    software available from Western Digital, Maxtor, Hitachi, Seagate, etc.
    as the case may be.)

    2. Reformat the disk (and repartition it, etc.)

    3. Install just the OS from known-good sources (e.g., original Windows
    CDs)

    4. Install Ghost (or Acronis, etc.) from known-good sources (or even
    use a diskette or CD-based version that doesn't require installation).
    Backup the HD as an image.

    5. Install your most trustworthy programs from known-good sources
    (e.g., MS Office from CDs)

    6. Backup entire HD with Ghost, Acronis, etc. (incremental backup
    should suffice).

    7. Install second-tier (less trustworthy) software. Backup with Ghost
    as per step 6.

    8. Repeat steps 7 & 6 in stages adding a few more programs, confirming
    the system is clean, and backup. Repeat until all is well and system is
    fully up. If you encounter problems at any point, roll back to a
    previous working disk image.

    I know this seems tedious (and it is) but the idea of regular incremental
    image backups is something you should be doing anyway and this will be a
    baptism of fire in that discipline :)

    Regards,
     
    nemo_outis, May 26, 2005
    #5
  6. donnie Guest

    On 25 May 2005 23:07:26 -0700, wrote:

    >I have a feeling I am just going to have to re-format again - for the
    >millionth time.

    ################################
    A reformat is the last resort in my book but for some reason, many
    times it's the first thing that's recommended. I call it 'hospital
    thinking'. Right away the doctors want to operate.
    donnie.
     
    donnie, May 26, 2005
    #6
  7. From: "nemo_outis" <>


    |
    | To minimize the amount of work I suggest the following.
    |
    | 1. Reformat the entire drive. But that's not enough. I suggest you
    | also repartition it and restore the MBR (e.g., with fdisk).
    | Alternatively - and better - do a "manufacturer's level reformat" (using
    | software available from Western Digital, Maxtor, Hitachi, Seagate, etc.
    | as the case may be.)
    |
    | 2. Reformat the disk (and repartition it, etc.)
    |
    | 3. Install just the OS from known-good sources (e.g., original Windows
    | CDs)
    |
    | 4. Install Ghost (or Acronis, etc.) from known-good sources (or even
    | use a diskette or CD-based version that doesn't require installation).
    | Backup the HD as an image.
    |
    | 5. Install your most trustworthy programs from known-good sources
    | (e.g., MS Office from CDs)
    |
    | 6. Backup entire HD with Ghost, Acronis, etc. (incremental backup
    | should suffice).
    |
    | 7. Install second-tier (less trustworthy) software. Backup with Ghost
    | as per step 6.
    |
    | 8. Repeat steps 7 & 6 in stages adding a few more programs, confirming
    | the system is clean, and backup. Repeat until all is well and system is
    | fully up. If you encounter problems at any point, roll back to a
    | previous working disk image.
    |
    | I know this seems tedious (and it is) but the idea of regular incremental
    | image backups is something you should be doing anyway and this will be a
    | baptism of fire in that discipline :)
    |
    | Regards,
    |

    There is really no "low level format" of ATAPI/EIDE hard disks. The term is "zero fill" the
    drive (writing "zero" to all areas of the hard disk). However, there is no indication of a
    Boot Sector Infector, just adware/spyware and a "fdisk /mbr" and "zero fill" of the hard
    disk is unwarranted. Just deleting the partition and recreating the partition then a high
    level format of the drive is needed.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, May 26, 2005
    #7
  8. From: "donnie" <>

    | On 25 May 2005 23:07:26 -0700, wrote:
    |
    >> I have a feeling I am just going to have to re-format again - for the
    >> millionth time.

    | ################################
    | A reformat is the last resort in my book but for some reason, many
    | times it's the first thing that's recommended. I call it 'hospital
    | thinking'. Right away the doctors want to operate.
    | donnie.

    Ditto Donnie !

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, May 26, 2005
    #8
  9. nemo_outis Guest

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:3Nlle.4624$3u3.1133@trnddc07:

    > From: "nemo_outis" <>
    >
    >
    >|
    >| To minimize the amount of work I suggest the following.
    >|
    >| 1. Reformat the entire drive. But that's not enough. I suggest
    >| you also repartition it and restore the MBR (e.g., with fdisk).
    >| Alternatively - and better - do a "manufacturer's level reformat"
    >| (using software available from Western Digital, Maxtor, Hitachi,
    >| Seagate, etc. as the case may be.)
    >|
    >| 2. Reformat the disk (and repartition it, etc.)
    >|
    >| 3. Install just the OS from known-good sources (e.g., original
    >| Windows CDs)
    >|
    >| 4. Install Ghost (or Acronis, etc.) from known-good sources (or
    >| even use a diskette or CD-based version that doesn't require
    >| installation). Backup the HD as an image.
    >|
    >| 5. Install your most trustworthy programs from known-good sources
    >| (e.g., MS Office from CDs)
    >|
    >| 6. Backup entire HD with Ghost, Acronis, etc. (incremental backup
    >| should suffice).
    >|
    >| 7. Install second-tier (less trustworthy) software. Backup with
    >| Ghost as per step 6.
    >|
    >| 8. Repeat steps 7 & 6 in stages adding a few more programs,
    >| confirming the system is clean, and backup. Repeat until all is well
    >| and system is fully up. If you encounter problems at any point, roll
    >| back to a previous working disk image.
    >|
    >| I know this seems tedious (and it is) but the idea of regular
    >| incremental image backups is something you should be doing anyway and
    >| this will be a baptism of fire in that discipline :)
    >|
    >| Regards,
    >|
    >
    > There is really no "low level format" of ATAPI/EIDE hard disks. The
    > term is "zero fill" the drive (writing "zero" to all areas of the hard
    > disk). However, there is no indication of a Boot Sector Infector,
    > just adware/spyware and a "fdisk /mbr" and "zero fill" of the hard
    > disk is unwarranted. Just deleting the partition and recreating the
    > partition then a high level format of the drive is needed.
    >




    I outlined two courses of action: the conventional reformat, and the
    "manufacturer's reformat." I did this purposefully and fully aware of
    the possibilities and limitations of each. And, yes, as a review of my
    previous posts will show, I'm well aware that a "manufacturer's level
    reformat" using its publicly available software isn't equivalent to a
    factory reformat (e.g., laying down servo tracks, etc.) but it does
    zeroize all data on the drive.

    No evidence of a boot sector infector? Maybe not, but that hardly seems
    conclusive. The fellow with the problem seems unable to identify the
    source of his problem or even to eliminate specific categories.
    Accordingly, it would be just plain prudent and sensible, if one goes to
    the trouble of reformatting a drive, to do it thoroughly. And that is
    why I would strongly recommend using the manufacturer's program (e.g.,
    Powerblast for Maxtor, Drive Fitness Test for Hitachi/IBM, etc.).
    Moreover, I mentioned these programs because many are not aware that such
    manufacturer's software is available.

    Regards,
     
    nemo_outis, May 26, 2005
    #9
  10. SimpleSimon Guest

    <> wrote in message
    news:...
    >I just reformatted my hard drive - so my PC is ultra-clean.
    >
    > BUT - now when I start up my PC, after my wireless network connection
    > is established, my internet explorer starts up and tries to connect to
    > this website (with no luck I might add):
    >
    > http://www.freewebs.com/jodaaa/happy.html
    >
    > There is nothing in Startup to cause this (all that is in my startup is
    > Norton Internet Security, Antivirus, and Wireless Network Utility).
    >
    > Can anyone guess what may be happening here? It's not affecting
    > anything on my PC, so I am not too worried. It's just pissing me off!
    >
    > Thanks!
    > Paula
    >

    You don't say what OS you are running. But assuming it to be a recent MS
    product I would suggest running msconfig from the run command. When this
    opens choose the Diagnostic Startup from the general tab and then OK it and
    follow the instructions to reboot. This will bring the PC up in minimal
    mode. If IE then doesn't run then you know that one of the system startup
    files is causing your problems. It is then a case of choosing Selective
    Startup from msconfig and only choosing one of the entries at a time to find
    out which file is causing you the problem. At that stage I think another
    post to this group would be in order.

    Simon
     
    SimpleSimon, May 26, 2005
    #10
  11. From: "Winged" <>


    | Afraid I agree with Nemo on this one. There are compromises that can be
    | made on a drive that a repartition and high level format don't fix,
    | Worse no standard tools available can readily detect them. I have run
    | into this issue some time ago on scsi drives and it can really be very
    | difficult to identify. If I remember right that problem was caused by
    | running untrusted code that was downloaded as advertised as a server
    | security tool.
    |
    | Winged


    OK, Show me the writeup on infector.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, May 27, 2005
    #11
  12. Winged Guest

    nemo_outis wrote:
    > "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    > news:3Nlle.4624$3u3.1133@trnddc07:
    >
    >
    >>From: "nemo_outis" <>
    >>
    >>
    >>|
    >>| To minimize the amount of work I suggest the following.
    >>|
    >>| 1. Reformat the entire drive. But that's not enough. I suggest
    >>| you also repartition it and restore the MBR (e.g., with fdisk).
    >>| Alternatively - and better - do a "manufacturer's level reformat"
    >>| (using software available from Western Digital, Maxtor, Hitachi,
    >>| Seagate, etc. as the case may be.)
    >>|
    >>| 2. Reformat the disk (and repartition it, etc.)
    >>|
    >>| 3. Install just the OS from known-good sources (e.g., original
    >>| Windows CDs)
    >>|
    >>| 4. Install Ghost (or Acronis, etc.) from known-good sources (or
    >>| even use a diskette or CD-based version that doesn't require
    >>| installation). Backup the HD as an image.
    >>|
    >>| 5. Install your most trustworthy programs from known-good sources
    >>| (e.g., MS Office from CDs)
    >>|
    >>| 6. Backup entire HD with Ghost, Acronis, etc. (incremental backup
    >>| should suffice).
    >>|
    >>| 7. Install second-tier (less trustworthy) software. Backup with
    >>| Ghost as per step 6.
    >>|
    >>| 8. Repeat steps 7 & 6 in stages adding a few more programs,
    >>| confirming the system is clean, and backup. Repeat until all is well
    >>| and system is fully up. If you encounter problems at any point, roll
    >>| back to a previous working disk image.
    >>|
    >>| I know this seems tedious (and it is) but the idea of regular
    >>| incremental image backups is something you should be doing anyway and
    >>| this will be a baptism of fire in that discipline :)
    >>|
    >>| Regards,
    >>|
    >>
    >>There is really no "low level format" of ATAPI/EIDE hard disks. The
    >>term is "zero fill" the drive (writing "zero" to all areas of the hard
    >>disk). However, there is no indication of a Boot Sector Infector,
    >>just adware/spyware and a "fdisk /mbr" and "zero fill" of the hard
    >>disk is unwarranted. Just deleting the partition and recreating the
    >>partition then a high level format of the drive is needed.
    >>

    >
    >
    >
    >
    > I outlined two courses of action: the conventional reformat, and the
    > "manufacturer's reformat." I did this purposefully and fully aware of
    > the possibilities and limitations of each. And, yes, as a review of my
    > previous posts will show, I'm well aware that a "manufacturer's level
    > reformat" using its publicly available software isn't equivalent to a
    > factory reformat (e.g., laying down servo tracks, etc.) but it does
    > zeroize all data on the drive.
    >
    > No evidence of a boot sector infector? Maybe not, but that hardly seems
    > conclusive. The fellow with the problem seems unable to identify the
    > source of his problem or even to eliminate specific categories.
    > Accordingly, it would be just plain prudent and sensible, if one goes to
    > the trouble of reformatting a drive, to do it thoroughly. And that is
    > why I would strongly recommend using the manufacturer's program (e.g.,
    > Powerblast for Maxtor, Drive Fitness Test for Hitachi/IBM, etc.).
    > Moreover, I mentioned these programs because many are not aware that such
    > manufacturer's software is available.
    >
    > Regards,
    >
    >
    >
    >
    >
    >
    >
    >
    >
    >

    Afraid I agree with Nemo on this one. There are compromises that can be
    made on a drive that a repartition and high level format don't fix,
    Worse no standard tools available can readily detect them. I have run
    into this issue some time ago on scsi drives and it can really be very
    difficult to identify. If I remember right that problem was caused by
    running untrusted code that was downloaded as advertised as a server
    security tool.

    Winged
     
    Winged, May 27, 2005
    #12
  13. Winged Guest

    David H. Lipman wrote:
    > From: "Winged" <>
    >
    >
    > | Afraid I agree with Nemo on this one. There are compromises that can be
    > | made on a drive that a repartition and high level format don't fix,
    > | Worse no standard tools available can readily detect them. I have run
    > | into this issue some time ago on scsi drives and it can really be very
    > | difficult to identify. If I remember right that problem was caused by
    > | running untrusted code that was downloaded as advertised as a server
    > | security tool.
    > |
    > | Winged
    >
    >
    > OK, Show me the writeup on infector.
    >

    If I remember right it was a boot sector virus. There were a number of
    these once upon a time and fdisk and format would not remove the virus.

    I believe it was because of these type viruses that Bios boot sector
    protection was added years ago to systems. My memory at this point
    can't remember which particular threat it was but it could not be fixed
    using the protected floppy fdisk /MBR method for fixing the Master boot
    record. When one did just the fdisk then format c: /s method the virus
    was still virulent on the system. Back in mid to late 80s there were a
    number of these critters running around.

    With many of these bugs you could use a protected floppy then fix the
    MBR of the disk, however if you did this procedure with one (and if I
    remember right there were several) that actually encrypted the first
    portion of the MBR and destroyed the data on the disk. With this type
    of virus fdisk the format was ineffective. You should be able to find
    information on this type of virus. No modern system should have an
    issue with this as most bios now have mbr virus protections (and
    hopefully) on.

    Winged
     
    Winged, May 27, 2005
    #13
  14. From: "Winged" <>

    | David H. Lipman wrote:
    >> From: "Winged" <>
    >>

    |>> Afraid I agree with Nemo on this one. There are compromises that can be
    |>> made on a drive that a repartition and high level format don't fix,
    |>> Worse no standard tools available can readily detect them. I have run
    |>> into this issue some time ago on scsi drives and it can really be very
    |>> difficult to identify. If I remember right that problem was caused by
    |>> running untrusted code that was downloaded as advertised as a server
    |>> security tool.
    |>>
    |>> Winged
    >>
    >> OK, Show me the writeup on infector.
    >>

    | If I remember right it was a boot sector virus. There were a number of
    | these once upon a time and fdisk and format would not remove the virus.
    |
    | I believe it was because of these type viruses that Bios boot sector
    | protection was added years ago to systems. My memory at this point
    | can't remember which particular threat it was but it could not be fixed
    | using the protected floppy fdisk /MBR method for fixing the Master boot
    | record. When one did just the fdisk then format c: /s method the virus
    | was still virulent on the system. Back in mid to late 80s there were a
    | number of these critters running around.
    |
    | With many of these bugs you could use a protected floppy then fix the
    | MBR of the disk, however if you did this procedure with one (and if I
    | remember right there were several) that actually encrypted the first
    | portion of the MBR and destroyed the data on the disk. With this type
    | of virus fdisk the format was ineffective. You should be able to find
    | information on this type of virus. No modern system should have an
    | issue with this as most bios now have mbr virus protections (and
    | hopefully) on.
    |
    | Winged

    Like I said in the beginning, "...there is no indication of a Boot Sector Infector...".

    I remember them well; The Form and NYB were often seen and you know where many came from ?
    CSC ! Many old floppies our users had, had them. Often coming directly from CSC.

    Almost years ago I had an interesting problem. It was a workstation style 486 PC. It had
    "quirks" and it needed to be wiped and the OS re-installed. No matter what I would do, it
    would not boot off a clean floppy disk. Finally I figured that if I allowed the POST to see
    hard disk and begin the boot, I removed the IDE cable from the hard disk and the PC booted
    from the floppy disk. When I was at a DOS prompt, I reconnected the IDE cable and I was
    able to access the "C:" drive. I ran Mcafee BootScan and I cleaned two Boot Sector
    Infectors. I was then able to wipe the hard disk, format and reinstall the OS.

    So getting back to the subject matter, Paula indicated "I just reformatted my hard drive".
    If it was a Boot Sector Infector Paula would have not been able to format the hard disk and
    would have been asking for help on hard disk problems.

    Paula reinstalled the OS and in the process visited a web site or installed software
    that infected her with parasitical adware/spyware.

    What Nemo suggested was overkill.

    When there are Boot Sector Infectors, I now suggest the affected person visit Invircible and
    follow the instructions for Zvi Netiv's IVINIT --
    http://www.invircible.com/iv_tools.php#Ivinit

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
     
    David H. Lipman, May 27, 2005
    #14
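    A worked illustration of the point Dave makes about boot sector infectors versus a high-level format, as an added example that is not part of any post in this thread: a small Python parser for a 512-byte MBR. It verifies the 55 AA boot signature, lists the four partition entries, and compares the 446-byte bootstrap region and the partition table against a known-good baseline, since the bootstrap region is what `fdisk /mbr` rewrites and what a high-level format of C: leaves untouched. The sample MBR and the "tampered" variant are constructed inline, and the function names are my own.

```python
import hashlib
import struct

# Layout of a classic MBR: 446 bytes of bootstrap code, four 16-byte
# partition entries, then the 2-byte signature 55 AA.
SECTOR_LEN = 512
BOOTSTRAP_LEN = 446
PART_TABLE_OFF = 446
SIGNATURE_OFF = 510
# One entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA start (uint32), sector count (uint32), all little-endian.
ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr(bootstrap: bytes = bytes(BOOTSTRAP_LEN)) -> bytes:
    """Constructed sample MBR (not from any real disk): one bootable
    NTFS-type (0x07) partition at LBA 63 with 2,097,152 sectors, three empty slots."""
    if len(bootstrap) != BOOTSTRAP_LEN:
        raise ValueError("bootstrap region must be 446 bytes")
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2097152)
    return bootstrap + entry + bytes(16) * 3 + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Check the boot signature, hash the bootstrap code and decode the partition table."""
    if len(sector) != SECTOR_LEN:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_to_baseline(sector: bytes, baseline: bytes) -> dict:
    """Report which region differs from a known-good copy of the same disk's MBR.
    A changed bootstrap with an unchanged partition table is the thing a high-level
    format never touches and fdisk /mbr rewrites."""
    cur, base = parse_mbr(sector), parse_mbr(baseline)
    return {
        "bootstrap_changed": cur["bootstrap_sha256"] != base["bootstrap_sha256"],
        "partition_table_changed":
            sector[PART_TABLE_OFF:SIGNATURE_OFF] != baseline[PART_TABLE_OFF:SIGNATURE_OFF],
    }


if __name__ == "__main__":
    clean = build_sample_mbr()
    # Constructed variant: same partition table, different bootstrap bytes.
    tampered = build_sample_mbr(b"\x90" * BOOTSTRAP_LEN)
    print(parse_mbr(clean))
    print(compare_to_baseline(tampered, clean))
```

    In practice the baseline is the hash of sector 0 taken right after a clean install; re-hashing it from a boot CD later tells you whether the bootstrap code has been rewritten without having to trust the running OS.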
  15. Ashp Guest

    David H. Lipman wrote:

    > What Nemo suggested was overkill.


    I think she should degauss the drive. :)

    Ash.
     
    Ashp, May 27, 2005
    #15
  16. nemo_outis Guest

    Ok, heads up all, including (especially) sysadmins:

    I'm going to reveal one of my magician's tricks. And like all magician's
    tricks it will seem really simple once you know it (but a deep mystery
    otherwise). So don't scoff at its simplicity (I've **never** met a
    sysadmin who realized the implications of this, although some were dimly
    aware of it in terms of Dell, etc. having a "special" area on the HD).

    This method is one of the chief hidey-holes I use for rootkits (but it
    can be used to hide a lot of other things). I'm not going to reveal how
    to use it for a rootkit, but I am going to disclose the underlying
    mechanisms and a magnificent (but dangerous!) tool for dealing with them.

    The key buzzword (buzzphrase?) is "host protected area," abbreviated as
    HPA.

    What is it? It's an area of the HD that is not accessible (or even
    detectable) by ordinary operating systems or applications or even by many
    low-grade forensic tools. High-grade forensic tools (e.g., Encase) WILL
    detect it, however.

    In a nutshell, you can send a very-low-level command to an ATA drive to
    cause it to permanently (until you change it again) under-report its size
    to the BIOS, operating system, etc. The remaining area is inaccessible
    by any OS (except using the little-known and less-used direct ATA command
    set). Some manufacturers (Dell, Compaq) sometimes use this area and
    some Gigabyte motherboards support a variant where they clone a whole
    boot partition there!

    So, your 32 Gb drive reports to any OS (and even the BIOS) that it is,
    say, a 31.5 Gb drive (you can make the hidden area any size, even a very
    large size, but it's unwise to be too greedy). The hidden .5 Gb can then
    be used to store data (in some cases, rootkit files!).

    Now that you know the principle, I'll give you the real gem, the tool to
    manipulate this with. (Warning: This tool is very powerful and you can
    blitz not just one drive but multiple drives if you mishandle it!)

    The tool is MHDD and it is available (free!) at:

    http://mhddsoftware.com/

    Have fun, but be careful - it's easy to trash your drive(s)!

    Regards,

    PS Now you know why I recommended using manufacturers' low-level
    zeroizing software. And that's why I posted this as a followup in this
    thread. But be warned: not all manufacturers' zeroizing software will
    overwrite the HPA. Use MHDD - but use it carefully!

    PPS Some BIOSs now do support the HPA (i.e., make it visible/changeable)

    PPPS You can even password-protect the HPA!
     
    nemo_outis, May 28, 2005
    #16
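    A defender's check for the host protected area nemo describes, as an added example that is not part of any post in this thread. On Linux, `hdparm -N /dev/sdX` prints the size the drive currently reports (from IDENTIFY DEVICE) next to its native maximum (from READ NATIVE MAX ADDRESS); when the two differ, an HPA is set. The Python below parses that one line and computes the hidden region. The sample output is constructed to mimic nemo's 32 GB drive reporting about 31.5 GB, the `/dev/sdX` name is a placeholder, and the "max sectors = a/b" line format is an assumption about hdparm's output; the function names are my own.

```python
import re

# Constructed sample in the shape of `hdparm -N` output (assumed format:
# "max sectors = visible/native, HPA is ..."); not captured from a real drive.
# 62,500,000 sectors * 512 B = 32 GB; 61,523,437 visible = roughly 31.5 GB.
SAMPLE_HDPARM_OUTPUT = """\
/dev/sdX:
 max sectors   = 61523437/62500000, HPA is enabled
"""

_MAX_SECTORS_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


def parse_hdparm_n(output: str) -> tuple:
    """Return (visible_sectors, native_max_sectors) from hdparm -N output.
    The first number is what the OS and BIOS see; the second is the real size."""
    m = _MAX_SECTORS_RE.search(output)
    if not m:
        raise ValueError("no 'max sectors = a/b' line found in output")
    return int(m.group(1)), int(m.group(2))


def hpa_report(visible: int, native: int, sector_size: int = 512) -> dict:
    """Size the region that a conventional format or wipe never reaches."""
    if visible > native:
        raise ValueError("visible size exceeds native max: readings are inconsistent")
    hidden = native - visible
    return {
        "hpa_present": hidden > 0,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * sector_size,
        "hidden_gib": round(hidden * sector_size / 2**30, 3),
    }


if __name__ == "__main__":
    visible, native = parse_hdparm_n(SAMPLE_HDPARM_OUTPUT)
    print(hpa_report(visible, native))
```

    `hdparm -N` alone only reads the setting; changing it (the `-Np` form) is the dangerous operation nemo warns about. Note also that a Device Configuration Overlay (`hdparm --dco-identify`) can hide sectors beyond even the native maximum, so a forensic image or a wipe should be done after both readings have been recorded and compared.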
  17. Ashp Guest

    nemo_outis wrote:

    > Ok, heads up all, including (especially) sysadmins:
    >
    > I'm going to reveal one of my magician's tricks. And like all magician's
    > tricks it will seem really simple once you know it (but a deep mystery
    > otherwise). So don't scoff at its simplicity (I've **never** met a
    > sysadmin who realized the implications of this, although some were dimly
    > aware of it in terms of Dell, etc. having a "special" area on the HD).


    Fail to see any relevance to the user's problem. From the information
    given by the user this is just malware, no root-kits or 'hacking' involved.

    Ash.
     
    Ashp, May 28, 2005
    #17
  18. nemo_outis Guest

    Ashp <> wrote in
    news::

    > nemo_outis wrote:
    >
    >> Ok, heads up all, including (especially) sysadmins:
    >>
    >> I'm going to reveal one of my magician's tricks. And like all
    >> magician's tricks it will seem really simple once you know it (but a
    >> deep mystery otherwise). So don't scoff at its simplicity (I've
    >> **never** met a sysadmin who realized the implications of this,
    >> although some were dimly aware of it in terms of Dell, etc. having a
    >> "special" area on the HD).

    >
    > Fail to see any relevance to the user's problem. From the information
    > given by the user this is just malware, no root-kits or 'hacking'
    > involved.
    >
    > Ash.
    >




    For those with little imagination or insight, let me point out the
    relevance of my post:

    1. The user had a persistent/recurring problem and he was
    incapable of diagnosing its source. He was therefore necessarily
    uncertain of whether it was attributable to malware, and, if so, its
    nature and tenacity. Prudence would dictate that he assume the worst.
    Accordingly, he was reduced to reformatting the drive and starting over.
    My post makes clear what a thorough job of "reformatting and starting
    over" entails if one wishes to ensure that any putative malware does not
    survive and the problems recur.

    2. My post further shows that "reformatting and starting over"
    entails the need to do a low-level format (zeroization) of the ENTIRE
    disk to ensure that no malware may remain. Not only are conventional
    formats grossly inadequate regarding the sectors to which they are
    applied, they may not even span the entire disk! My post makes clear
    that what appears to be the *entire* drive (even to the OS) may not be.

    So much for the user and his problem.

    More broadly, my post was a heads-up on a little-known feature of current
    HDs which, while it has its legitimate uses, is susceptible to abuse,
    including abuse by malware. Moreover, this feature can support some
    especially pernicious forms of malware, (e.g., rootkits), which, by their
    nature, are both very hard to detect (especially from within an OS) and
    to eradicate (e.g., a conventional reformat would be useless).

    More broadly still, my post suggests, even if only implicitly (and only
    to the imaginative), that other uses could be made of the "invisible"
    portion of a HD. Such uses might include, for instance, hiding encrypted
    files there while crossing borders with a laptop.

    Here endeth the lesson.

    Regards,
     
    nemo_outis, May 28, 2005
    #18
  19. Ashp Guest

    nemo_outis wrote:

    >
    > 1. The user had a persistent/recurring problem and he was
    > incapable of diagnosing its source. He was therefore necessarily
    > uncertain of whether it was attributable to malware, and, if so, its
    > nature and tenacity. Prudence would dictate that he assume the worst.
    > Accordingly, he was reduced to reformatting the drive and starting over.
    > My post makes clear what a thorough job of "reformatting and starting
    > over" entails if one wishes to ensure that any putative malware does not
    > survive and the problems recur.


    User is a she. The problem is malware, no malware uses any kind of
    protected hd area. If the problem is due to hacking/cracking or a
    corporate station then yes your advice is correct. Common sense
    overrides prudence here.

    >More broadly, my post was a heads-up on a little-known feature of
    >current
    >HDs which, while it has its legitimate uses, is susceptible to abuse,
    >including abuse by malware. Moreover, this feature can support some
    >especially pernicious forms of malware, (e.g., rootkits), which, by
    >their
    >nature, are both very hard to detect (especially from within an OS) and
    >to eradicate (e.g., a conventional reformat would be useless).


    Thanks, a chufty badge is on its way to too.

    Ash.
     
    Ashp, May 28, 2005
    #19
  20. nemo_outis Guest

    Ashp <> wrote in
    news::

    > nemo_outis wrote:
    >
    >>
    >> 1. The user had a persistent/recurring problem and he was
    >> incapable of diagnosing its source. He was therefore necessarily
    >> uncertain of whether it was attributable to malware, and, if so, its
    >> nature and tenacity. Prudence would dictate that he assume the
    >> worst. Accordingly, he was reduced to reformatting the drive and
    >> starting over. My post makes clear what a thorough job of
    >> "reformatting and starting over" entails if one wishes to ensure that
    >> any putative malware does not survive and the problems recur.

    >
    > User is a she. The problem is malware, no malware uses any kind of
    > protected hd area. If the problem is due to hacking/cracking or a
    > corporate station then yes your advice is correct. Common sense
    > overrides prudence here.



    For us traditionalists, "he" is still the generic pronoun. I neither know
    nor care what the sex of the user is.

    As for what malware can do: There are more things in heaven and earth,
    Horatio, than are dreamt of in your philosophy. Yours is an argument from
    ignorance, not knowledge. As I strongly hinted in my previous post, I
    myself have used the HPA for rootkits.

    Accordingly, if one does not know the source of one's problem, it seems,
    not just cavalier, but downright rash not to be thorough in erasing the HD.



    > >More broadly, my post was a heads-up on a little-known feature of
    > >current
    > >HDs which, while it has its legitimate uses, is susceptible to abuse,
    > >including abuse by malware. Moreover, this feature can support some
    > >especially pernicious forms of malware, (e.g., rootkits), which, by
    > >their
    > >nature, are both very hard to detect (especially from within an OS)
    > >and to eradicate (e.g., a conventional reformat would be useless).

    >
    > Thanks, a chufty badge is on its way to too.



    Ahh, a pitiful little display of pique from an ignoramus. Yawn.

    Regards,
     
    nemo_outis, May 28, 2005
    #20
