Malware and File Permissions and attributes
Hello,

Has anyone dealt specifically with any of the following malware:

1. Exploit:Java/CVE-2012-0507.R
2. backdoor:Win32/Kelihos.F
3. Exploit:Java/CVE-2010-0840.QI
4. exploit:Java/CVE-2012-0507.R!ldr
5. TrojanDownloader:Win32/Waledac.C
6. trojan:Win32/Tibs.IT
7. Trojan:Win64/Alureon.gen!F
8. Trojan:Win64/Alureon.gen!J
9. trojan:Win32/Alureon.gen!AD
10. Trojan:Win32/Orsam!rts
11. trojan:Win32/Alureon.FK
12. Trojan:DOS/Alureon.I
13. trojan:Win32/Dynamer!dtc
14. Trojan:Win32/Dynamer!dtc

on a Win7 64-bit machine?

This one is going to be convoluted. An individual who gives me more computer headaches than anyone else, but who also happens to be extended family, called me about two weeks back claiming his box had a worm. I think he was running Norton 360. I do not know the name of the worm, or if it was a worm. He didn't give me the box until four days ago, when problems had escalated to a backdoor/rootkit, trojan, and a virus (his words). His cleaning efforts did not take the box off the internet, so I wouldn't be surprised. The thing that finally got the box to me was a black screen; my guess is a very corrupted Windows, given some of the above malware I've googled, as well as a report that his user profile, documents, background, pictures, etc. were gone. The drive in question is very full, with only 20 GB of space left.

Here's the problem: I put that drive in an external enclosure, hooked it up to a test box and cleaned it. It took two passes of Security Essentials and Malwarebytes to do it, and they found the above listing of stuff. This is after his "cleaning efforts"; I can only have nightmares about what this looked like before. Two problems: the black screen (corrupted Windows or registry, my guess), and file permission changes.

He reported to me that certain files were "hidden". I have since discovered that they are operating system protected, but his profile is not accessible; it's showing up as a folder with no files or folders in it.

These reports are still from this drive being in the external enclosure; I have not rehooked it up to its motherboard. I believe my next step is to blow it away, it sounds like it is really bad, but I've got to get the profiles, documents, pictures, etc. Suggestions welcome; none of my googling on the above indicated they did anything with regard to changing file attributes to hidden or setting files "protected" by the operating system.

Thanks.
Dave.
Dave, oh boy, Alureon is in fact a rootkit. So he was correct on that score.

Here's what I think, and you may want to decide if this is all worth your time for extended family who's not paying you.

First and foremost, image the drive. Seriously. That probably should've been done prior to doing any cleaning, especially if the default is to delete files as opposed to putting them into quarantine, but in any event, do it before you do anything more on that drive. I'm really serious about that. That way, if things go to hell in a handcart, you'll have something to go back to. Otherwise, you're pretty much screwed.

Once you've imaged the drive, and are pretty sure you got all the nasties off, then do a chkdsk on the original to mitigate any file corruption.

It is possible that the malware changed the user profile name, so look for that possibility. Also make sure that none of those fall into the category of file infectors, because if so, saving the files could in fact lead to reinfection once the box has been reformatted and the files restored.

HTH.

On 4/19/12, David Mehler <dave.mehler@gmail.com> wrote:
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
-- Blame the computer--why not? It can't defend itself & occasionally might even be the culprit Jackie McBride Ask Me Computer Questions at: www.pcinquirer.com Jaws Scripting training materials: www.screenreaderscripting.com homePage: www.abletec.serverheaven.net
Hello,

Thanks for your response. I neglected to mention that I do have an image, but I don't believe it's got the profiles in it. I'll check on the Alureon. Right now I believe my next step, after the chkdsk I just started completes, is to take the enclosure and put it on a Linux box and see if I can get the files that way; any thoughts? Right now all I want is the data: pics, docs, audio, favorites, the profile. I can restore the machine after that. It's a Dell, and from what I'm seeing it has a recovery partition.

Thanks.
Dave.

On 4/19/12, Jackie McBride <abletec@gmail.com> wrote:
Well, I have a couple of thoughts, for what they're worth.

1) If there's a file infector on that box, then the files may have been quarantined. You might wish to look at what's in the quarantine vault.
2) His cleaning efforts may have resulted in files being deleted/quarantined.
3) The malware may have encrypted his files. I don't really see any on there that stand out in terms of doing so, but some of those trojans are generic names and their behavior can vary widely.

On 4/19/12, David Mehler <dave.mehler@gmail.com> wrote:
Hi,

Do you have any reason to believe that his data is still there? There could just be a really big application data or temp folder? You could try running something like TreeSize on the drive to see what it thinks is taking up the space; if it can account for the used space without including the important data, then I guess it's gone?

You need to make a copy of the drive with something that ignores the file system and just blindly copies sectors; I think dd does this if you don't want to spend any money, and the Windows port should also be OK. Once you've done that, you could try running the image through something like GetDataBack to see if it finds anything.

Cheers,
Ben.

On 4/19/12, David Mehler <dave.mehler@gmail.com> wrote:
Hello,
Thanks for your response. I neglected to mention that I do have an image, but don't believe it's got the profiles in it. I'll check on the Alurion. Right now I believe my next step after the chkdsk I just started completes is I'm going to take the enclosure and put it in a linux box, see if I can get the files that way, any thoughts? Right now all I want is the data, pics, docs, audio, favorites, the profile, I can restore the machine after that. It's a dell and from what I'm seeing it has a recovery partition.
Thanks. Dave.
On 4/19/12, Jackie McBride <abletec@gmail.com> wrote:
Dave, o, boy--Alurion is in fact a rootkit. So, he was correct on that score.
Here's what I think, & u may wanna decide if this is all worth your time for extended family who's not paying u.
First & foremost, image the drive. Seriously. That probly should've been done prior to doing any cleaning, especially if the default is to delete files as opposed to putting them into quarantine, but, in any event, do it b4 u do anything more on that drive. I'm really serious about that. That way, if things go to hell in a handcart, you'll have something to go bak to. Otherwise, you're pretty much screwed.
Once you've imaged the drive, & are pretty sure u u got all the nasties off, then do a chkdsk on the original to mitigate any file corruption.
It is possible that the malware changed the user profile name, so look for that possibility. Also make sure that none of those fall into the category of file infectors, because, if so, saving the files could in fact lead to reinfection once the box has been reformatted & the files restored.
HTH.
On 4/19/12, David Mehler <dave.mehler@gmail.com> wrote:
Hello,
Has anyone dealt specifically with any of the following malware:
1. Exploit:Java/CVE-2012-0507.R 2. backdoor:Win32/Kelihos.F 3. Exploit:Java/CVE-2010-0840.QI 4. exploit:Java/CVE-2012-0507.R!ldr 5. TrojanDownloader:Win32/Waledac.C 6. trojan:Win32/Tibs.IT 7. Trojan:Win64/Alureon.gen!F 8. Trojan:Win64/Alureon.gen!J 9. trojan:Win32/Alureon.gen!AD 10. Trojan:Win32/Orsam!rts 11. trojan:Win32/Alureon.FK 12. Trojan:DOS/Alureon.I 13. trojan:Win32/Dynamer!dtc 14. Trojan:Win32/Dynamer!dtc
on a win7 64 bit machine?
This one is going to be convoluted. An individual who gives me more computer headaches than anyone else but he also happens to be extended family, called me about two weeks back claiming his box had a worm. I think he was running Norton 360. I do not know the name of the worm or if it was a worm. He didn't give me the box until four days ago when problems had eskelated to a backdoor/rootkit, trojan, and a virus his words. His cleaning efforts did not take the box off the internet so I wouldn't be surprised. The thing that got the box finally to me was a black screen, my guess is a very corrupted windows given some of the above malware I've googled as well as a report that his user profile, documents, background, pictures, etc was gone. The drive in question is very full only having 20 GB left of space.
Here's the problem, I put that drive in an external enclosure hooked it up to a test box and cleaned it, took two passes of Security Essentials and Malware bites to do it, found the above listing of stuff this is after his "cleaning efforts" I can only have nightmares about what this looked like before. Two problems, the black screen (corrupted windows or registry my guess), and file permission changes.
He reported to me that certain files were "hidden" I have since discovered that they are operating system protected, but his profile is not accessible, it's showing up as a folder with no files or folders in it.
These reports are still from this drive being in the external enclosure, I have not rehooked it up to it's motherboard, I believe my next step is to blow it away, it sounds like it is really bad, but I've got to get the profiles, documents, pictures, etc. Suggestions welcome, none of my googling on the above indicated they did anything with regards changing file attributes to hidden or setting files "protected" by the operating system.
Thanks. Dave.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
-- Blame the computer--why not? It can't defend itself & occasionally might even be the culprit Jackie McBride Ask Me Computer Questions at: www.pcinquirer.com Jaws Scripting training materials: www.screenreaderscripting.com homePage: www.abletec.serverheaven.net
Hi,
Do you have any reason to believe that his data is still there? There could just be a really big application data or temp folder? You could try running something like TreeSize on the drive to see what it thinks is taking up the space; if it can account for the used space without including the important data, then I guess it's gone? You need to make a copy of the drive with something that ignores the file system and just blindly copies sectors; I think dd does this if you don't want to spend any money - the Windows port should also be OK. Once you've done that, you could try running the image through something like GetDataBack to see if it finds anything.
Cheers, Ben.
On 4/19/12, David Mehler <dave.mehler@gmail.com> wrote:
Hello,
Thanks for your response. I neglected to mention that I do have an image, but I don't believe it's got the profiles in it. I'll check on the Alureon. Right now I believe my next step, after the chkdsk I just started completes, is to take the enclosure and put it on a Linux box and see if I can get the files that way; any thoughts? Right now all I want is the data: pics, docs, audio, favorites, the profile. I can restore the machine after that. It's a Dell, and from what I'm seeing it has a recovery partition.
Thanks. Dave.
On 4/19/12, Jackie McBride <abletec@gmail.com> wrote:
Dave, o, boy--Alureon is in fact a rootkit. So, he was correct on that score.
Here's what I think, & u may wanna decide if this is all worth your time for extended family who's not paying u.
First & foremost, image the drive. Seriously. That probly should've been done prior to doing any cleaning, especially if the default is to delete files as opposed to putting them into quarantine, but, in any event, do it b4 u do anything more on that drive. I'm really serious about that. That way, if things go to hell in a handcart, you'll have something to go bak to. Otherwise, you're pretty much screwed.
Once you've imaged the drive, & are pretty sure u got all the nasties off, then do a chkdsk on the original to mitigate any file corruption.
It is possible that the malware changed the user profile name, so look for that possibility. Also make sure that none of those fall into the category of file infectors, because, if so, saving the files could in fact lead to reinfection once the box has been reformatted & the files restored.
HTH.
On 4/19/12, David Mehler <dave.mehler@gmail.com> wrote:
Hello,
Has anyone dealt specifically with any of the following malware:
1. Exploit:Java/CVE-2012-0507.R
2. backdoor:Win32/Kelihos.F
3. Exploit:Java/CVE-2010-0840.QI
4. exploit:Java/CVE-2012-0507.R!ldr
5. TrojanDownloader:Win32/Waledac.C
6. trojan:Win32/Tibs.IT
7. Trojan:Win64/Alureon.gen!F
8. Trojan:Win64/Alureon.gen!J
9. trojan:Win32/Alureon.gen!AD
10. Trojan:Win32/Orsam!rts
11. trojan:Win32/Alureon.FK
12. Trojan:DOS/Alureon.I
13. trojan:Win32/Dynamer!dtc
14. Trojan:Win32/Dynamer!dtc
on a win7 64 bit machine?
This one is going to be convoluted. An individual who gives me more computer headaches than anyone else, but who also happens to be extended family, called me about two weeks back claiming his box had a worm. I think he was running Norton 360. I do not know the name of the worm or if it was a worm. He didn't give me the box until four days ago, when problems had escalated to a backdoor/rootkit, trojan, and a virus, his words. His cleaning efforts did not take the box off the internet, so I wouldn't be surprised. The thing that finally got the box to me was a black screen; my guess is a very corrupted Windows given some of the above malware I've googled, as well as a report that his user profile, documents, background, pictures, etc. were gone. The drive in question is very full, only having 20 GB of space left.
Here's the problem: I put that drive in an external enclosure, hooked it up to a test box and cleaned it. It took two passes of Security Essentials and Malwarebytes to do it, and found the above listing of stuff; this is after his "cleaning efforts". I can only have nightmares about what this looked like before. Two problems: the black screen (corrupted Windows or registry, my guess), and file permission changes.
He reported to me that certain files were "hidden". I have since discovered that they are operating system protected, but his profile is not accessible; it's showing up as a folder with no files or folders in it.
These reports are still from this drive being in the external enclosure; I have not rehooked it up to its motherboard. I believe my next step is to blow it away, it sounds like it is really bad, but I've got to get the profiles, documents, pictures, etc. Suggestions welcome; none of my googling on the above indicated they did anything with regard to changing file attributes to hidden or setting files "protected" by the operating system.
Thanks. Dave.
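Ben's point above (copy the drive sector by sector, ignoring the file system, before running any recovery tool) and Jackie's earlier insistence on imaging before anything else, as an added shell example that is not code from the thread. It assumes a Linux box with GNU coreutils (dd, sha256sum, du, sort, sed); the function names and the sample paths in the usage comment are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Linux box with GNU
# coreutils (dd, sha256sum, du, sort, sed); function names are mine.

# image_drive SRC DST
# Sector-level copy of SRC (a block device such as /dev/sdb, or any file)
# to the image file DST, ignoring the file system entirely, so NTFS
# damage or an unreadable profile folder does not matter, and deleted-file
# residue in unallocated space is preserved for a recovery tool to find.
# bs=512 matches the sector size, so conv=noerror,sync (keep going past
# unreadable sectors, padding them with zeros) never pads the tail of a
# healthy source. Returns 0 if the image hashes identical to the source;
# a mismatch means unreadable sectors were zero-filled and the image must
# be treated as partial (GNU ddrescue is the usual tool for a failing drive).
image_drive() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$dst" | cut -d' ' -f1)
    # Record the hash beside the image so the copy can be re-verified
    # after every tool that touches it.
    printf '%s  %s\n' "$dst_sum" "$dst" > "$dst.sha256"
    [ "$src_sum" = "$dst_sum" ]
}

# mount_image_ro IMG MNT [OFFSET]
# Attach an image read-only (needs root and NTFS support). For a whole-disk
# image pass the partition's byte offset (start sector from fdisk -l times
# 512) so the loop device begins at the NTFS volume. ro plus noexec means
# browsing the copy can neither modify it nor run anything stored on it.
mount_image_ro() {
    img="$1"; mnt="$2"; off="${3:-0}"
    mount -o "ro,noexec,loop,offset=$off" "$img" "$mnt"
}

# space_audit DIR [N]
# The TreeSize check: print the N largest immediate subtrees of DIR in
# kilobytes, largest first, to see whether the used space is an oversized
# AppData or temp folder or the user's actual documents.
space_audit() {
    dir="$1"; n="${2:-10}"
    # du prints DIR's own total as its last line; drop it before sorting.
    du -k -d 1 "$dir" 2>/dev/null | sed '$d' | sort -rn | head -n "$n"
}

# Usage (as root; never mount the original drive read-write):
#   image_drive /dev/sdb /mnt/store/sdb.img
#   mkdir -p /mnt/img && mount_image_ro /mnt/store/sdb.img /mnt/img 1048576
#   space_audit /mnt/img/Users/dave 10
```

Work on the image, not the drive: every later step (chkdsk, recovery software, a Linux mount) then has a pristine copy to fall back to, and the recorded hash tells you immediately if something has written to it.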
1 thing that might be happening, Dave, is that the virus deleted the files & folders. They won't obviously show up if that's the case. There are utilities out there that can recover those. Additionally, u might wanna see if any files contain a _crypt extension.
On 4/19/12, Ben Mustill-Rose <ben@benmr.com> wrote:
Hi,
Do you have any reason to believe that his data is still there? There could just be a really big application data or temp folder? You could try running something like TreeSize on the drive to see what it thinks is taking up the space; if it can account for the used space without including the important data, then I guess it's gone? You need to make a copy of the drive with something that ignores the file system and just blindly copies sectors; I think dd does this if you don't want to spend any money - the Windows port should also be OK. Once you've done that, you could try running the image through something like GetDataBack to see if it finds anything.
Cheers, Ben.
On 4/19/12, David Mehler <dave.mehler@gmail.com> wrote:
Hello,
Thanks for your response. I neglected to mention that I do have an image, but I don't believe it's got the profiles in it. I'll check on the Alureon. Right now I believe my next step, after the chkdsk I just started completes, is to take the enclosure and put it on a Linux box and see if I can get the files that way; any thoughts? Right now all I want is the data: pics, docs, audio, favorites, the profile. I can restore the machine after that. It's a Dell, and from what I'm seeing it has a recovery partition.
Thanks. Dave.
On 4/19/12, Jackie McBride <abletec@gmail.com> wrote:
Dave, o, boy--Alureon is in fact a rootkit. So, he was correct on that score.
Here's what I think, & u may wanna decide if this is all worth your time for extended family who's not paying u.
First & foremost, image the drive. Seriously. That probly should've been done prior to doing any cleaning, especially if the default is to delete files as opposed to putting them into quarantine, but, in any event, do it b4 u do anything more on that drive. I'm really serious about that. That way, if things go to hell in a handcart, you'll have something to go bak to. Otherwise, you're pretty much screwed.
Once you've imaged the drive, & are pretty sure u got all the nasties off, then do a chkdsk on the original to mitigate any file corruption.
It is possible that the malware changed the user profile name, so look for that possibility. Also make sure that none of those fall into the category of file infectors, because, if so, saving the files could in fact lead to reinfection once the box has been reformatted & the files restored.
HTH.
On 4/19/12, David Mehler <dave.mehler@gmail.com> wrote:
Hello,
Has anyone dealt specifically with any of the following malware:
1. Exploit:Java/CVE-2012-0507.R
2. backdoor:Win32/Kelihos.F
3. Exploit:Java/CVE-2010-0840.QI
4. exploit:Java/CVE-2012-0507.R!ldr
5. TrojanDownloader:Win32/Waledac.C
6. trojan:Win32/Tibs.IT
7. Trojan:Win64/Alureon.gen!F
8. Trojan:Win64/Alureon.gen!J
9. trojan:Win32/Alureon.gen!AD
10. Trojan:Win32/Orsam!rts
11. trojan:Win32/Alureon.FK
12. Trojan:DOS/Alureon.I
13. trojan:Win32/Dynamer!dtc
14. Trojan:Win32/Dynamer!dtc
on a win7 64 bit machine?
This one is going to be convoluted. An individual who gives me more computer headaches than anyone else, but who also happens to be extended family, called me about two weeks back claiming his box had a worm. I think he was running Norton 360. I do not know the name of the worm or if it was a worm. He didn't give me the box until four days ago, when problems had escalated to a backdoor/rootkit, trojan, and a virus, his words. His cleaning efforts did not take the box off the internet, so I wouldn't be surprised. The thing that finally got the box to me was a black screen; my guess is a very corrupted Windows given some of the above malware I've googled, as well as a report that his user profile, documents, background, pictures, etc. were gone. The drive in question is very full, only having 20 GB of space left.
Here's the problem: I put that drive in an external enclosure, hooked it up to a test box and cleaned it. It took two passes of Security Essentials and Malwarebytes to do it, and found the above listing of stuff; this is after his "cleaning efforts". I can only have nightmares about what this looked like before. Two problems: the black screen (corrupted Windows or registry, my guess), and file permission changes.
He reported to me that certain files were "hidden". I have since discovered that they are operating system protected, but his profile is not accessible; it's showing up as a folder with no files or folders in it.
These reports are still from this drive being in the external enclosure; I have not rehooked it up to its motherboard. I believe my next step is to blow it away, it sounds like it is really bad, but I've got to get the profiles, documents, pictures, etc. Suggestions welcome; none of my googling on the above indicated they did anything with regard to changing file attributes to hidden or setting files "protected" by the operating system.
Thanks. Dave.
-- Blame the computer--why not? It can't defend itself & occasionally might even be the culprit Jackie McBride Ask Me Computer Questions at: www.pcinquirer.com Jaws Scripting training materials: www.screenreaderscripting.com homePage: www.abletec.serverheaven.net
Dave, o, boy--Alureon is in fact a rootkit. So, he was correct on that score.
Here's what I think, & u may wanna decide if this is all worth your time for extended family who's not paying u.
First & foremost, image the drive. Seriously. That probly should've been done prior to doing any cleaning, especially if the default is to delete files as opposed to putting them into quarantine, but, in any event, do it b4 u do anything more on that drive. I'm really serious about that. That way, if things go to hell in a handcart, you'll have something to go bak to. Otherwise, you're pretty much screwed.
Once you've imaged the drive, & are pretty sure u got all the nasties off, then do a chkdsk on the original to mitigate any file corruption.
It is possible that the malware changed the user profile name, so look for that possibility. Also make sure that none of those fall into the category of file infectors, because, if so, saving the files could in fact lead to reinfection once the box has been reformatted & the files restored.
HTH.
On 4/19/12, David Mehler <dave.mehler@gmail.com> wrote:
Hello,
Has anyone dealt specifically with any of the following malware:
1. Exploit:Java/CVE-2012-0507.R
2. backdoor:Win32/Kelihos.F
3. Exploit:Java/CVE-2010-0840.QI
4. exploit:Java/CVE-2012-0507.R!ldr
5. TrojanDownloader:Win32/Waledac.C
6. trojan:Win32/Tibs.IT
7. Trojan:Win64/Alureon.gen!F
8. Trojan:Win64/Alureon.gen!J
9. trojan:Win32/Alureon.gen!AD
10. Trojan:Win32/Orsam!rts
11. trojan:Win32/Alureon.FK
12. Trojan:DOS/Alureon.I
13. trojan:Win32/Dynamer!dtc
14. Trojan:Win32/Dynamer!dtc
on a win7 64 bit machine?
This one is going to be convoluted. An individual who gives me more computer headaches than anyone else, but who also happens to be extended family, called me about two weeks back claiming his box had a worm. I think he was running Norton 360. I do not know the name of the worm or if it was a worm. He didn't give me the box until four days ago, when problems had escalated to a backdoor/rootkit, trojan, and a virus, his words. His cleaning efforts did not take the box off the internet, so I wouldn't be surprised. The thing that finally got the box to me was a black screen; my guess is a very corrupted Windows given some of the above malware I've googled, as well as a report that his user profile, documents, background, pictures, etc. were gone. The drive in question is very full, only having 20 GB of space left.
Here's the problem: I put that drive in an external enclosure, hooked it up to a test box and cleaned it. It took two passes of Security Essentials and Malwarebytes to do it, and found the above listing of stuff; this is after his "cleaning efforts". I can only have nightmares about what this looked like before. Two problems: the black screen (corrupted Windows or registry, my guess), and file permission changes.
He reported to me that certain files were "hidden". I have since discovered that they are operating system protected, but his profile is not accessible; it's showing up as a folder with no files or folders in it.
These reports are still from this drive being in the external enclosure; I have not rehooked it up to its motherboard. I believe my next step is to blow it away, it sounds like it is really bad, but I've got to get the profiles, documents, pictures, etc. Suggestions welcome; none of my googling on the above indicated they did anything with regard to changing file attributes to hidden or setting files "protected" by the operating system.
Thanks. Dave.
-- Blame the computer--why not? It can't defend itself & occasionally might even be the culprit Jackie McBride Ask Me Computer Questions at: www.pcinquirer.com Jaws Scripting training materials: www.screenreaderscripting.com homePage: www.abletec.serverheaven.net
Hi David,
I'd hazard a guess that the System Restore files still contain this muck, but how you get rid of the System Restore in these circumstances is the $64,000 question. They normally cannot be cleaned by anti-virus software.
I'm afraid I'd be an absolute so and so here, and simply reformat the drive. While getting rid of the problem, hopefully, it might just also serve as a sharp, short lesson to the user to be more careful.
George.
-----Original Message-----
From: blind-sysadmins-bounces@lists.hodgsonfamily.org [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of David Mehler
Sent: 19 April 2012 19:37
To: blind-sysadmins
Subject: [Blind-sysadmins] Malware and File Permissions and attributes
Hello,
Has anyone dealt specifically with any of the following malware:
1. Exploit:Java/CVE-2012-0507.R
2. backdoor:Win32/Kelihos.F
3. Exploit:Java/CVE-2010-0840.QI
4. exploit:Java/CVE-2012-0507.R!ldr
5. TrojanDownloader:Win32/Waledac.C
6. trojan:Win32/Tibs.IT
7. Trojan:Win64/Alureon.gen!F
8. Trojan:Win64/Alureon.gen!J
9. trojan:Win32/Alureon.gen!AD
10. Trojan:Win32/Orsam!rts
11. trojan:Win32/Alureon.FK
12. Trojan:DOS/Alureon.I
13. trojan:Win32/Dynamer!dtc
14. Trojan:Win32/Dynamer!dtc
on a win7 64 bit machine?
This one is going to be convoluted. An individual who gives me more computer headaches than anyone else, but who also happens to be extended family, called me about two weeks back claiming his box had a worm. I think he was running Norton 360. I do not know the name of the worm or if it was a worm. He didn't give me the box until four days ago, when problems had escalated to a backdoor/rootkit, trojan, and a virus, his words. His cleaning efforts did not take the box off the internet, so I wouldn't be surprised. The thing that finally got the box to me was a black screen; my guess is a very corrupted Windows given some of the above malware I've googled, as well as a report that his user profile, documents, background, pictures, etc. were gone. The drive in question is very full, only having 20 GB of space left.
Here's the problem: I put that drive in an external enclosure, hooked it up to a test box and cleaned it. It took two passes of Security Essentials and Malwarebytes to do it, and found the above listing of stuff; this is after his "cleaning efforts". I can only have nightmares about what this looked like before. Two problems: the black screen (corrupted Windows or registry, my guess), and file permission changes.
He reported to me that certain files were "hidden". I have since discovered that they are operating system protected, but his profile is not accessible; it's showing up as a folder with no files or folders in it.
These reports are still from this drive being in the external enclosure; I have not rehooked it up to its motherboard. I believe my next step is to blow it away, it sounds like it is really bad, but I've got to get the profiles, documents, pictures, etc. Suggestions welcome; none of my googling on the above indicated they did anything with regard to changing file attributes to hidden or setting files "protected" by the operating system.
Thanks. Dave.
George, the way to clean System Restore files is simply to turn it off. Then do a scan, & the antivirus software can disinfect the files contained therein. Don't forget to re-enable it once that process is complete, of course.
On 4/20/12, George Bell <george@techno-vision.co.uk> wrote:
Hi David,
I'd hazard a guess that the System Restore files still contain this muck, but how you get rid of the System Restore in these circumstances is the $64,000 question. They normally cannot be cleaned by anti-virus software.
I'm afraid I'd be an absolute so and so here, and simply reformat the drive. While getting rid of the problem, hopefully, it might just also serve as a sharp, short lesson to the user to be more careful.
George.
-----Original Message-----
From: blind-sysadmins-bounces@lists.hodgsonfamily.org [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of David Mehler
Sent: 19 April 2012 19:37
To: blind-sysadmins
Subject: [Blind-sysadmins] Malware and File Permissions and attributes
Hello,
Has anyone dealt specifically with any of the following malware:
1. Exploit:Java/CVE-2012-0507.R
2. backdoor:Win32/Kelihos.F
3. Exploit:Java/CVE-2010-0840.QI
4. exploit:Java/CVE-2012-0507.R!ldr
5. TrojanDownloader:Win32/Waledac.C
6. trojan:Win32/Tibs.IT
7. Trojan:Win64/Alureon.gen!F
8. Trojan:Win64/Alureon.gen!J
9. trojan:Win32/Alureon.gen!AD
10. Trojan:Win32/Orsam!rts
11. trojan:Win32/Alureon.FK
12. Trojan:DOS/Alureon.I
13. trojan:Win32/Dynamer!dtc
14. Trojan:Win32/Dynamer!dtc
on a win7 64 bit machine?
This one is going to be convoluted. An individual who gives me more computer headaches than anyone else, but who also happens to be extended family, called me about two weeks back claiming his box had a worm. I think he was running Norton 360. I do not know the name of the worm or if it was a worm. He didn't give me the box until four days ago, when problems had escalated to a backdoor/rootkit, trojan, and a virus, his words. His cleaning efforts did not take the box off the internet, so I wouldn't be surprised. The thing that finally got the box to me was a black screen; my guess is a very corrupted Windows given some of the above malware I've googled, as well as a report that his user profile, documents, background, pictures, etc. were gone. The drive in question is very full, only having 20 GB of space left.
Here's the problem: I put that drive in an external enclosure, hooked it up to a test box and cleaned it. It took two passes of Security Essentials and Malwarebytes to do it, and found the above listing of stuff; this is after his "cleaning efforts". I can only have nightmares about what this looked like before. Two problems: the black screen (corrupted Windows or registry, my guess), and file permission changes.
He reported to me that certain files were "hidden". I have since discovered that they are operating system protected, but his profile is not accessible; it's showing up as a folder with no files or folders in it.
These reports are still from this drive being in the external enclosure; I have not rehooked it up to its motherboard. I believe my next step is to blow it away, it sounds like it is really bad, but I've got to get the profiles, documents, pictures, etc. Suggestions welcome; none of my googling on the above indicated they did anything with regard to changing file attributes to hidden or setting files "protected" by the operating system.
Thanks. Dave.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
-- Blame the computer--why not? It can't defend itself & occasionally might even be the culprit Jackie McBride Ask Me Computer Questions at: www.pcinquirer.com Jaws Scripting training materials: www.screenreaderscripting.com homePage: www.abletec.serverheaven.net
George, the way to clean System Restore files is simply to turn it off. Then do a scan, & the antivirus software can disinfect the files contained therein. Don't forget to re-enable it once that process is complete, of course.
On 4/20/12, George Bell <george@techno-vision.co.uk> wrote:
Hi David,
I'd hazard a guess that the System Restore files still contain this muck, but how you get rid of the System Restore in these circumstances is the $64,000 question. They normally cannot be cleaned by anti-virus software.
I'm afraid I'd be an absolute so and so here, and simply reformat the drive. While getting rid of the problem, hopefully, it might just also serve as a sharp, short lesson to the user to be more careful.
George.
Dear advanced system administrators, yesterday I saw a very unpleasant fact. The latest versions of Ubuntu and Orca are able to cooperate amazingly and smoothly. When you are touching your braille display and Orca is able to cooperate with BRLTTY, you can see the very sad fact: the communication between BRLTTY and Orca is much faster than the communication between Orca and eSpeak or other speech-dispatcher driven speech engines. The resulting delay is sometimes 500 milliseconds or more. What do you think could help with this issue? This can give Orca users the opinion that Orca is slow, but it is not true. The communication between the AT-SPI registry and Orca is really very fast. The biggest issue is that the screen reader does not communicate with the speech synthesizer directly, and that a Python component is used for the communication between speech-dispatcher and Orca. Does somebody among us know of a commercial GTK-compatible screen reader for GNOME which would be able to react faster in conjunction with speech synthesizers? Any advice is strongly welcome. By the way, SUE is much slower than Orca in this view, and even crashes sometimes.
Hi Jackie,
Yes that's correct, but I wasn't sure whether or not David's extended family system would allow this to be done.
-----Original Message----- From: blind-sysadmins-bounces@lists.hodgsonfamily.org [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Jackie McBride Sent: 20 April 2012 15:58 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Malware and File Permissions and attributes
Hi Everyone,
Thank you all for your suggestions and help. I have the data; the drive enclosure I have is going back tonight and the data is going to be retrieved. I don't have a machine with sufficient memory to pull it off, the process has crashed four times, plus I'm over-copying because I don't know what they have.
Here's another question: that drive is going to get nuked, formatted and given a fresh install. When I plug in the enclosure there's a partition called "recovery". I'm assuming this is a hidden recovery partition (this is a Dell machine) and that Windows is in there. The question being: researching Alureon, that's a nasty piece of work, it replaces the MBR plus a disk driver. Can it get into the recovery partition, and if a restore is done from that, will it be effective? Basically, will I end up with a clean box?
Thanks again. Dave.
On 4/20/12, George Bell <george@techno-vision.co.uk> wrote:
Hi, I'd just blow away every partition along with the MBR and start completely fresh; chances are you won't be able to restore from the recovery partition without sighted help anyway and even if you did, drivers would be out of date, updates would need to be downloaded and all the usual software rubbish would have to be removed. Out of interest, how did you get to the files? Regards, Ben. On 4/21/12, David Mehler <dave.mehler@gmail.com> wrote:
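An added example, not code from the thread: David asks whether Alureon's MBR replacement could reach the hidden Dell recovery partition, and Ben's answer is to wipe every partition along with the MBR. This Python script parses a raw 512-byte MBR sector (read from the drive in its enclosure or from an image), lists the partition table with hidden and recovery partition types flagged, and hashes the boot code so the sector can be compared against a known-good copy taken right after the clean install. The sample sector, its disk signature and the Dell-style partition layout are constructed, and its boot code is placeholder bytes.

```python
"""Inspect a raw MBR sector offline (e.g. a drive in a USB enclosure):
verify the boot signature, list the partition table (flagging hidden and
recovery partition types), and fingerprint the boot code so it can be
compared with a known-good copy.  Added example, not code from the thread."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the executable boot code
DISK_SIG_OFFSET = 440      # 4-byte NT disk signature follows the boot code
PT_OFFSET = 446            # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"

# Partition type codes relevant here: OEM utility/recovery partitions sit
# alongside the main NTFS volume and are normally hidden from Windows.
PART_TYPES = {
    0x07: "NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x17: "hidden NTFS",
    0x1B: "hidden FAT32",
    0x1C: "hidden FAT32 (LBA)",
    0x27: "Windows RE / hidden NTFS recovery",
    0xDE: "Dell utility",
}
HIDDEN_TYPES = {0x17, 0x1B, 0x1C, 0x27, 0xDE}


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR sector into its partition table and boot-code hash."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    partitions = []
    for index in range(4):
        entry_off = PT_OFFSET + 16 * index
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, entry_off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba_start,
            "sectors": count,
            "size_mib": count * SECTOR_SIZE // (1024 * 1024),
        })
    return {
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_matches(sector: bytes, known_good_sha256: str) -> bool:
    """True if the boot code equals a reference copy (e.g. hashed right after
    a clean install), so a later change to the sector can be spotted."""
    return parse_mbr(sector)["boot_code_sha256"] == known_good_sha256.lower()


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device or raw image file (real devices
    such as /dev/sdb or \\\\.\\PhysicalDrive1 need administrative privileges)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes = b"\x90" * BOOT_CODE_LEN) -> bytes:
    """Constructed sample: a Dell-style layout with a utility partition, a
    hidden recovery partition and the bootable Windows volume.  The boot code
    is placeholder NOP bytes, not real boot code."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0xDEADBEEF)  # constructed signature
    layout = [                                # (status, type, lba_start, sectors)
        (0x00, 0xDE, 63, 80325),              # Dell utility, about 39 MiB
        (0x00, 0x27, 81920, 30720000),        # hidden recovery, 15000 MiB
        (0x80, 0x07, 30801920, 1922580480),   # Windows volume, bootable
    ]
    for i, (status, ptype, start, count) in enumerate(layout):
        struct.pack_into("<B3xB3xII", sector, PT_OFFSET + 16 * i, status, ptype, start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print(f"disk signature 0x{info['disk_signature']:08X}, "
          f"boot code sha256 {info['boot_code_sha256'][:16]}...")
    for p in info["partitions"]:
        flag = "hidden" if p["hidden"] else ("boot" if p["bootable"] else "")
        print(f"  #{p['index']} type 0x{p['type']:02X} {p['type_name']:36} "
              f"{p['size_mib']:>8} MiB {flag}")
```

A boot-code hash mismatch only tells you the sector changed; it says nothing about the contents of the recovery partition, which needs its own scan before being trusted for a restore.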
Dear advanced system administrators, dear members of this mailing list,
After some experiments, I am writing a special tutorial for you. The goal of this tutorial is to prepare a Linux live environment which will contain AVG antivirus for Linux and possibly Avast for Linux too. I have excellent experience with ADRIANE Knoppix and its persistence feature. I have been able to install the AVG .deb package, I have configured the AVG service to run correctly, and I am even able to perform an AVG update while running ADRIANE Knoppix in persistent live mode.
The prerequisites:
1. The newest stable release of ADRIANE Knoppix, downloadable from ftp://ftp.uni-kl.de/pub/linux/knoppix/ADRIANE-KNOPPIX_V6.7.1CD-2011-09-14-EN.iso
2. The latest release of the Universal-USB-Installer, downloadable from http://www.pendrivelinux.com/downloads/Universal-USB-Installer/Universal-USB...
3. The latest AVG Debian package, downloadable from http://aa-download.avg.com/filedir/inst/avg2012flx-r1786-a4748.i386.deb
4. Some time, a USB flash disk, and a running Windows system to create the bootable USB stick with ADRIANE Knoppix.
Let's start.
1. Download the ADRIANE Knoppix .iso image.
2. Prepare a USB stick which has at least 2 GB capacity.
3. Run Universal-USB-Installer and confirm the license. Leave the window and activate the window again, because the installer does something strange with focus after confirming the license agreement.
4. Choose the list item "Try Unlisted Linux ISO (New Syslinux)".
5. Activate the Browse button and find your ADRIANE-KNOPPIX_V6.7.1CD-2011-09-14-EN.iso.
6. Activate the combo box to choose the drive letter of your USB stick; better check the predefined drive letter, for safety reasons.
7. Check the Format option; it is better to format your USB flash drive. The program will use the Windows quick format technique, and using this is safe.
8. Activate the Create button and confirm the installer's question that you want to continue.
After the .iso image has been extracted and the syslinux MBR code has been written to your USB stick, the installer will offer you the Close button. Close the installer and put your avg2012flx-r1786-a4748.i386.deb into the root folder of the USB stick you have just created with ADRIANE Knoppix.
And what now? Boot from this USB stick. If your BIOS will not cooperate with this bootable USB stick, use another Linux distribution and check whether the FAT32 partition on the created USB stick has the boot flag set. It is amazing to use parted or GParted for this operation. Some BIOSes refuse to boot, even though an MBR is present on the boot device, if the boot flag is not set.
When you hear the message from ADRIANE, press the down arrow key until you hear "Setup". Press Enter, and press the down arrow key until you hear "Create persistent storage"; find the word "persistent" in the message. Press Enter on the right menu item. The script will ask you to type the minimum size of the persistent storage file. Do not set it to a size bigger than 1024 MB; otherwise your persistent file may cause Knoppix to break down and you will end up with an unusable persistence feature, because too much data will be decompressed from the Knoppix compressed file into the persistent storage file. Type 512; it will create a 512 MB persistent storage file. Press Enter. Wait patiently until the script finishes its work. Reboot ADRIANE and run it again from the USB stick, now with the persistent storage file you have just created.
Now, let's begin with the AVG installation. From the ADRIANE menu, choose the shell and press Enter. Type sudo su; you will become the root user. Use the dir and cd commands to get into the Knoppix/DESKTOP directory. Type dpkg -i avg2012flx-r1786-a4748.i386.deb and patiently wait until dpkg finishes its complex programmer's work for you.
When the installation is finished, we will have to activate the avgd system service; without this, avgscan will not cooperate with you and we will end up with an error message. So now, be very concentrated and careful. You will have to get to the /etc folder. Now, as root, type nano rc.local. The line above the last line of this script is empty. Use this empty space and add the following line:
/etc/init.d/avgd start
Press Ctrl+X and do the necessary steps to confirm that you want to save your changes to your rc.local script. Reboot the system again, and from the shell, as root, type avgupdate. Patiently wait until the updater finishes the download and installation of the AVG updates. AVG for Linux contains only the console modules; there is no GUI like in Avast for Linux.
If you want to scan FAT or NTFS volumes, first, from the ADRIANE menu, choose the file manager and press Enter. Use the up and down arrow keys to choose the right partition and mount it; it is really simple. All mounted partitions are placed under the /media folder. So to perform the system scan and virus cleaning, as root, type avgscan /clean /media and wait until the process finishes. Leave the virtual console which is being used for running the antivirus, because the SUSE Blinux screen reader will send all dynamic output changes to eSpeak; this is not pleasant and is a small factor in causing some system crashes. You can also scan the Linux file system; that is no problem either.
Why have I chosen this solution? ADRIANE Knoppix contains a well-tuned sound server and SUSE Blinux, with speech-dispatcher configured to cooperate with SUSE Blinux. AVG is a console tool, and it is not good to allocate much RAM by using LXDE; there is the issue that if you wanted to run console apps as root from LXDE, you would have to install gnome-terminal, because otherwise the LXDE terminal is not accessible at all with Orca.
It is not possible to simply run applications with root privileges from gnome-terminal in the LXDE desktop environment with Orca. To run those apps from Knoppix, you have to download some Knoppix DVD, run Orca from gnome-terminal as root, confirm the necessary Orca setup questions and restart GNOME. But even though there are some issues, I think that ADRIANE Knoppix is really the best system administration tool available. Persistence support is much faster than with the latest Debian Squeeze; I will use the 610 special GNOME Debian Squeeze to compare the speed of persistence with Debian Squeeze. Using a console-based screen reader will minimize the memory leaks and probably the system crashes seen while using desktop environments with Orca.
Some important warnings to all users!!!! Linux and even Windows PE environments are not real Windows, and because of that, CPUs are being overheated by using Linux. Especially modern notebooks with BIOSes dated after the year 2009 are in danger. So:
1. Always have your AC adapter connected, and correctly connected, to the notebook.
2. Keep your fan slot free of any objects which would prevent your laptop from cooling correctly.
3. Have your display opened to the maximum level to prevent the motherboard from overheating.
While using AVG, the CPU will be working intensively, and because of the trouble with correct CPU control on modern notebooks while running operating systems without special drivers from the manufacturers, your notebook can sometimes reach a temperature higher than 70 degrees Celsius. So please remember this when using Linux or other system-administration-oriented environments. Advanced Linux system administrators may know how to set up Linux to protect the motherboard and CPU and prevent overheating. But because there are no default settings for all notebooks, I must warn you about it. Do not get around this by following pseudo-cheap advice which tells you to use some special Linux tools for controlling your fan speed.
This way is very dangerous!!! A better way is to think about why the motherboard components and CPU are producing so much heat. Rather consult the kernel developers on how to control the CPU frequency to prevent it from overheating. You can also produce another live distro using AVG, if you do not like ADRIANE, but please keep in mind that all Linux distros and Windows live environments will suffer from temperature issues. A solution is available, and I believe that somebody among us will give some advice on how to control the performance of the CPU while running Linux to protect the motherboard and CPU. I do not like fan controllers; I prefer techniques for minimizing motherboard and CPU overheating. Thank you very much for any advice, if it is available. One little distribution based on Debian Lenny does not contain a very important module needed to enable persistence, so I could not present it.
The advantage of running AVG or another antivirus from a Linux live environment, or from a Linux previously installed on a USB hard disk, is that all NTFS folders and files will be processed and scanned. But there are some conditions. A folder or file cannot be encrypted using Windows encryption. NTFS volumes should be correctly closed by a correct shutdown of Windows. If that is not possible, use a Windows live PE project to check the file system, and never perform any file rename, copy or delete operations from Linux if the NTFS file system may have been incorrectly closed. It can cause severe file system corruption. TrueCrypt system drives cannot be accessed, not only with Linux or Windows PE, but also not with a standard TrueCrypt running from a Linux live environment or from a Windows live PE environment. Without the special bootable CD, which TrueCrypt creates before creating an encrypted system drive, you will be helpless to access it. Because this special bootable disk is itself strongly encrypted, I do not know which operating system kernel is used by this special disk.
I will consult if with Truecrypt developers.
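An added example, not code from the post above or from the AVG or Knoppix projects: a small POSIX sh script that performs the rc.local step from the procedure idempotently (inserting the avgd start line before the final `exit 0` of a Debian-style rc.local, the empty line the post refers to) and mounts an NTFS volume read-only before the scan, so that nothing is written to a volume Windows may not have closed cleanly. The device name and mount point in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Two helpers for the procedure
# described above: registering the AVG daemon in rc.local and mounting the
# NTFS volume to be scanned without ever writing to it.

AVGD_LINE='/etc/init.d/avgd start'

# add_avgd_to_rc_local FILE
# Insert AVGD_LINE just before the last "exit 0" of a Debian-style rc.local.
# Safe to run repeatedly: does nothing if the line is already present, and
# appends the line if the file has no "exit 0" at all.
add_avgd_to_rc_local() {
    rc="$1"
    if grep -qxF "$AVGD_LINE" "$rc"; then
        return 0                       # already registered, nothing to do
    fi
    if grep -qx 'exit 0' "$rc"; then
        tmp=$(mktemp) || return 1
        # buffer the file, remember the last "exit 0", emit our line before it
        awk -v line="$AVGD_LINE" '
            { buf[NR] = $0; if ($0 == "exit 0") last = NR }
            END {
                for (i = 1; i <= NR; i++) {
                    if (i == last) print line
                    print buf[i]
                }
            }' "$rc" > "$tmp" && cat "$tmp" > "$rc"   # cat keeps rc.local mode bits
        rm -f "$tmp"
    else
        printf '%s\n' "$AVGD_LINE" >> "$rc"
    fi
}

# mount_ntfs_ro DEVICE MOUNTPOINT
# Mount an NTFS volume read-only (and without executable/setuid semantics)
# so the scan cannot rename, delete or otherwise write to a file system that
# Windows may have left in an unclean state. Run as root, e.g.:
#   mount_ntfs_ro /dev/sdb2 /media/sdb2     # hypothetical device and mount point
mount_ntfs_ro() {
    mkdir -p "$2" && mount -t ntfs-3g -o ro,noexec,nosuid,nodev "$1" "$2"
}
```

After the read-only mount, the scan itself is run with the avgscan command given in the post; the `ro` mount option is what keeps that scan from touching the volume.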
Hi, I'd just blow away every partition along with the MBR and start completely fresh; chances are you won't be able to restore from the recovery partition without sighted help anyway and even if you did, drivers would be out of date, updates would need to be downloaded and all the usual software rubbish would have to be removed. Out of interest, how did you get to the files? Regards, Ben. On 4/21/12, David Mehler <dave.mehler@gmail.com> wrote:
Hi Everyone,
Thank you all for your suggestions and help. I have the data, the drive enclosure I have is going back tonight and data is going to be retrieved, I don't have a machine with sufficient memory to pull it off, the process crashes four times plus I'm overcopying because I don't know what they have.
Here's another question, that drive is going to get nuked, formatted and a fresh install. When I plug in the enclosure there's a partition called recovery, I'm assuming this is a hidden recovery partition, this is a Dell machine, and that Windows is in there. Question being, researching Alureon, that's a nasty piece of work, it replaces the MBR plus a disk driver, can it get in to the recovery partition and if a restore is done from that will it be effective, basically will I end up with a clean box?
Thanks again. Dave.
On 4/20/12, George Bell <george@techno-vision.co.uk> wrote:
Hi Jackie,
Yes that's correct, but I wasn't sure whether or not David's extended family system would allow this to be done.
-----Original Message----- From: blind-sysadmins-bounces@lists.hodgsonfamily.org [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Jackie McBride Sent: 20 April 2012 15:58 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] Malware and File Permissions and attributes
george, the way to clean system restore files is simply to turn it off. Then do a scan, & the antivirus software can disinfect the files contained therein. Don't forget to re-enable it again once that process is complete, of course.
On 4/20/12, George Bell <george@techno-vision.co.uk> wrote:
Hi David,
I'd hazard a guess that the System Restore files still contain this muck, but how you get rid of the System Restore in these circumstances is the $64,000 question. They normally cannot be cleaned by anti-virus software.
I'm afraid I'd be an absolute so and so here, and simply reformat the drive. While getting rid of the problem, hopefully, it might just also serve as a sharp, short lesson to the user to be more careful.
George.
-----Original Message----- From: blind-sysadmins-bounces@lists.hodgsonfamily.org [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of David Mehler Sent: 19 April 2012 19:37 To: blind-sysadmins Subject: [Blind-sysadmins] Malware and File Permissions and attributes
Hello,
Has anyone dealt specifically with any of the following malware:
1. Exploit:Java/CVE-2012-0507.R 2. backdoor:Win32/Kelihos.F 3. Exploit:Java/CVE-2010-0840.QI 4. exploit:Java/CVE-2012-0507.R!ldr 5. TrojanDownloader:Win32/Waledac.C 6. trojan:Win32/Tibs.IT 7. Trojan:Win64/Alureon.gen!F 8. Trojan:Win64/Alureon.gen!J 9. trojan:Win32/Alureon.gen!AD 10. Trojan:Win32/Orsam!rts 11. trojan:Win32/Alureon.FK 12. Trojan:DOS/Alureon.I 13. trojan:Win32/Dynamer!dtc 14. Trojan:Win32/Dynamer!dtc
on a win7 64 bit machine?
This one is going to be convoluted. An individual who gives me more computer headaches than anyone else, but who also happens to be extended family, called me about two weeks back claiming his box had a worm. I think he was running Norton 360. I do not know the name of the worm or if it was a worm. He didn't give me the box until four days ago when problems had escalated to a backdoor/rootkit, trojan, and a virus, his words. His cleaning efforts did not take the box off the internet so I wouldn't be surprised. The thing that got the box finally to me was a black screen, my guess is a very corrupted Windows given some of the above malware I've googled, as well as a report that his user profile, documents, background, pictures, etc. was gone. The drive in question is very full, only having 20 GB left of space.
Here's the problem, I put that drive in an external enclosure, hooked it up to a test box and cleaned it, took two passes of Security Essentials and Malwarebytes to do it, found the above listing of stuff, this is after his "cleaning efforts", I can only have nightmares about what this looked like before. Two problems, the black screen (corrupted Windows or registry my guess), and file permission changes.
He reported to me that certain files were "hidden", I have since discovered that they are operating system protected, but his profile is not accessible, it's showing up as a folder with no files or folders in it.
These reports are still from this drive being in the external enclosure, I have not rehooked it up to its motherboard, I believe my next step is to blow it away, it sounds like it is really bad, but I've got to get the profiles, documents, pictures, etc. Suggestions welcome, none of my googling on the above indicated they did anything with regards to changing file attributes to hidden or setting files "protected" by the operating system.
Thanks. Dave.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org http://lists.hodgsonfamily.org/listinfo/blind-sysadmins
-- Blame the computer--why not? It can't defend itself & occasionally might even be the culprit Jackie McBride Ask Me Computer Questions at: www.pcinquirer.com Jaws Scripting training materials: www.screenreaderscripting.com homePage: www.abletec.serverheaven.net
participants (5): Ben Mustill-Rose, David Mehler, George Bell, Jackie McBride, Mgr. Janusz Chmiel