
Desperately in need of advice...?


Quote from: patio on November 05, 2008, 08:33:43 AM

Just a side note:
I have XP installed to a FAT32 partition and to an NTFS partition on my benchtest machine, and the FAT32 install has far fewer issues over the long haul...
Side note 2: Data Lifeguard Tools works great for WD drives... I run the DOS bootable version. I don't care much for the Windows version, but to each his own.

Good, I plan on sticking with FAT32 for my system drive. Wish I had thought of it earlier; I would have just used Partition Magic to convert my system drive to FAT32, without needing a clean install.

Quote from: ALAN_BR on November 05, 2008, 07:00:27 AM
Hi

I fear you misunderstood the situation.

The fact that ntoskrnl is identical to the version on your XP SP3 CD is no indication or otherwise of infection,
BUT IT PROVES YOU WERE, AND PROBABLY STILL ARE, VULNERABLE.

On 24 Oct I received this LINK :-
http://windowssecrets.com/comp/081024
This told me of a vulnerability that permits malware installation with "no interaction required from the end user". It also advised that exploits had been seen in the wild, which is why M.$ published KB958644 on 22 Oct to deal with this, and did not wait for Patch Tuesday.
I immediately emailed a warning to friends and relatives, and then permanently disconnected from the Internet until I had scanned my system, purged unwanted / temporary files, and added a fresh disc image to the archive in case Security patch KB958644 damaged my system.

I then allowed KB958644 to enter.

Consequences of KB958644 included the installation of 4 off nt*.* files, one of which was ntoskrnl.exe. All 4 files were dated 14/08/2008, suggesting the final version was tested for less than 9 weeks before M.$ panicked and did an EMERGENCY update.

The problem is NOT an infected ntoskrnl.exe. I do not know if the vulnerability is a defect in ntoskrnl.exe or some other part of the system. I am however CONFIDENT that M.$ have chosen to modify ntoskrnl.exe as one aspect of dealing with the problem, and anyone not using the latest version is vulnerable.

I have hot-fixes and un-installers for several versions of ntoskrnl.exe going back several years. I guess every one of them permits this exploit.

XP SP3 CD was probably issued before 22 Oct, so your ntoskrnl.exe is probably dated long before 14/08/2008, in which case you are still subject to this vulnerability.

Please note that I recognise I tend to overreact whenever I can. I like to think that this is why, after more than 30 years of computer experience, the only virii I EVER had to eliminate were the infestations with the games my son brought home from school on 5.25" floppy discs !!!

On a brighter note, congratulations on getting your Hard drive back under control.

Regards
Alan



Thanks again, I suppose.

As I said before...

how would this worm affect me after a clean install? After installing video and audio drivers by first boot (no network drivers), I got the "Disk read error", missing or corrupt ntoskrnl.exe, missing or corrupt hal.dll, etc.


Trust me, I know the processes that should run on my computer, and if I see one appear without warning or a program installation, I end it. If it reappears, it is surely malware, and I begin my quick removal process involving using Process Explorer to kill the process and delete it. I often find IExplore.exe running at this point as well, and proceed to delete the hijacking DLLs that have caused it to spawn without being asked.

I've also detected malware problems simply from CPU usage (winlogon, for example), which generally means I have to visit my WLNotify key in the registry, check for strange entries, and remove the entries and the files.

The only thing that has EVER come close to stumping me was a rootkit, which was quickly subdued thanks to RootkitRevealer.


Hi

I never said, nor intended to imply, that ntoskrnl.exe was infected,
only that an obsolete version shows the latest emergency security patch has not been applied.

I fully agree that any worm that previously existed will be eliminated by the clean install of Windows;
BUT without that latest emergency security patch the raw operating system will remain vulnerable, though hopefully it should have protection from any anti-virus protection and firewall.

Several times a day I get a new virus signature update from ESET.
It is nice to think they are on the ball.
It is disturbing to think they determined this new signature from a new infection yesterday, and to wonder when the Fickle Finger of Fate will choose my computer to receive the infection that will give them information for tomorrow's signature update !!!

This is why I like to have all the protection I can get, which regrettably means accepting all relevant security patches.
That is my lifestyle choice.
You have made a slightly different choice and are taking more responsibility for supervising your own security. That is O.K. too.

I accept that you have your computer under your control.

Regards
Alan

Yours is a much more cautious (and smart, I'll admit) route: I prefer the cold thrill of living on the bleeding edge of DANGER!

Will it Boot? Do my files still exist? WHO KNOWS!


I don't even run anti-virus or firewall software

and yet only trojans have managed to ever get into my computer so far!



But genuinely, thanks for the information on the flaw; I wouldn't have known about it otherwise. Perhaps I will research it to determine just how much of a threat it poses to me, and what it enables malware to do.
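Alan's point above is that an old ntoskrnl.exe only tells you the emergency patch KB958644 has not been applied, and the thread gives 14/08/2008 as the date on the kernel files that patch installs. The script below is an added example, not something posted in the thread: it reports whether KB958644 shows up in the installed-hotfix list and what version and date the running kernel carries. It assumes Windows with PowerShell 2.0 or later and the standard Get-HotFix cmdlet; the 14 Aug 2008 reference date is taken from Alan's post and is only a weak hint, since the hotfix entry is the authoritative signal.

```powershell
# Added example (not from the thread): patch-state check for KB958644.
# Assumes PowerShell 2.0+ on Windows; Get-HotFix reads the QFE/Windows Update history.

function Get-KB958644Status {
    param(
        [string]$KernelPath = (Join-Path $env:SystemRoot 'System32\ntoskrnl.exe')
    )

    # Non-terminating error if the hotfix is absent; we just get $null back.
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    $installedOn = $null
    if ($hotfix) { $installedOn = $hotfix.InstalledOn }

    $kernel = Get-Item -LiteralPath $KernelPath

    # Build date quoted in the thread for the kernel shipped by KB958644 (14 Aug 2008).
    # File timestamps can be altered, so this is only a hint, not proof either way.
    $patchedKernelDate = Get-Date -Year 2008 -Month 8 -Day 14 -Hour 0 -Minute 0 -Second 0
    $olderThanPatch = ($kernel.LastWriteTime.Date -lt $patchedKernelDate.Date)

    New-Object -TypeName PSObject -Property @{
        HotFixInstalled      = [bool]$hotfix
        HotFixInstalledOn    = $installedOn
        KernelPath           = $kernel.FullName
        KernelFileVersion    = $kernel.VersionInfo.FileVersion
        KernelLastWrite      = $kernel.LastWriteTime
        KernelOlderThanPatch = $olderThanPatch
    }
}

# Print the report; a missing hotfix entry is the finding to act on.
Get-KB958644Status | Format-List
```

If HotFixInstalled is false on an XP machine, the clean install has simply restored the pre-patch kernel, which is exactly the situation Alan describes.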

