Possible BIOS virus, P4P800



#16
happyrock (Tech Moderator, Retired Staff, 9,285 posts)
you can reinstall all the apps from cd if possible, that way you know they're not infected...
your data is a different story...you should scan them using many different scanners as none catch everything...each has strengths and weaknesses...
with that said, do you really need to put all your data back on the fresh install...
whatever AV you chose, it should have heuristic scanning capabilities...

Heuristic scanning is similar to signature scanning, except that instead of looking for specific signatures, heuristic scanning looks for certain instructions or commands within a program that are not found in typical application programs. As a result, a heuristic engine is able to detect potentially malicious functionality in new, previously unexamined malicious code, such as the replication mechanism of a virus, the distribution routine of a worm or the payload of a trojan.
#17
trampas (Topic Starter, Member, 99 posts)
Those additional comments are appreciated h.

I agree that I should be fairly safe with applications. One area of doubt is the add-ons for Chrome - I'm not sure how I can know that I'm safe with those. E.g. addblockplus, noflash, notscript.

My personal data is the big remaining issue. One of the files that I regard as highly suspicious kept changing its size on my hard drive (without me doing anything!). I submitted it to virscan.org for testing but no malware was found. I therefore wonder if the malware was encrypted/compressed before being attached to my file.

Now that I have a Boot CD I have attached my backup drive to the desktop and run Avira (mid-Jun 2010 version). What do you know, it found TR/Crypt.ULPM.Gen on the backup drive. The virus is in two files named De19.dat and De5.zip which are located in \RECYCLER\S-1-5-21-xxx-xxx-xxx-1003\.

The xxx each represent 7 or 9 digit numbers (available) and that folder is hidden.

This detection seems like progress.

What I'm not sure of is whether my desktop PC would be infected if I connected that backup drive (it's a USB device) and copied my personal files back to the PC's hard drive. USB mass-storage devices aren't supposed to execute anything when you connect them to the PC (if you have the latest MS patches). However if they present themselves as CD-ROMs then they do execute stuff. My USB broadband modem does this.

#18
happyrock (Tech Moderator, Retired Staff, 9,285 posts)
try deleting everything in the RECYCLER folder...you don't need any of those on your backup drive...
if you have problems deleting them use a live linux cd like puppy linux and boot from the cd and delete them all that way

What I'm not sure of is whether my desktop PC would be infected if I connected that backup drive (it's a USB device) and copied my personal files back to the PC's hard drive.

yes that's exactly how you could reinfect your computer...
you have several choices on your data...
use a VM...or use a sandbox to open your data to see what it does

One area of doubt is the add-ons for Chrome - I'm not sure how I can know that I'm safe with those. E.g. addblockplus, noflash, noscript.

those are fine...just get them using chrome

#19
trampas (Topic Starter, Member, 99 posts)
Cheers h, some great advice there.

Can I just clarify one thing? Let's say I didn't immediately delete the RECYCLER folder on the backup drive. I could be risking re-infection of my desktop PC but at which stage would that be:
i) Booting windows normally and plugging in the USB backup drive
ii) Do (i) then perform a copy of one or more files from the backup to the hard drive
iii) Do (i) & (ii) then do something with a suspect RTF file with WordPad or WORD.

My understanding is that I can safely connect the backup drive to any suitably-patched XP system. One possible advantage of doing this would be to connect the backup drive to my laptop. I could then run Avira on the laptop, scan the backup drive and wait to see if it finds the 2 Trojans. If it does then it probably means (to my thinking) that there's no rootkit on the laptop. Not certain that that's true, but the inverse ought to be: if no Trojan is found then this confirms there IS a rootkit on the laptop.

EDIT: In step (i) what if the backup drive is secretly presenting itself as a CD drive? I couldn't see an AUTORUN.INF on the backup drive but my knowledge of what could happen is very limited. Your comments would be appreciated.


Separately, I'm thinking about using sandboxie on the desktop PC with WORD. I could then open a suspicious RTF file with sandboxed WORD to see what happens. If sandboxie gives no warnings then at least I know it's safe to open these RTF files. Is that what you were thinking?

t.

Edited by trampas, 07 March 2012 - 03:28 PM.


#20
happyrock (Tech Moderator, Retired Staff, 9,285 posts)

Can I just clarify one thing ? Let's say I didn't immediately delete the RECYCLER folder on the backup drive. I could be risking re-infection of my desktop

not unless you open one of the files there that is infected...

at which stage would that be :

i) Booting windows normally and plugging in the USB backup drive

no...

ii) Do (i) then perform a copy of one or more files from the backup to the hard drive

yes if it's infected and you open it...
like I said before you should scan that drive repeatedly with many different scanners

iii) Do (i) & (ii) then do something with a suspect RTF file with WordPad or WORD.

yep...either convert the RTF file to a doc or txt file
or use linux to print the RTF...then using OCR software scan it (the linux version) then read it to be sure it's right...then save it in any format you choose...

#21
trampas (Topic Starter, Member, 99 posts)
I've conducted a few tests but I'll just give this one result initially.

I deleted the RECYCLER folder from the backup drive. I then ran the ESET online scanner on my desktop PC whilst the backup drive was connected.

The only detections were in UBCD4Win which I presume are false positives. There were 4 altogether, in each case it was 'win32/Prcview application'.

I could run some further online scans.

t.

#22
happyrock (Tech Moderator, Retired Staff, 9,285 posts)

UBCD4Win which I presume are false positives

yep...they are false positives...

I could run some further online scans.

yep...that's a good plan...
NOTE all the online scanners will flag UBCD4Win...don't worry its safe

#23
trampas (Topic Starter, Member, 99 posts)
Some more scanners that I could use :
bitdefender
kaspersky
virus total
trendmicro
jotti
f-secure
symantec
avg
mcafee
microsoft

Any thoughts on that lot?

I've downloaded a trial copy of ConvertDoc from Soft Interface. This will perform a conversion of RTF to DOC and it will recurse sub-directories (I think). So I'll give that a go. The objective is to end up with some form of document that has had the padding (i.e. the encrypted malware) removed. So if I convert an RTF to a DOC I should then be able to open the DOC with WORD, select all, copy to clipboard, paste to a new DOC, save it and end up with a second DOC file about the same size as the first.

Whether the padding is removed or not the DOC version of a given file (of mine) ought to be smaller than the RTF. This is because most of my files contain tables and these seem to be handled more efficiently in DOCs than in RTFs.

t.
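The conversion route discussed in #20 and #23, and the padding suspicion raised in #17, as an added example (this is not code from the thread): a minimal RTF reader in Python that keeps only the characters a viewer would display and reports what sits after the brace that closes the document. An RTF file is one brace-delimited group beginning with {\rtf1; readers stop at the brace that closes it, so bytes appended after it never appear on screen but still sit in the file and show up in its size. The sample document, the appended block of seeded pseudo-random bytes standing in for an encrypted payload, the list of skipped destinations and the cp1252 default are all constructed assumptions.

```python
"""Added example, not from the thread: keep only the text an RTF viewer would
show, and measure whatever has been appended after the document's closing brace.
Assumes input starts with "{\\rtf" and that 8-bit text is cp1252 unless told."""
import math
import random
import re

# Group destinations whose contents are never shown as body text (not exhaustive)
_SKIP = {b"fonttbl", b"colortbl", b"stylesheet", b"info", b"pict", b"object",
         b"objdata", b"header", b"footer", b"generator", b"listtable", b"themedata"}
# Control words and symbols that stand for a printable character
_SPECIAL = {b"par": "\n", b"line": "\n", b"sect": "\n", b"row": "\n", b"tab": "\t",
            b"cell": "\t", b"emdash": "\u2014", b"endash": "\u2013", b"lquote": "\u2018",
            b"rquote": "\u2019", b"ldblquote": "\u201c", b"rdblquote": "\u201d",
            b"bullet": "\u2022", b"~": "\u00a0"}
_TOKEN = re.compile(
    rb"\\([a-z]{1,32})(-?\d+)? ?"   # control word, optional parameter, delimiter
    rb"|\\'([0-9a-fA-F]{2})"        # \'hh: one byte in the document code page
    rb"|\\(.?)"                     # control symbol or escaped \ { }
    rb"|([{}])"                     # group open / close
    rb"|([^\\{}]+)",                # run of plain text
    re.DOTALL)


def parse_rtf(data: bytes, codepage: str = "cp1252"):
    """Return (rendered text, offset just past the document's closing brace)."""
    if not data.startswith(b"{\\rtf"):
        raise ValueError("not an RTF file")
    out, stack = [], []
    skip, uc, pending, first, pos = False, 1, 0, False, 0
    while pos < len(data):
        m = _TOKEN.match(data, pos)
        pos = m.end()
        word, param, hexbyte, sym, brace, text = m.groups()
        was_first, first = first, False
        if brace == b"{":
            stack.append((skip, uc))
            first = True
        elif brace == b"}":
            skip, uc = stack.pop()
            if not stack:
                return "".join(out), pos      # outermost group closed here
        elif word is not None:
            if word != b"u":
                pending = 0                   # fallback text never spans a control word
            if word == b"bin":                # N raw bytes follow: skip, never text
                pos += max(int(param or 0), 0)
            elif word == b"uc":
                uc = int(param or 1)
            elif word == b"u" and param is not None:
                cp = int(param)               # signed 16-bit code point
                if not skip:
                    out.append(chr(cp + 0x10000 if cp < 0 else cp))
                pending = uc                  # ANSI fallback chars to drop
            elif was_first and word in _SKIP:
                skip = True
            elif not skip and word in _SPECIAL:
                out.append(_SPECIAL[word])
        elif hexbyte is not None:
            if pending:
                pending -= 1
            elif not skip:
                out.append(bytes([int(hexbyte, 16)]).decode(codepage, "replace"))
        elif sym is not None:
            if sym == b"*" and was_first:
                skip = True                   # {\*\name ...}: ignorable destination
            elif not skip and sym in (b"\\", b"{", b"}"):
                out.append(sym.decode())
            elif not skip and sym in _SPECIAL:
                out.append(_SPECIAL[sym])
        elif text is not None:
            text = text.replace(b"\r", b"").replace(b"\n", b"")
            drop = min(pending, len(text))
            pending -= drop
            if not skip and text[drop:]:
                out.append(text[drop:].decode(codepage, "replace"))
    raise ValueError("unbalanced braces: the document never closes")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: near 8 for encrypted or compressed data, 4 to 5 for text."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in map(buf.count, range(256)) if c)


def inspect_rtf(data: bytes) -> dict:
    """Rendered text plus a verdict on the bytes appended after the document."""
    text, end = parse_rtf(data)
    trailing = data[end:].strip(b" \r\n\t\x00")   # writers often end with CRLF or NUL
    ent = shannon_entropy(trailing)
    return {"text": text, "rtf_bytes": end, "trailing_bytes": len(trailing),
            "trailing_entropy": round(ent, 2), "suspicious": len(trailing) >= 64 and ent >= 7.0}


# Constructed sample: font table, ignorable destination, accented and Unicode
# characters, a two-cell table row, an embedded picture and escaped braces
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\ansicpg1252\\deff0\\uc1{\\fonttbl{\\f0\\fnil Arial;}}"
    b"{\\*\\generator Riched20;}\\pard\\f0 Caf\\'e9 price: \\u8364?5\\par"
    b"\\trowd\\cellx3000\\cellx6000 Item\\cell Qty\\cell\\row"
    b"{\\*\\shppict{\\pict\\pngblip 89504e470d0a1a0a}}"
    b"Escaped \\{braces\\} and a backslash \\\\\\par}\r\n")
# Constructed: the same file with 4 KiB of seeded pseudo-random bytes appended,
# standing in for an encrypted payload hidden after the document
_rng = random.Random(20120307)
PADDED_RTF = SAMPLE_RTF + bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    print(inspect_rtf(PADDED_RTF))
```

Run it on a real file with inspect_rtf(open(path, "rb").read()): a clean RTF reports trailing_bytes of 0; a trailing block scoring near 8 bits per byte is the encrypted or compressed case, while appended plain text scores around 4 to 5. The verdict only covers bytes outside the document: a payload hidden inside an embedded object or picture group is dropped by the conversion but not counted, so compare the converted size with the original as well, as the test in this post does.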

#24
happyrock (Tech Moderator, Retired Staff, 9,285 posts)
if you're talking about free online scanners then kaspersky is probably the best but it only scans...it will not remove anything
some of the others will also remove malware...if I could only choose 1 it would be kaspersky

#25
trampas (Topic Starter, Member, 99 posts)
Just my luck - the kaspersky online scanner is 'offline' LOL. A new better version 'coming soon' !

Here's what I found with the test that I devised for a padded RTF file:

File1.rtf (suspicious) size 1683 KB
File2.rtf (screen-scraped copy of File1.rtf) size 1222 KB
File1.doc (converted version of File1.rtf) size 913 KB
File2.doc (screen-scraped copy of File1.doc) size 1016 KB
File3.doc (SaveAs copy of File2.doc) size 1016 KB

All good but a surprise increase in size for File2.doc. Go figure!


EDIT: Just for good measure:

File4.doc (converted version of File2.rtf) size 909 KB

doesn't seem unreasonable but size=913KB would have been a nice outcome.

t.

Edited by trampas, 09 March 2012 - 01:53 AM.

#26
trampas (Topic Starter, Member, 99 posts)
I've been using the desktop PC for a few weeks. I've noticed a few oddities. Perhaps the most significant one is the behaviour of WORD. If I open a particular DOC file (possibly any DOC would do), then immediately close it, I get asked "Do you want to save the changes?". If I perform that cycle repeatedly, without ever saving the alleged change, I get asked the question about 8 times out of 10.

I haven't done anything with the NORMAL.DOT file.

I suspect this is virus activity.

I'm generally using a restricted user on this PC. Whenever I log out/reboot I get a message that ZoneAlarm is not responding, so I have to choose the 'End Now' option. I don't get this with the administrator account.

The PC is back to the point now where it frequently performs a file system check when I boot it up. Sometimes the files recovered are part of the Avira package.

My feeling is that the PC has been re-infected by my WORD DOCs/RTFs. I booted from UBCD4WIN and ran several virus checkers including Avira. Nothing was detected. Root Kitty did not detect a rootkit (assuming I used the app correctly - when I clicked COMPARE there was no confirmation that any action had been performed). Note that this CD has the virus definitions as they were in 2010.

Edited by trampas, 25 March 2012 - 10:09 PM.


#27
happyrock (Tech Moderator, Retired Staff, 9,285 posts)
you should start a new topic in the malware forum because you suspect malware...
that is the only forum that you can get advice in on anything malware related...
post a link to this topic for them when you do...