Well, I just got the sh*t kicked out of me by a virus...

Discussion in 'FirstDefense-ISR Forum' started by chrome_sturmen, Aug 20, 2007.

Thread Status:
Not open for further replies.
  1. chrome_sturmen (Registered Member)
    OK, I keep a snapshot with everything on it I need, Server 2003, and I consider it my flagship. Recently, I decided it would be a good idea to make an XP snapshot just for gaming, so I wouldn't have all those services running like I do on Server 2003, so I set to that task. Over the course of about a week now, I've been slowly building up my XP snapshot for the purpose of playing games (though I'm not a big gamer). Eventually I got to thinking "do I really wanna keep this snapshot totally offline?" so I threw a firewall and antivirus on it so I could get online a little from that snapshot. Anyways, today I was about all done setting up my game snapshot; I would've been finished today....

    I was kicking around looking through program cracks and downloaded one, and for whatever reason I didn't have NOD32's file system monitor enabled. I got a virus, and when I turned on NOD32's file system monitor it started giving warnings every split second, saying all these processes, including itself, were a virus... including the ISR service. Now, I had not yet created an archive of my game snapshot, but I decided to go ahead and cut my losses and delete the snapshot, so I booted back over to Server 2003, and everything was OK, till I ran First Defense-ISR to delete the snapshot. Apparently the virus had latched onto the ISR service, and when I ran it from Server 2003, I started getting the same behavior as I had over on XP: Avira went nuts, and I couldn't do anything about it; there was just nothing I could do. I couldn't get to my other snapshots because ISR wouldn't run.

    So, I went and dug out my Server 2003 disc and installed it fresh, then I installed First Defense and pointed it to my archived snapshots. I copied back over my main Server 2003 snapshot (which was only about 3 days old), booted into it, then deleted the fresh install snapshot. I'm now in the process of copying back over my other small snapshots. If I'd not had those archived snapshots, I'd be starting completely from scratch. If I'd archived the game snapshot I'd still have it too, but I wasn't ready to archive it yet, and I just didn't think anything would happen.

    After thinking it over, maybe it's not such a great idea for me to keep a snapshot just for gaming. It was beginning to take on a life of its own and I just don't need that complexity; I'd rather install my games on Server 2003 along with the rest of my stuff and maybe close a few services before I play or something.

    Anyways, that virus sure knocked me on my ass. It took out both my main snapshots; it was the archives that saved me in the end. I sort of wish I'd archived that gaming snapshot, just so I'd have the option of restoring it if I wanted, but that's life. I try to think of every mistake as a chance for me to learn something and come back stronger, and to learn the good points of being wary. I had never been hit by a virus, ever, but today I was, and it nearly took my system out and cost me a lot of time, but thanks to First Defense I managed to stave it off. I have only my own foolhardiness to thank for the trouble I created; had I thought before I acted, it never would've happened.

    So, 3 lessons from this are:

    Keep archived snapshots of everything and auto-update them daily, and
    Keep your antivirus's file system monitor enabled, and
    Be careful fooling around with cracks etc....


    I just lost a week's work, but it could've been far worse.
     
  2. tradetime (Registered Member)
    Glad to see you weathered the storm. Thanks for sharing; a good reminder to us all.
     
  3. Peter2150 (Global Moderator)
    Hi Chrome,

    A couple of thoughts. First, have you considered something like Returnil or Sandboxie for that kind of play? Returnil should have dumped it on reboot, and Sandboxie does great at containment.

    You are absolutely right about frequent updates of archives. To that I'd add imaging like Acronis or ShadowProtect. That would have made recovery even quicker.
     
  4. Seer (Registered Member)
    I think ErikAlbert should see this thread...

    Well, that goes without saying, doesn't it? ;)

    NEVER go to crack sites. Porn sites are not bad, warez sites are not bad, and neither are torrent sites. These (dedicated crack sites) are the real malicious ones. I know a dozen stories identical to yours. I'm sorry that you had to learn your lesson the hard way. Why on earth did you have NOD's resident protection disabled when surfing crack sites and downloading stuff? This was rather irresponsible.
    However, this thread is good feedback on how FDISR should not be used as a security app. Another reminder that every app has its place... and purpose.

    Cheers,
     
  5. Perman (Registered Member)
    Hi, folks: I am glad that FD-ISR's archive snapshots saved your bacon. I remember that FD-ISR strongly recommends putting archive snapshots on a different partition. I do not know whether this is so in your case, but anyway you have survived. Happy for you.
     
  6. aigle (Registered Member)
    Let me ask, how was the virus able to infect both snapshots?
    This is the first time I have heard of it. Until now I thought it to be possible in theory only.
     
  7. Peter2150 (Global Moderator)
    Aigle,

    FDISR isn't security software. Everything it uses is on the hard drive. It is only protected by Windows XP permissions. If FDISR can elevate permissions to copy across, so can malware.

    It becomes more protective if you keep archives off disk.

    Pete
     
  8. Longboard (Registered Member)
    Hey chrome: thanks for posting that.
    Respect: very humble of you :)
    Echo to all those comments about keeping a schedule of some sort re archives, etc.: so easy to forget, and then remember what a fecking pain a recovery is.

    Did you catch it: send it anywhere, anything able to stop it?

    Good "snapshot" of recovery with that little jewel FDISR.

    Said it before: FDISR is my cornerstone and BING my spine.

    DefenseWall: nudge nudge

    lol, so easy to be wise after the event.....

    Regards.
     
  9. aigle (Registered Member)
    I understand this.
    I am just surprised, as this is the first actual event of this type. So far it was just a theory, as we thought that actually exploiting FDISR would have very, very low chances. But now I know that even some malware messing with Windows services can mess with FDISR, and there may be other possibilities too, short of actually exploiting FDISR.

    BTW, I still doubt that it happened so. Maybe both snapshots were infected separately. Not sure.
     
  10. chrome_sturmen (Registered Member)
    Thanks, guys, for the replies and interest. I just don't quite know what happened. NOD32 wouldn't function on the infected snapshot; it kept finding everything, including itself, to be a virus. I couldn't install anything, I kept getting errors; I couldn't install Java so I could do an online Trend Micro scan. Then once I booted back over to my main Server 2003 snapshot, I scanned the ISR folders with both Trojan Remover and Avira, but nothing was found. Everything was fine on that main snapshot until I brought up ISR for the purpose of deleting the bad snapshot; then the problem migrated to my good snapshot, too. I just didn't see a choice but to nuke all snapshots and restore from archives. If I'd just archived my gaming snapshot earlier in the day, I would've lost literally nothing, except a little time. No matter how many fail-safes I have in reserve, it seems like something, somewhere, in one form or another, usually eventually gets me, and hampers my progress towards setting up the computer for a good computing experience. This is usually due to my own oversights.
    I tend to get too comfortable after a while with no trouble, and I get overconfident. Then a minute's indiscretion is all that's needed to cause yourself a potentially big problem and set back progress. Fortunately for me, these setbacks are getting more minor as time goes along.

    I will be brushing up even more now on my defenses, and instituting more self-discipline as regards archiving my snapshots and updating my Acronis disk images.

    All in all I'm contented, because I could've got hit a lot harder than I did.

    Thanks again for the advice/feedback :D
     
  11. chrome_sturmen (Registered Member)
    It did happen so. I did not infect my good snapshot once the other one was infected. All I did was run First Defense to delete the bad snapshot, and once I did that the infection spread to my good snapshot. I'm 100% positive of this.
     
  12. Longboard (Registered Member)
    That in itself is interesting: if the FDISR exe/services can be corrupted, then unfortunately whole "on disc" snapshots might be lost, and then it's necessary to restore the OS and the .arx file.

    I hope Todd is looking at this.
    While I know FDISR is not a "security" app, I have sort of regarded it as a buffer: lose one snap, boot to secondary, etc.

    Would seem this might have implications for RollBack??

    If the actual processes are corrupted, then = cooked goose, as happened: Swedish style ;)

    That was why I was wondering what the cockroach was and whether the way your FDISR was wrecked could be commented on.

    ADD: What's to say, Pete, that the same thing couldn't happen to your ShadowProtect exe or backup processes? (in the event of an inadvertent careless hex) Although I recognise chrome had little or no protection running.
     
    Last edited: Aug 20, 2007
  13. chrome_sturmen (Registered Member)
    The virus is in this torrent I downloaded:

    [Do not post links to cracks here - Blue]

    The file is called
    East-Tec.Eraser.2007.v8.5.2.100.Multilingual.Cracked.WinAll-BRD

    Anyone who downloads it, be careful.
     
    Last edited by a moderator: Aug 20, 2007
  14. Longboard (Registered Member)
    Whoo-hoo, lucky users of that torrent :(
     
  15. Peter2150 (Global Moderator)
    It could, but I don't see it as an issue. Both images and FDISR archives are off disk, with copies on an external drive that is turned off.

    In this case Chrome knew he had a problem, so even if the on-disk SP processes are corrupted, you don't use them for recovery anyway. I doubt what hit him could corrupt a CD sitting on my desk, which is where the needed processes are.

    When I restore, I am booting to a CD. The hard drive is out of the picture. The first thing I do before starting the restore is delete the volume. I don't see any way anything on the drive could have any effect.
     
  16. ErikAlbert (Registered Member)
    Hmmm.... just in time to copy that link.
    If I ever have time, I will try it out to test my frozen snapshot and my poor security setup. :D
     
  17. Longboard (Registered Member)
    @Peter2150
    Sure.
    I thought I recalled you saying you were running a high-frequency incremental backup schedule, and that was what my question was directed at.

    @E-A
    lol
     
  18. EASTER (Registered Member)
    Capital idea! Always and everywhere keep ARCHIVES of your most cherished snapshots on alternative media, like another hard drive or another medium of your choice, and FD-ISR will save your skin. Imaging of course is the very last line of emergency restore relief, but in most cases FD-ISR ".arx archives" are the key to putting Humpty-Dumpty back together again, and all in one piece as before.

    It's one amazing piece of work that any user will find a trustworthy apparatus they really can turn to in the event of such a catastrophe.
     
  19. Huupi (Registered Member)
    How do you guys prevent disaster at the archive locations [physical, virus, theft, fire, flood etc.]? Which measures do you take? In general I guess the archives are more important to us than our current internal hard disks, which can be replaced easily. So it eased me somewhat to have multiple copies of all archives in multiple locations; maybe very redundant, but you never ever know........ better safe than sorry.
     
  20. Peter2150 (Global Moderator)
    Yes. Make copies of internal drives and images on external USB drives, which are turned off as we... err... speak.
     
  21. Peter2150 (Global Moderator)
    I am, but when that is running, that machine, while online, is behind a router, OA and ProSecurity. Also, should a browser be used, it's sandboxed. Only the safest of online activity, not only during business, but in general on that machine.

    Even if I did something that caused a problem, I'd know when I did it.

    Besides, Longboard, even with my worst surfing, I've never triggered my AVs. That's why now the only place I even run one is in my VM machine, which I do push to the limits at times.

    Pete
     
  22. chrome_sturmen (Registered Member)
    Good question, Huupi. I myself just have one archive of each snapshot, on a separate disk from my operating system, in a folder called "images/first defense isr".

    I don't think the virus I caught specifically targeted First Defense; it just infected many things and it was one of them. I guess it wouldn't be a bad idea to keep more than one copy of the archives, maybe on an external drive, or at least in another location on your system. Now, if there were viruses specifically created to target .arx files, I might get worried, but I don't think that's an issue at present, so I tend to feel fairly secure with one archive of each snapshot and an Acronis image of the entire drive. Large hard disks are really nice in that they afford plenty of the space needed for one to keep things such as multiple backups, without sacrificing other things.

    One thing to consider is that First Defense doesn't come with a rescue CD with which you could boot from DOS and recover with a backup of your choosing; you can only recover from archives in one specific location. The aforementioned ability is usually the realm of traditional imaging applications, which First Defense is not (though obviously it holds its own niche).
    Meaning you'd have to do as I did: install Windows fresh, install First Defense, then copy over your archive and boot to it.
    Whereas with most imaging applications, you can put its rescue media in the drive, use the software to specify an image you want to restore, and it's all done from DOS: a couple of steps less. The best method, I think, is using a combination of both methods in addition to file/folder mirroring applications. These 3 ways seem to harmonize very well for me.


    -
    By the way, as an update, I've already caught up with and then passed the point I was at when the virus hit me, in the progress of setting up my system to my liking, thanks to First Defense.

    Thank you guys, for all the help and camaraderie ;-)
     
  23. ErikAlbert (Registered Member)
    I think it is a good idea to keep images and archives that are based on a fresh installation, because they are as clean as possible.
    When I install my computer from scratch, I avoid any internet connection as much as possible.
    Unfortunately, more and more software companies make a 100% offline installation impossible.
    So sometimes I have to go online, but I keep these internet connections as short as possible.

    During this re-installation and configuration, I can create clean images and archives at crucial moments, put them aside and use them only for restoration, not for daily backup or archive.
    After a while these images and archives will get out of date, but they are at least clean and a good start to get my computer back in a healthy state.

    That is the main reason why I will re-install my computer in September:
    to get these clean images and archives, to avoid a total manual re-install and configuration from scratch in the future.

    Where you store all your images and archives is a separate problem.
     
  24. Huupi (Registered Member)
    With ever-dropping prices on hard disks, it shouldn't be a problem to create more locations on different disks. My primary [work snapshot] is continually updated/refreshed with a primary archived snapshot (and vice versa); alongside, I keep an archived snapshot (primary copy) which is updated once a week. Why? If my working primary collapses at some time, and just very recently before that I did an update to my archive, then I can't recover by refreshing my primary with the archive, because both are almost identical! So I use my "once in a week snapshot" to recover easily. Beyond all this, everything is covered by ShadowProtect, so there are several strategies to use to recover!
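The rotation Huupi describes above (a daily-refreshed archive plus an older copy held back for a week), together with Peter2150's earlier point that an on-disk copy is only as safe as the permissions on it, as an added worked example. This is not code from the thread and not anything FD-ISR ships; it is a small Python script that treats the .arx files as opaque blobs. The directory layout (daily, weekly), the manifest.json and weekly.stamp files, the seven-day hold-back and the sample archive contents are all assumptions constructed for the example. The hash manifest catches a copy that was altered after it was archived; it cannot tell a clean snapshot from one archived after the infection, which is exactly why the older copy is kept.

```python
"""Archive copies with a SHA-256 manifest and a held-back weekly copy.

Added example for this thread; not FD-ISR code and does not read real .arx
files. Directory names, manifest.json and weekly.stamp are assumptions.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path
from typing import Dict, List, Optional

ARCHIVE_EXT = ".arx"  # extension the thread refers to; contents below are placeholder bytes


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(archive_dir: Path) -> Path:
    """Record a digest for every archive in the directory as it was at copy time."""
    manifest = {p.name: sha256_file(p) for p in sorted(archive_dir.glob("*" + ARCHIVE_EXT))}
    out = archive_dir / "manifest.json"
    out.write_text(json.dumps(manifest, indent=2))
    return out


def verify_against_manifest(archive_dir: Path) -> List[str]:
    """Return the names of archives that are missing or no longer match the manifest."""
    expected: Dict[str, str] = json.loads((archive_dir / "manifest.json").read_text())
    return [
        name for name, digest in expected.items()
        if not (archive_dir / name).exists() or sha256_file(archive_dir / name) != digest
    ]


def copy_archives(src: Path, dst: Path) -> None:
    """Replace dst with a fresh copy of every archive found in src."""
    if dst.exists():
        shutil.rmtree(dst)
    dst.mkdir(parents=True)
    for p in src.glob("*" + ARCHIVE_EXT):
        shutil.copy2(p, dst / p.name)


def rotate(primary: Path, store: Path, today: date, weekly_age_days: int = 7) -> bool:
    """Refresh the daily copy every run; refresh the weekly copy only once it is old enough.

    The daily copy always mirrors the primary, so if the primary was already bad
    the daily copy is bad too; the held-back weekly copy is the fallback for that
    case. Returns True if the weekly copy was refreshed on this run.
    """
    copy_archives(primary, store / "daily")
    write_manifest(store / "daily")
    stamp = store / "weekly.stamp"  # assumed bookkeeping file: date of the weekly copy
    age = (today - date.fromisoformat(stamp.read_text())).days if stamp.exists() else None
    if age is None or age >= weekly_age_days:
        copy_archives(primary, store / "weekly")
        write_manifest(store / "weekly")
        stamp.write_text(today.isoformat())
        return True
    return False


def pick_restore_source(store: Path) -> Optional[str]:
    """Prefer the newest copy whose files still match their manifest; None if neither does."""
    for name in ("daily", "weekly"):
        d = store / name
        if (d / "manifest.json").exists() and not verify_against_manifest(d):
            return name
    return None


def simulate() -> dict:
    """Constructed scenario: clean archive on day 0; the primary goes bad on day 3 and
    the daily copy is refreshed from it; afterwards the daily copy on disk is altered."""
    root = Path(tempfile.mkdtemp())
    primary, store = root / "primary", root / "store"
    primary.mkdir()
    arx = primary / "server2003.arx"
    arx.write_bytes(b"clean snapshot contents")  # placeholder, not a real archive
    day0 = date(2007, 8, 17)
    rotate(primary, store, day0)
    arx.write_bytes(b"clean snapshot contents + infected isr service")  # primary now bad
    weekly_refreshed = rotate(primary, store, day0 + timedelta(days=3))
    result = {
        "weekly_refreshed_on_day3": weekly_refreshed,
        "daily_mirrors_bad_primary": sha256_file(store / "daily" / arx.name) == sha256_file(arx),
        "weekly_still_clean": (store / "weekly" / arx.name).read_bytes() == b"clean snapshot contents",
    }
    # Something rewrites the daily copy after it was archived: the manifest catches that.
    (store / "daily" / arx.name).write_bytes(b"garbage")
    result["tampered"] = verify_against_manifest(store / "daily")
    result["restore_from"] = pick_restore_source(store)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(simulate())
```

Run as-is and the scenario reports that the day-3 refresh left the weekly copy alone, that the daily copy is byte-identical to the already-bad primary, that the later edit to the daily copy fails its manifest check, and that the weekly copy is the one to restore from. In practice the store would be the external drive Peter2150 describes, plugged in only while rotate() runs.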
     
  25. twl845 (Registered Member)
    Please excuse my ignorance but I've never heard of "cracks". Can anyone explain what they are? Thanks. :)
     
    Last edited by a moderator: Sep 28, 2007