Change boot driver process.

Is there a way to change the driver boot process or put my driver before others load in Windows?

You have some control over load order but not device start order. So
your DriverEntry routine will get invoked using the legacy NT4 load
ordering but AddDevice and StartDevice are invoked based on PnP
enumeration.

On 1/18/09, xxxxx@hotmail.com wrote:
> Is there a way to change the driver boot process or put my driver before others
> load in Windows?
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>


Mark Roddy
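The reply above separates legacy load order (which decides when DriverEntry runs) from PnP device start. The ordering it refers to is worked through below in an added example; this is not code from the thread or from any of its posters. It models the kernel's boot-start and system-start load sequence from the ServiceGroupOrder\List and GroupOrderList registry values. The SERVICES, GROUP_LIST and GROUP_ORDER tables are a constructed sample rather than a real hive (exampleav, examplefs, oddboot and samplesvc are invented names), and the name-order tie-break for services whose Tag is not listed in GroupOrderList is an assumption of the model, not a documented guarantee.

```python
r"""Added example (not from the thread or any of its posters): a model of the
legacy NT boot-time driver load order that the reply above refers to.

Boot-start drivers (Start=0) and then system-start drivers (Start=1) are
loaded group by group in the order of
HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List and, within a
group, in the Tag order given by ...\Control\GroupOrderList.  Device start
(AddDevice/StartDevice) is driven by PnP enumeration and is not modelled here.

Assumptions: SERVICES, GROUP_LIST and GROUP_ORDER are a constructed sample,
not a real hive (exampleav, examplefs, oddboot and samplesvc are invented
names); within a group, services whose Tag is not listed in GroupOrderList
are placed after the listed ones in name order.
"""
from typing import Dict, List, Optional, TypedDict


class Service(TypedDict):
    Start: int
    Group: Optional[str]
    Tag: Optional[int]


SERVICE_BOOT_START = 0    # loaded by the boot loader, before the kernel runs
SERVICE_SYSTEM_START = 1  # loaded by the I/O manager during kernel init

# Constructed sample of ...\Services\<name> values.
SERVICES: Dict[str, Service] = {
    "acpi":      {"Start": 0, "Group": "Boot Bus Extender",       "Tag": 2},
    "pci":       {"Start": 0, "Group": "Boot Bus Extender",       "Tag": 3},
    "fltmgr":    {"Start": 0, "Group": "FSFilter Infrastructure", "Tag": 1},
    "exampleav": {"Start": 0, "Group": "FSFilter Anti-Virus",     "Tag": 1},
    "disk":      {"Start": 0, "Group": "SCSI Class",              "Tag": 1},
    "oddboot":   {"Start": 0, "Group": None,                      "Tag": None},
    "examplefs": {"Start": 1, "Group": "File System",             "Tag": None},
    "tcpip":     {"Start": 1, "Group": "PNP_TDI",                 "Tag": None},
    "samplesvc": {"Start": 3, "Group": None,                      "Tag": None},
}

# Constructed ServiceGroupOrder\List: groups in load order.
GROUP_LIST: List[str] = [
    "System Reserved", "Boot Bus Extender", "FSFilter Infrastructure",
    "FSFilter Anti-Virus", "SCSI Class", "File System", "PNP_TDI",
]

# Constructed GroupOrderList: per group, Tag values in load order.
GROUP_ORDER: Dict[str, List[int]] = {"Boot Bus Extender": [2, 3], "SCSI Class": [1]}


def load_order(services: Dict[str, Service], group_list: List[str],
               group_order: Dict[str, List[int]], start_type: int) -> List[str]:
    """Names of the services with the given Start type, in legacy load order."""
    candidates = {n: s for n, s in services.items() if s["Start"] == start_type}

    def group_rank(group: Optional[str]) -> int:
        # A missing group, or one absent from ServiceGroupOrder, loads after every listed group.
        return group_list.index(group) if group in group_list else len(group_list)

    groups = sorted({s["Group"] for s in candidates.values()},
                    key=lambda g: (group_rank(g), g or ""))
    ordered: List[str] = []
    for group in groups:
        tags = group_order.get(group, []) if group is not None else []
        members = [n for n, s in candidates.items() if s["Group"] == group]

        def tag_rank(name: str):
            tag = candidates[name]["Tag"]
            # Listed tags first, in GroupOrderList order; unlisted or untagged after, by name.
            return (tags.index(tag) if tag in tags else len(tags), name)

        ordered.extend(sorted(members, key=tag_rank))
    return ordered


def boot_sequence(services=SERVICES, group_list=GROUP_LIST, group_order=GROUP_ORDER) -> List[str]:
    """Boot-start drivers first (their DriverEntry runs in this order), then system-start."""
    return (load_order(services, group_list, group_order, SERVICE_BOOT_START)
            + load_order(services, group_list, group_order, SERVICE_SYSTEM_START))


def ungrouped_boot_drivers(services=SERVICES, group_list=GROUP_LIST) -> List[str]:
    """Triage helper: boot-start drivers with no group or a group not in ServiceGroupOrder.

    They land at the end of the boot-start phase, and a boot-start driver
    outside the known groups is worth a second look during incident response."""
    return [n for n, s in services.items()
            if s["Start"] == SERVICE_BOOT_START and s["Group"] not in group_list]


if __name__ == "__main__":
    for position, name in enumerate(boot_sequence(), 1):
        print(f"{position:2d}. {name}")
    print("ungrouped boot-start drivers:", ungrouped_boot_drivers())
```

Feeding the model an exported SYSTEM hive instead of the constructed tables shows where a given Start=0 driver's DriverEntry falls relative to the rest; it says nothing about when its devices start, which, as the reply notes, PnP enumeration decides.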

What are you trying to do by changing the boot order? There might be an easier way to do what you want without touching the boot order

d

Sent from my phone with no t9, all spilling mistakes are not intentional.

-----Original Message-----
From: xxxxx@hotmail.com
Sent: Sunday, January 18, 2009 2:41 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Change boot driver process.

Is there a way to change the driver boot process or put my driver before others load in Windows?


Well, we are trying to build an application using the NT Native API.
This application is for deleting some files used by a trojan, which the most
popular AVs don't detect here and also don't delete the main files of.
The problem is:
This trojan installs a .sys (image sys driver) which protects all files used
by the trojan from being deleted during the boot process.
Also, we cannot change any information in the registry about this
trojan, because in the Windows environment this trojan has a DLL hooking any
change to its registry values, blocking the changes and in some cases
rolling back any changes we try to make, and of course we cannot delete
those files, because this DLL protects all of its own files, including
the .sys file.
We tried to call a native NT function, such as NTUnload, but it doesn't
work; I think because the driver doesn't have a section with instructions to
unload the driver.
We can delete these files using NtDeleteFile from the NT Native API in our
executable, because the trojan's driver loads before us, blocking the
function, and we see a message (STATUS_SHARING_VIOLATION). So we don't have
any ideas for deleting these files; they don't infect any other files, they
only install their own files to monitor PC activity and try to get bank
information.
So we don't have any more ideas how we can delete the files.

Can someone help us?

By the way, if needed, we can send here or by private e-mail our source
code, with which we try to delete these files, for which we built a small
application with the NT Native API.

Thanks for your help.


From: “Doron Holan”
Sent: Sunday, January 18, 2009 2:19 PM
To: “Windows System Software Devs Interest List”
Subject: RE: [ntdev] Change boot driver process.

> What are you trying to do by changing the boot order? There might be an
> easier way to do what you want without touching the boot order
>
> d
>
> Sent from my phone with no t9, all spilling mistakes are not intentional.

And the trojan DLL uses winlogon.exe to stay in memory, but when we try to
close winlogon, they use System to stay active. We try to stop the
service, but we always receive a message that we do not have rights to do
this action, and I believe they don't have a STOP function in the main DLL
from Services. All steps were tested in the Windows environment and also in the
Safe Mode environment; they don't work.


From: “Samir Sousa”
Sent: Sunday, January 18, 2009 4:55 PM
To: “Windows System Software Devs Interest List”
Subject: Re: [ntdev] Change boot driver process.

> This application is for deleting some files used by a trojan, which the most
> popular AVs don't detect here and also don't delete the main files of.
> The problem is:
> This trojan installs a .sys (image sys driver) which protects all files used
> by the trojan from being deleted during the boot process.

The tool to delete this trojan should be run off a separately booted recovery WinPE CD.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

The problem is doing it on 2500 computers, and it is also a problem if the trojan
reinstalls itself in the OS; because of this, we are trying to build a solution that does this every time
Windows starts. We have stations in other countries; I think the best
solution for us is to develop a solution.

Regards.


From: “Maxim S. Shatskih”
Sent: Sunday, January 18, 2009 6:27 PM
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Subject: Re:[ntdev] Change boot driver process.

> The tool to delete this trojan should be run off a separately booted
> recovery WinPE CD.

Have you sent it to the virus analysts like Kaspersky?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

“Samir Sousa” wrote in message news:xxxxx@ntdev…
> The problem is doing it on 2500 computers, and it is also a problem if the trojan
> reinstalls itself in the OS; because of this, we are trying to build a solution that does this every time
> Windows starts. We have stations in other countries; I think the best
> solution for us is to develop a solution.
>
> Regards.
>

Yes, I have. But until this moment we do not have a response from them. So time
is money; because of this we are trying to build a solution.


From: “Maxim S. Shatskih”
Sent: Sunday, January 18, 2009 6:32 PM
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Subject: Re:[ntdev] Re:Change boot driver process.

> Have you sent it to the virus analysts like Kaspersky?

Well, the system image you want to boot to clean the problem is compromised.
How do you know that the root-kit writers have not already found and
considered every hack to ensure that they load first and that no matter what
you come up with you are not already out-smarted by them.

Booting to a ‘read-only’ (locked) OS image that cannot be compromised by the
root-kit which can then remove it from the target boot environment is about
the only certain way you can clean something like this up and be sure you
have done so.

You can hope and wish and work as hard as you want. The bad-guys always are
a step ahead. Anything you can come up with they have already got an answer
for or will very quickly when you put your ‘solution’ into the field.

… and both are often wasted in large quantities when it comes to software.
I mean really, are your 2500 systems currently shut down to prevent further
damage? Is this a ‘business stoppage’ issue? That surely can cost *way
more* than getting enough people to walk a boot cdrom around to all of the
systems and clean up the mess - even if you have to hire temporary help.
You can probably clean 10 systems / hour / person. What does that cost vs.
what you are trying to do?

Waste of time. It can *never* keep ahead of the malware. If you have 2500
infected systems you have a serious problem in procedure and deployment.
You need to solve that problem and keep the malware out.

“Keep your finger away from the saw-blade instead of perfecting surgical
re-attachment of fingers.”

Maybe you can deploy a WINPE image that can clean-up the situation
automatically to these systems. It is unlikely that the root-kit has the
chops to modify a .WIM image (but hey, maybe! - that will be next.)

Good Luck,
-Dave

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Samir Sousa
Sent: Sunday, January 18, 2009 3:42 PM
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] Re:Change boot driver process.

Yes, I have. But until this moment we do not have a response from them. So time
is money; because of this we are trying to build a solution.


I appreciate your response, and we would like to develop the application to do this.
I don't believe it is impossible, because if they can do it, why can't we do it
better?

Thanks for Your reply.


From: “David R. Cattley”
Sent: Sunday, January 18, 2009 6:58 PM
To: “Windows System Software Devs Interest List”
Subject: RE: Re:[ntdev] Re:Change boot driver process.


There is an old principle of war, that you cannot win by reacting to the
opponent, at most you can do is have a long bloody conflict. Unfortunately
the fight on MALWARE is just that type of situation. The only long term
solution will be something that involves laws and actions to enforce those
laws that make it undesirable enough that most people will not dare to try.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

“Samir Sousa” wrote in message news:xxxxx@ntdev…
>I appreciate your response, and we would like to develop the application to do
>this. I don't believe it is impossible, because if they can do it, why can't we
>do it better?
>
> Thanks for Your reply.
>

Spoken like a true “Computer Scientist” (and no disrespect meant) and not
someone whose “Time & Money” (and ass) is on the line to get this fixed by
start of business on Monday.

Well, Good Luck!
-dave

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Samir Sousa
Sent: Sunday, January 18, 2009 4:07 PM
To: Windows System Software Devs Interest List
Subject: Re: Re:[ntdev] Re:Change boot driver process.

I appreciate your response, and we would like to develop the application to do this.
I don't believe it is impossible, because if they can do it, why can't we do it
better?

Thanks for Your reply.


Sorry for the comment; I used “Time is Money”.


From: “David R. Cattley”
Sent: Sunday, January 18, 2009 7:14 PM
To: “Windows System Software Devs Interest List”
Subject: RE: Re:[ntdev] Re:Change boot driver process.

> Spoken like a true “Computer Scientist” (and no disrespect meant) and not
> someone whose “Time & Money” (and ass) is on the line to get this fixed by
> start of business on Monday.
>
> Well, Good Luck!
> -dave
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Samir Sousa
> Sent: Sunday, January 18, 2009 4:07 PM
> To: Windows System Software Devs Interest List
> Subject: Re: Re:[ntdev] Re:Change boot driver process.
>
> I appreciate your response, and we like to develop the application to do
> is,
>
> I don´t beliave is impossible, because if they can do, why we can´t do
> more
> better?
>
> Thanks for Your reply.
>
> --------------------------------------------------
> From: “David R. Cattley”
> Sent: Sunday, January 18, 2009 6:58 PM
> To: “Windows System Software Devs Interest List”
> Subject: RE: Re:[ntdev] Re:Change boot driver process.
>
>> Well, the system image you want to boot to clean the problem is
>> compromised.
>> How do you know that the root-kit writers have not already found and
>> considered every hack to ensure that they load first and that no matter
>> what
>> you come up with you are not already out-smarted by them.
>>
>> Booting to a ‘read-only’ (locked) OS image that cannot be compromised by
>> the
>> root-kit which can then remove it from the target boot environment is
>> about
>> the only certain way you can clean something like this up and be sure you
>> have done so.
>>
>> You can hope and wish and work as hard as you want. The bad-guys always
>> are
>> a step ahead. Anything you can come up with they have already got an
>> answer
>> for or will very quickly when you put your ‘solution’ into the field.
>>
>>


>>
>> … and both are often wasted in large quantities when it comes to
>> software.
>> I mean really, are your 2500 systems currently shutdown to prevent
>> further
>> damage? Is this a ‘business stoppage’ issue? That surely can cost way
>> more
than getting enough people to walk a boot cdrom around to all of
>> the
>> systems and clean up the mess - even if you have to hire temporary help.
>> You can probably clean 10 systems / hour / person. What does that cost
>> vs.
>> what you are trying to do?
>>
>>


>>
>> Waste of time. It can never keep ahead of the malware. If you have
>> 2500
>> infected systems you have a serious problem in procedure and deployment.
>> You need to solve that problem and keep the malware out.
>>
>> “Keep your finger away from the saw-blade instead of perfecting surgical
>> re-attachment of fingers.”
>>
>> Maybe you can deploy a WINPE image that can clean-up the situation
>> automatically to these systems. It is unlikely that the root-kit has the
>> chops to modify a .WIM image (but hey, maybe! - that will be next.)
>>
>> Good Luck,
>> -Dave
>>
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com
>> [mailto:xxxxx@lists.osr.com] On Behalf Of Samir Sousa
>> Sent: Sunday, January 18, 2009 3:42 PM
>> To: Windows System Software Devs Interest List
>> Subject: Re: Re:[ntdev] Re:Change boot driver process.
>>
>> Yes I was. But until this moment we do not have a response from them. So
>> time is money; because of this we try to build a solution.
>>
>> --------------------------------------------------
>> From: “Maxim S. Shatskih”
>> Sent: Sunday, January 18, 2009 6:32 PM
>> Newsgroups: ntdev
>> To: “Windows System Software Devs Interest List”
>> Subject: Re:[ntdev] Re:Change boot driver process.
>>
>>> Have you sent it to the virus analysts like Kaspersky?
>>>
>>> –
>>> Maxim S. Shatskih
>>> Windows DDK MVP
>>> xxxxx@storagecraft.com
>>> http://www.storagecraft.com
>>>
>>> “Samir Sousa” wrote in message
>>> news:xxxxx@ntdev…
>>>> The problem is to do it on 2500 computers, and it is also a problem if the
>>>> trojan reinstalls in the OS; because of this, we try to build a solution
>>>> to do this always when Windows starts. We have stations in other
>>>> countries. I think the best solution for us is to develop a solution.
>>>>
>>>> Regards.
>>>>
>>>> --------------------------------------------------
>>>> From: “Maxim S. Shatskih”
>>>> Sent: Sunday, January 18, 2009 6:27 PM
>>>> Newsgroups: ntdev
>>>> To: “Windows System Software Devs Interest List”
>>>> Subject: Re:[ntdev] Change boot driver process.
>>>>
>>>>>> This application is to delete some files used by a trojan, which
>>>>>> most popular AV don't detect here and also don't delete the main files.
>>>>>> The problem is:
>>>>>> This trojan installs a .sys (image sys driver) which protects all files
>>>>>> used by the trojan from being deleted in the boot process.
>>>>>
>>>>> The tool to delete this trojan should be run off a separately
>>>>> booted recovery WinPE CD.
>>>>>
>>>>> –
>>>>> Maxim S. Shatskih
>>>>> Windows DDK MVP
>>>>> xxxxx@storagecraft.com
>>>>> http://www.storagecraft.com
>>>>>
>>>>>
>>>>> —
>>>>> NTDEV is sponsored by OSR
>>>>>
>>>>> For our schedule of WDF, WDM, debugging and other seminars visit:
>>>>> http://www.osr.com/seminars
>>>>>
>>>>> To unsubscribe, visit the List Server section of OSR Online at
>>>>> http://www.osronline.com/page.cfm?name=ListServer

You’re never going to get the right answer because you’re asking the
wrong question. ‘Impossible’ has nothing to do with it. The only
question that matters is can you do it profitably. I think that’s one
of the things that David was saying.

That aside, there aren’t many things that have a usual formal answer,
but this one does - it’s impossible to say whether this can be done.
There are several Halting problems at play here, with the most tired one
being the chicken and egg nature of it all - you have to get there first
(which you can’t really control, and definitely can’t attest to), and
make sure that you don’t get replaced (which you have no control over,
and any questions about attestation are undefined), and not cause
problems with your actions (which is impossible to predict), and the
most important one and the one that is totally impossible to predict
unless you happen to be a mind reader is that you have to be doing
what your users want.

In order to do better, you also have to know more, which, nothing
personal, given what you’re asking about, you don’t appear to.

One of the primary reasons for the development of secure computing
environments like Intel TXT and AMD SVM is that what you’re trying to do
can’t be done. I’ve done a lot of work with these technologies, and
even under them, what gets overlooked almost uniformly is that for any
of it to work, you have to implement the software correctly, which is also
impossible. That being said, if you don’t believe us - which is totally
fair - their existence really ought to be cogent evidence that the
software-only approach has problems.

There are situations where schemes like this are profitable, because
they have a special need, and this is the best that can be done, but they are
rare, everyone goes into the problem with that understanding in mind,
as well as one of the costs, and cardinally there is nothing ‘generic’
about them. That’s really the thing that makes it a waste of time and
what makes proceeding a waste of money and a guaranteed disaster -
operating under the totally absurd idea that you can specify everything
that may come up and address it all, let alone without causing problems.

mm


I forgot one thing - even the hardware assisted implementations have
problems.


I would just like to know, if it is possible, how I remove the restrictions for the
driver; maybe I need to put my driver to load before the Trojan? If yes, how
can I do it? Or maybe I can close the trojan's driver or another thing, and
then I do not see (STATUS_SHARING_VIOLATION) and then I can delete these files;
if yes, how can I do this? I have only been asking about this from the beginning
of my post, to get help with this.

Regards.


From: “Samir Sousa”
Sent: Sunday, January 18, 2009 7:20 PM
To: “Windows System Software Devs Interest List”
Subject: Re: Re:[ntdev] Re:Change boot driver process.

> Sorry for the comment where I used “Time is Money”.
>
>
> --------------------------------------------------
> From: “David R. Cattley”
> Sent: Sunday, January 18, 2009 7:14 PM
> To: “Windows System Software Devs Interest List”
> Subject: RE: Re:[ntdev] Re:Change boot driver process.
>
>> Spoken like a true “Computer Scientist” (and no disrespect meant) and not
>> someone whose “Time & Money” (and ass) is on the line to get this fixed
>> by
>> start of business on Monday.
>>
>> Well, Good Luck!
>> -dave

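The offline approach Maxim and Dave recommend, as an added example that is not part of the thread: a PowerShell script run from a separately booted WinPE against the infected (not running) Windows volume, where the trojan's driver is not loaded and so holds no files open. The volume letter (D:), the service name (EvilSvc), the file paths and the quarantine folder are placeholders, and it assumes a WinPE build that includes the WinPE-PowerShell optional component.

```powershell
<#
 Added example, not code from the thread. Because the infected OS is offline,
 its driver is not running: nothing holds its files open, there is no
 STATUS_SHARING_VIOLATION to work around, and no load-order race to win.

 ASSUMPTIONS (placeholders, not from the thread): the infected volume is
 mounted as D:, the trojan's service is registered as 'EvilSvc', and the
 file paths below were identified by your own analysis of the sample.
#>
param(
    [string]   $OfflineWindows = 'D:\Windows',                               # placeholder
    [string]   $ServiceName    = 'EvilSvc',                                  # placeholder
    [string[]] $KnownFiles     = @('D:\Windows\System32\drivers\evil.sys',   # placeholder
                                   'D:\Windows\System32\evilhook.dll'),      # placeholder
    [string]   $Quarantine     = 'D:\Quarantine'                             # placeholder
)

$ErrorActionPreference = 'Stop'
$hiveName = 'OfflineSYSTEM'
$hivePath = Join-Path $OfflineWindows 'System32\config\SYSTEM'
New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
$logFile  = Join-Path $Quarantine 'cleanup.log'

function Write-Log([string] $Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $logFile -Value $line
    Write-Output $line
}

# Translate a driver ImagePath as stored in the hive ('\??\C:\Windows\...',
# '\SystemRoot\system32\...', or a bare 'system32\drivers\x.sys') into a path
# on the offline volume, so the file can be quarantined from WinPE.
function Resolve-OfflineImagePath([string] $ImagePath) {
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($OfflineWindows + '\')
    $p = $p -replace '^[A-Za-z]:\\Windows\\', ($OfflineWindows + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $OfflineWindows $p }
    return $p
}

# 1. Load the offline SYSTEM hive and remove the service entry from the
#    control set the offline OS actually boots from (Select\Current).
#    A Start value of 0 means a boot-start driver, i.e. the load-order
#    fight the thread is about; offline, that value no longer matters.
& reg.exe load "HKLM\$hiveName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $hivePath" }
try {
    $current = (Get-ItemProperty -Path "HKLM:\$hiveName\Select").Current
    $svcKey  = 'HKLM:\{0}\ControlSet{1:D3}\Services\{2}' -f $hiveName, $current, $ServiceName
    if (Test-Path -Path $svcKey) {
        $svc = Get-ItemProperty -Path $svcKey
        Write-Log ('Found service {0}: Start={1} Type={2} ImagePath={3}' -f `
                   $ServiceName, $svc.Start, $svc.Type, $svc.ImagePath)
        if ($svc.ImagePath) { $KnownFiles += Resolve-OfflineImagePath $svc.ImagePath }
        Remove-Item -Path $svcKey -Recurse -Force
        Write-Log "Removed $svcKey; the offline OS will no longer load this driver"
    } else {
        Write-Log "Service key $svcKey not present"
    }
}
finally {
    # Registry provider handles must be released before the hive can be unloaded.
    [GC]::Collect()
    & reg.exe unload "HKLM\$hiveName" | Out-Null
}

# 2. Quarantine (move, don't delete) the indicator files so the samples stay
#    available for the AV vendor Maxim suggested; record their hashes first.
foreach ($file in ($KnownFiles | Select-Object -Unique)) {
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $dest = Join-Path $Quarantine ((Split-Path -Leaf $file) + '.quarantined')
        Move-Item -LiteralPath $file -Destination $dest -Force
        Write-Log "Quarantined $file (SHA256 $hash) -> $dest"
    } else {
        Write-Log "Not found (already removed, or the indicator list is stale): $file"
    }
}
Write-Log 'Done. Reboot into the cleaned OS and confirm the service key and files stay gone.'
```

This removes only what you already know about and does not examine the boot loader, kernel or HAL, so Don's caveat still applies; a reinfection after reboot means the deployment path is still open, which no clean-up script fixes.
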
And what do you do if the trojan infects the boot loader, the HAL/kernel or
the virtual machine layer? Sorry, this is a case of continual catch-up;
once you are infected you are basically hosed.


Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Samir Sousa” wrote in message news:xxxxx@ntdev…
>I just like, if is possible, how I do to remove the restrictions for the
>driver, maybe I need put my driver to load before the Trojan? If yes, how
>can I do it! or maybe I can close the trojan´s driver or another thing, and
>then I not see (STATUS_SHARING_VIOLATION) and then I can delete these
>files, if Yes, how can I do this, I only asking about this from begin to my
>post, to get help in this.
>
> Regards.
>
> --------------------------------------------------
> From: “Samir Sousa”
> Sent: Sunday, January 18, 2009 7:20 PM
> To: “Windows System Software Devs Interest List”
> Subject: Re: Re:[ntdev] Re:Change boot driver process.
>
>> Sorry for the comment I was use “Time is Money”.
>>
>>
>> --------------------------------------------------
>> From: “David R. Cattley”
>> Sent: Sunday, January 18, 2009 7:14 PM
>> To: “Windows System Software Devs Interest List”
>> Subject: RE: Re:[ntdev] Re:Change boot driver process.
>>
>>> Spoken like a true “Computer Scientist” (and no disrespect meant) and
>>> not
>>> someone whose “Time & Money” (and ass) is on the line to get this fixed
>>> by
>>> start of business on Monday.
>>>
>>> Well, Good Luck!
>>> -dave
>>>
>>> -----Original Message-----
>>> From: xxxxx@lists.osr.com
>>> [mailto:xxxxx@lists.osr.com] On Behalf Of Samir Sousa
>>> Sent: Sunday, January 18, 2009 4:07 PM
>>> To: Windows System Software Devs Interest List
>>> Subject: Re: Re:[ntdev] Re:Change boot driver process.
>>>
>>> I appreciate your response, and we like to develop the application to do
>>> is,
>>>
>>> I don´t beliave is impossible, because if they can do, why we can´t do
>>> more
>>> better?
>>>
>>> Thanks for Your reply.
>>>
>>> --------------------------------------------------
>>> From: “David R. Cattley”
>>> Sent: Sunday, January 18, 2009 6:58 PM
>>> To: “Windows System Software Devs Interest List”
>>> Subject: RE: Re:[ntdev] Re:Change boot driver process.
>>>
>>>> Well, the system image you want to boot to clean the problem is
>>>> compromised.
>>>> How do you know that the root-kit writers have not already found and
>>>> considered every hack to ensure that they load first and that no matter
>>>> what
>>>> you come up with you are not already out-smarted by them.
>>>>
>>>> Booting to a ‘read-only’ (locked) OS image that cannot be compromised
>>>> by
>>>> the
>>>> root-kit which can then remove it from the target boot environment is
>>>> about
>>>> the only certain way you can clean something like this up and be sure
>>>> you
>>>> have done so.
>>>>
>>>> You can hope and wish and work as hard as you want. The bad-guys
>>>> always
>>>> are
>>>> a step ahead. Anything you can come up with they have already got an
>>>> answer
>>>> for or will very quickly when you put your ‘solution’ into the field.
>>>>
>>>>


>>>>
>>>> … and both are often wasted in large quantities when it comes to
>>>> software.
>>>> I mean really, are your 2500 systems currently shutdown to prevent
>>>> further
>>>> damage? Is this a ‘business stoppage’ issue? That surely can cost
>>>> way
>>>> more
than getting enough people to walk a boot cdrom around to all of
>>>> the
>>>> systems and clean up the mess - even if you have to hire temporary
>>>> help.
>>>> You can probably clean 10 systems / hour / person. What does that
>>>> cost
>>>> vs.
>>>> what you are trying to do?
>>>>
>>>>


>>>>
>>>> Waste of time. It can never keep ahead of the malware. If you have
>>>> 2500
>>>> infected systems you have a serious problem in procedure and
>>>> deployment.
>>>> You need to solve that problem and keep the malware out.
>>>>
>>>> “Keep your finger away from the saw-blade instead of perfecting
>>>> surgical
>>>> re-attachment of fingers.”
>>>>
>>>> Maybe you can deploy a WINPE image that can clean-up the situation
>>>> automatically to these systems. It is unlikely that the root-kit has
>>>> the
>>>> chops to modify a .WIM image (but hey, maybe! - that will be next.)
>>>>
>>>> Good Luck,
>>>> -Dave
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: xxxxx@lists.osr.com
>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of Samir Sousa
>>>> Sent: Sunday, January 18, 2009 3:42 PM
>>>> To: Windows System Software Devs Interest List
>>>> Subject: Re: Re:[ntdev] Re:Change boot driver process.
>>>>
>>>> Yes I was. But until this moment we do not have a response from them. So
>>>> time is money; because of this we try to build a solution.
>>>>
>>>> --------------------------------------------------
>>>> From: “Maxim S. Shatskih”
>>>> Sent: Sunday, January 18, 2009 6:32 PM
>>>> Newsgroups: ntdev
>>>> To: “Windows System Software Devs Interest List”
>>>> Subject: Re:[ntdev] Re:Change boot driver process.
>>>>
>>>>> Have you sent it to the virus analysts like Kaspersky?
>>>>>
>>>>> –
>>>>> Maxim S. Shatskih
>>>>> Windows DDK MVP
>>>>> xxxxx@storagecraft.com
>>>>> http://www.storagecraft.com
>>>>>
>>>>> “Samir Sousa” wrote in message
>>>>> news:xxxxx@ntdev…
>>>>>> The problem is to do it on 2500 computers, and also a problem if the
>>>>>> trojan reinstalls in the OS; because of this, we try to build a solution
>>>>>> to do this always when Windows starts. We have stations in other
>>>>>> countries; I think the best solution for us is to develop a solution.
>>>>>>
>>>>>> Regards.
>>>>>>
>>>>>> --------------------------------------------------
>>>>>> From: “Maxim S. Shatskih”
>>>>>> Sent: Sunday, January 18, 2009 6:27 PM
>>>>>> Newsgroups: ntdev
>>>>>> To: “Windows System Software Devs Interest List”
>>>>>>
>>>>>> Subject: Re:[ntdev] Change boot driver process.
>>>>>>
>>>>>>>> This application is to delete some files used by a trojan, which most
>>>>>>>> popular AV don't detect here and also don't delete the main files.
>>>>>>>> The problem is:
>>>>>>>> This trojan installs a .sys (image sys driver) which protects all the
>>>>>>>> files used by the trojan from being deleted in the boot process.
>>>>>>>
>>>>>>> The tool to delete this trojan should be run off a separately booted
>>>>>>> recovery WinPE CD.
>>>>>>>
>>>>>>> –
>>>>>>> Maxim S. Shatskih
>>>>>>> Windows DDK MVP
>>>>>>> xxxxx@storagecraft.com
>>>>>>> http://www.storagecraft.com
>>>>>>>

Samir:

Don just delivered the bottom line on this one - once you’re infected,
you’re basically hosed. That’s just how it is.

Rereading my post, I think I at least got kind of sidetracked in the
bigger picture, so I’m not sure if it was very helpful. If not, I’m
sorry about that, but the thing is that we get this flavor of question
here a lot, and there is just no getting around what Don just said -
reinstall. That’s all you can do.

mm

Don Burn wrote:

> And what do you do if the trojan infects the boot loader, the HAL/kernel or
> the virtual machine layer? Sorry this is a case of continual catch up,
> once you are infected you are basically hosed.

When this occurs we will see what we can do better. But now, they only do
those things which I described above.

Regards.


From: “Don Burn”
Sent: Sunday, January 18, 2009 7:55 PM
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Subject: Re:[ntdev] Re:Re:Change boot driver process.

> And what do you do if the trojan infects the boot loader, the HAL/kernel
> or the virtual machine layer? Sorry this is a case of continual catch
> up, once you are infected you are basically hosed.
>
>
> –
> Don Burn (MVP, Windows DDK)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
> “Samir Sousa” wrote in message
> news:xxxxx@ntdev…
>> I would just like to know, if it is possible, how to remove the
>> restrictions for the driver; maybe I need to put my driver to load before
>> the Trojan? If yes, how can I do it? Or maybe I can close the trojan's
>> driver or another thing, and then I will not see
>> (STATUS_SHARING_VIOLATION) and then I can delete these files; if yes, how
>> can I do this? I have only been asking about this from the beginning of my
>> post, to get help in this.
>>
>> Regards.
>>
>> --------------------------------------------------
>> From: “Samir Sousa”
>> Sent: Sunday, January 18, 2009 7:20 PM
>> To: “Windows System Software Devs Interest List”
>> Subject: Re: Re:[ntdev] Re:Change boot driver process.
>>
>>> Sorry for the comment; I used “Time is Money”.
>>>
>>>
>>> --------------------------------------------------
>>> From: “David R. Cattley”
>>> Sent: Sunday, January 18, 2009 7:14 PM
>>> To: “Windows System Software Devs Interest List”
>>> Subject: RE: Re:[ntdev] Re:Change boot driver process.
>>>
>>>> Spoken like a true “Computer Scientist” (and no disrespect meant) and not
>>>> someone whose “Time & Money” (and ass) is on the line to get this fixed by
>>>> start of business on Monday.
>>>>
>>>> Well, Good Luck!
>>>> -dave
>>>>
>>>> -----Original Message-----
>>>> From: xxxxx@lists.osr.com
>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of Samir Sousa
>>>> Sent: Sunday, January 18, 2009 4:07 PM
>>>> To: Windows System Software Devs Interest List
>>>> Subject: Re: Re:[ntdev] Re:Change boot driver process.
>>>>
>>>> I appreciate your response, and we would like to develop the application
>>>> to do this.
>>>>
>>>> I don't believe it is impossible, because if they can do it, why can't we
>>>> do it better?
>>>>
>>>> Thanks for Your reply.
>>>>
>>>> --------------------------------------------------
>>>> From: “David R. Cattley”
>>>> Sent: Sunday, January 18, 2009 6:58 PM
>>>> To: “Windows System Software Devs Interest List”
>>>> Subject: RE: Re:[ntdev] Re:Change boot driver process.
>>>>
>>>>> Well, the system image you want to boot to clean the problem is
>>>>> compromised. How do you know that the root-kit writers have not already
>>>>> found and considered every hack to ensure that they load first and that
>>>>> no matter what you come up with you are not already out-smarted by them.
>>>>>
>>>>> Booting to a ‘read-only’ (locked) OS image that cannot be compromised by
>>>>> the root-kit which can then remove it from the target boot environment
>>>>> is about the only certain way you can clean something like this up and
>>>>> be sure you have done so.
>>>>>
>>>>> You can hope and wish and work as hard as you want. The bad-guys always
>>>>> are a step ahead. Anything you can come up with they have already got an
>>>>> answer for or will very quickly when you put your ‘solution’ into the
>>>>> field.
>>>>>
>>>>>


>>>>>
>>>>> … and both are often wasted in large quantities when it comes to
>>>>> software. I mean really, are your 2500 systems currently shut down to
>>>>> prevent further damage? Is this a ‘business stoppage’ issue? That surely
>>>>> can cost way more than getting enough people to walk a boot cdrom around
>>>>> to all of the systems and clean up the mess - even if you have to hire
>>>>> temporary help. You can probably clean 10 systems / hour / person. What
>>>>> does that cost vs. what you are trying to do?
>>>>>
>>>>>


>>>>>
>>>>> Waste of time. It can never keep ahead of the malware. If you have 2500
>>>>> infected systems you have a serious problem in procedure and deployment.
>>>>> You need to solve that problem and keep the malware out.
>>>>>
>>>>> “Keep your finger away from the saw-blade instead of perfecting surgical
>>>>> re-attachment of fingers.”
>>>>>
>>>>> Maybe you can deploy a WINPE image that can clean-up the situation
>>>>> automatically to these systems. It is unlikely that the root-kit has the
>>>>> chops to modify a .WIM image (but hey, maybe! - that will be next.)
>>>>>
>>>>> Good Luck,
>>>>> -Dave
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: xxxxx@lists.osr.com
>>>>> [mailto:xxxxx@lists.osr.com] On Behalf Of Samir Sousa
>>>>> Sent: Sunday, January 18, 2009 3:42 PM
>>>>> To: Windows System Software Devs Interest List
>>>>> Subject: Re: Re:[ntdev] Re:Change boot driver process.
>>>>>
>>>>> Yes I was. But until this moment we do not have a response from them. So
>>>>> time is money; because of this we try to build a solution.
>>>>>
>>>>> --------------------------------------------------
>>>>> From: “Maxim S. Shatskih”
>>>>> Sent: Sunday, January 18, 2009 6:32 PM
>>>>> Newsgroups: ntdev
>>>>> To: “Windows System Software Devs Interest List”
>>>>> Subject: Re:[ntdev] Re:Change boot driver process.
>>>>>
>>>>>> Have you sent it to the virus analysts like Kaspersky?
>>>>>>
>>>>>> –
>>>>>> Maxim S. Shatskih
>>>>>> Windows DDK MVP
>>>>>> xxxxx@storagecraft.com
>>>>>> http://www.storagecraft.com
>>>>>>
>>>>>> “Samir Sousa” wrote in message
>>>>>> news:xxxxx@ntdev…
>>>>>>> The problem is to do it on 2500 computers, and also a problem if the
>>>>>>> trojan reinstalls in the OS; because of this, we try to build a
>>>>>>> solution to do this always when Windows starts. We have stations in
>>>>>>> other countries; I think the best solution for us is to develop a
>>>>>>> solution.
>>>>>>>
>>>>>>> Regards.
>>>>>>>
>>>>>>> --------------------------------------------------
>>>>>>> From: “Maxim S. Shatskih”
>>>>>>> Sent: Sunday, January 18, 2009 6:27 PM
>>>>>>> Newsgroups: ntdev
>>>>>>> To: “Windows System Software Devs Interest List”
>>>>>>>
>>>>>>> Subject: Re:[ntdev] Change boot driver process.
>>>>>>>
>>>>>>>>> This application is to delete some files used by a trojan, which
>>>>>>>>> most popular AV don't detect here and also don't delete the main
>>>>>>>>> files.
>>>>>>>>> The problem is:
>>>>>>>>> This trojan installs a .sys (image sys driver) which protects all
>>>>>>>>> the files used by the trojan from being deleted in the boot process.
>>>>>>>>
>>>>>>>> The tool to delete this trojan should be run off a separately booted
>>>>>>>> recovery WinPE CD.
>>>>>>>>
>>>>>>>> –
>>>>>>>> Maxim S. Shatskih
>>>>>>>> Windows DDK MVP
>>>>>>>> xxxxx@storagecraft.com
>>>>>>>> http://www.storagecraft.com