
Re: [NTB] Re: Problems opening many files at once from Windows "search".

  • Robbie Hatley
    Message 1 of 12 , Nov 1, 2007
      Sheri wrote:

      > --- In notetab@yahoogroups.com, "Robbie Hatley" <lonewolf@...> wrote:
      >
      > > I should be able to set "File Mask" to "\\*.*" (all files in all
      > > directories on all drives), set "Find What" to the viral string,
      > > and leave "Replace With" blank. MUCH easier than the way I was
      > > doing it.
      >
      > Oh dear that would *not* have been my recommendation. :(
      > I would suggest to target files with specified extensions at the very
      > least. You wouldn't want to use NoteTab to edit exe file, for example.

      The problem is, it is known that Win32/Virut corrupts asp, aspx, php,
      htm, and html files by adding the following string just before the closing
      body tag:

      {ifraeme src="hxxp://ntkrnlpa.info/rc/?i=1" width=1 height=1 style="border:0"}{/ifraeme}

      (altered for safety: braces instead of angle-brackets, ifraeme instead of iframe,
      and hxxp instead of http)

      (WARNING: DO NOT VISIT THAT WEB SITE! IT WILL INFECT YOUR COMPUTER!)

      But I have no reason to assume that it does not corrupt any other kind of file.
      It might! So the scan must be for *all* files.

      As for exe, we do know that Win32/Virut does not attempt to insert
      the iframe html text string in such files, so NoteTab won't find the string
      in them, even though it will look. I believe the virus always looks for
      {/body} and inserts the iframe element before that.

      This is one case where it's quite ok to have NoteTab spend several hours
      scrutinizing every single file on your computer. The price of missing just
      one instance of the viral string is too high. (Ie, reinfection, with subsequent
      destruction of all exe files in all partitions of your computer, requiring
      re-formatting your hard disk and re-installing the operating system and
      all software, settings, and data.)

      --
      Cheers,
      Robbie Hatley
      lonewolf aatt well dott com
      www dott well dott com slant user slant lonewolf slant
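
An added example, not part of the original post and not a NoteTab feature: the same all-files search-and-erase done at byte level in Python, so files of any type can be scanned without being decoded or re-encoded as text. The function names and the temporary sample tree are constructed for illustration; the host is the one in the string quoted above, and the sample keeps the scheme defanged.

```python
import os
import re
import tempfile

# Host from the string quoted in the post; the scheme is not part of the match.
HOST = rb"ntkrnlpa\.info"
# Byte-level pattern: an iframe element whose src contains HOST. Working on
# bytes means no decoding or re-encoding, so non-text files are left untouched.
INJECTED = re.compile(
    rb"<iframe\b[^>]*\bsrc\s*=\s*[\"'][^\"']*" + HOST
    + rb"[^\"']*[\"'][^>]*>\s*</iframe>", re.IGNORECASE)

def process_file(path, clean=False):
    """Count injected iframes in one file; rewrite it only if clean=True."""
    with open(path, "rb") as fh:
        data = fh.read()
    stripped, count = INJECTED.subn(b"", data)
    if clean and count:
        with open(path, "wb") as fh:
            fh.write(stripped)
    return count

def scan_tree(root, clean=False):
    """Walk every file under root, all extensions; return {path: hit count}."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                count = process_file(path, clean)
            except OSError:
                continue  # locked or unreadable: skip it and keep walking
            if count:
                hits[path] = count
    return hits

def demo():
    """Constructed sample tree: one tampered page and one binary file."""
    iframe = (b'<iframe src="hxxp://ntkrnlpa.info/rc/?i=1" width=1 height=1 '
              b'style="border:0"></iframe>')  # scheme kept defanged, as in the post
    root = tempfile.mkdtemp()
    page, blob = os.path.join(root, "index.html"), os.path.join(root, "tool.bin")
    with open(page, "wb") as fh:
        fh.write(b"<html><body><p>hi</p>" + iframe + b"</body></html>")
    with open(blob, "wb") as fh:
        fh.write(bytes(range(256)) * 4)
    report = scan_tree(root)              # report-only pass
    scan_tree(root, clean=True)           # cleaning pass
    with open(page, "rb") as fh, open(blob, "rb") as bh:
        return report, fh.read(), bh.read() == bytes(range(256)) * 4, scan_tree(root)
```

Running `scan_tree` without `clean=True` first gives a list of affected files to review before anything is rewritten.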
    • Robbie Hatley
      Message 2 of 12 , Nov 1, 2007
        <buralex@...> wrote:

        > "Robbie Hatley" <lonewolf@...> said on Oct 28, 2007 21:22 -0400
        > (in part):
        > > I see "Search Disk" has a sub-tab called "Replace in Files". I should
        > > be able
        > > to set "File Mask" to "\\*.*" (all files in all directories on all
        > > drives), set
        > > "Find What" to the viral string, and leave "Replace With" blank.
        > > MUCH easier than the way I was doing it.
        > Hmmm .... I have 1,027,000 files on my C:\ harddrive.
        > Please post back with how long it takes Notetab to do a search-replace
        > on ALL files in ALL folders with ALL extensions :-)

        Several hours. I didn't do it all in one session, so I can't give the precise time.
        That was for my C, D, E, F drives. (Those 4 partitions are on my 3 internal
        physical hard disks.)

        I see now, to my horror, that my two backup partitions (on an external
        300GB maxtor firewire hard disk) are also heavily infected with Win32/Virut.
        Sigh. This virus is SO damn invasive! :-( It took AVG an hour to disinfect
        the drives (by moving most of the exe files to the vault; it couldn't repair
        them). But AVG doesn't check for inserted iframes in asp, aspx, php, htm,
        and html files; so I have to use NoteTab to search and erase the iframes.
        Several more hours, I imagine. Sigh. At least I can multitask while it's
        doing it. And sleep. By the time I wake up, hopefully it'll be finished.

        --
        Cheers,
        Robbie Hatley
        lonewolf aatt well dott com
        www dott well dott com slant user slant lonewolf slant
      • Dave
        Message 3 of 12 , Nov 2, 2007
          Hi
          If this was my machine I would get it clean as best I could and ghost the
          hard drives and keep a copy in case you get something again.
          THANK YOU DAVE M
          ----- Original Message -----
          From: "Robbie Hatley" <lonewolf@...>
          To: <notetab@yahoogroups.com>
          Sent: Thursday, November 01, 2007 10:45 PM
          Subject: Re: [NTB] Re: Problems opening many files at once from Windows
          "search".


          > <buralex@...> wrote:
          >
          >> "Robbie Hatley" <lonewolf@...> said on Oct 28, 2007 21:22 -0400
          >> (in part):
          >> > I see "Search Disk" has a sub-tab called "Replace in Files". I should
          >> > be able
          >> > to set "File Mask" to "\\*.*" (all files in all directories on all
          >> > drives), set
          >> > "Find What" to the viral string, and leave "Replace With" blank.
          >> > MUCH easier than the way I was doing it.
          >> Hmmm .... I have 1,027,000 files on my C:\ harddrive.
          >> Please post back with how long it takes Notetab to do a search-replace
          >> on ALL files in ALL folders with ALL extensions :-)
          >
          > Several hours. I didn't do it all in one session, so I can't give the
          > precise time.
          > That was for my C, D, E, F drives. (Those 4 partitions are on my 3
          > internal
          > physical hard disks.)
          >
          > I see now, to my horror, that my two backup partitions (on an external
          > 300GB maxtor firewire hard disk) are also heavily infected with
          > Win32/Virut.
          > Sigh. This virus is SO damn invasive! :-( It took AVG an hour to
          > disinfect
          > the drives (by moving most of the exe files to the vault; it couldn't
          > repair
          > them). But AVG doesn't check for inserted iframes in asp, aspx, php, htm,
          > and html files; so I have to use NoteTab to search and erase the iframes.
          > Several more hours, I imagine. Sigh. At least I can multitask while it's
          > doing it. And sleep. By the time I wake up, hopefully it'll be finished.
          >
          > --
          > Cheers,
          > Robbie Hatley
          > lonewolf aatt well dott com
          > www dott well dott com slant user slant lonewolf slant