Jesper L Hansen wrote:
> I have had Norton Antivirus 2003 running the whole time
I don't know that version of NAV. I don't expect it to be active when
ntldr starts ntoskrnl (that is why I asked you to make boot diskettes on
an uninfected machine, restart the machine with them inserted, and then
do a complete scan of the machine (with an updated emergency diskette
that has NAV on it)).
Depending on how you have configured NAV, it is possible that NAV does
not scan all files when NAV is run from the Windows user interface.
> and I have just done an online scan with Trend Micro's Housecall
> without anything being found..
Depending on how your browser is configured, it is not certain that
Housecall can get access to system files (I am not familiar with Housecall).
Also read this article about which programs do what:
<URL:
http://www.pcmag.com/article2/0,4149,640479,00.asp >
After a quick search on symantec.com for the word ntoskrnl, it sounds as
if you are infected with a virus in the Bolzano family or a virus in the
Homer family:
Description of Bolzano:
<URL:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bolzano.html >
Description of Homer:
<URL:
http://securityresponse.symantec.com/avcenter/venc/data/w97m.homer.html >
They both modify ntoskrnl so that all users on the machine can manipulate
all files, regardless of how the file permissions are set up. Once ntoskrnl
is infected, the virus can spread by enumerating file shares you can reach
from your machine (possibly also Web folders; check whether you have used
that in Explorer | My Network Places | Entire Network | Web Client Network).
<URL:
http://securityresponse.symantec.com/avcenter/venc/data/w32.bolzano.html >
"In order for the virus to attempt the attack, it needs administrative
rights on a Windows NT Server or Windows NT Workstation during the
initial infiltration. Therefore it is not a major security risk, but
still is a potential threat. Viruses can always wait until the
Administrator or someone with the equivalent rights logs on. In such a
case, W32.Bolzano has the chance to patch ntoskrnl.exe, the Windows NT
kernel, located in the WINNT\SYSTEM32 directory. The virus modifies only
2 bytes in a security API called SeAccessCheck that is part of
ntoskrnl.exe. This way Bolzano is able to give full access to all users
to each file regardless of its protection, whenever the machine is booted
with the modified kernel. This means that a Guest -having the lowest
possible rights on the system- will be able to read and modify all files
including files that are normally accessible only by the Administrator.
This is a potential problem since the virus can spread everywhere it
wants to regardless of the actual access restrictions on the particular
machine. Furthermore after the attack, no data can be considered
protected from any user. The latest variants of Bolzano also patch
MSV1_0.dll in the System32 directory in order to remove password checks
from there.
Unfortunately the consistency of ntoskrnl.exe is checked in only one
place. The loader, ntldr, is supposed to check it when it loads
ntoskrnl.exe into physical memory during machine boot-up. If the kernel
gets corrupted ntldr is supposed to stop loading ntoskrnl.exe and display
an error message even before a "blue screen" appears. In order to avoid
this particular problem W32.Bolzano also patches the ntldr so that no
error message will be displayed and Windows NT will boot just fine even
if its checksum does not match with the original. Since no code checks
the consistency of ntldr itself, the patched kernel will be loaded
without notification to the user. Since ntldr is a hidden, system, read-
only file W32.Bolzano changes the attributes of it to "archive" before it
tries to patch it. The virus does not change the attribute of the ntldr
back to its original value after the patch."
In any case, ntoskrnl is doing something it should not be doing under
normal circumstances.
Read more about WXP startup files:
<URL:
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prgg_det_pcju.asp >
Read how to replace system files with the ones from the install CD:
<URL:
http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prgg_det_pvfh.asp >
It will probably be necessary to reinstall the various service packs and
hotfixes after you have fiddled with replacing the system files with the
original versions.
It may be faster for you to do a complete fresh installation from an
unpartitioned hard disk. If so, take the opportunity to follow Microsoft's
security advice from the start of the system's "life":
<URL:
http://microsoft.com/technet/security/tips/Overview.asp >
--
Fix Outlook Express 5.*. Now with emoticons, _underlined_,
/italic/ and *bold* text: <URL:
http://flash.to/oe-quotefix >
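The Symantec text quoted in the post above says that ntldr's only integrity check on ntoskrnl.exe is a checksum comparison, and that a two-byte patch is enough to trip it. The following is an added example, written for this page and not code from the original post, from Symantec or from Microsoft. It recomputes the PE optional-header CheckSum of an image with the same algorithm as imagehlp's CheckSumMappedFile and compares it with the value stored in the header; the assumption (labelled in the code) is that this header field is the "checksum" the loader compares. The sample image it builds is a constructed stub containing only the header fields the check needs, not a real kernel, and the offsets 0xC0 and 0x98 used in the scenario are chosen for the stub, not taken from any real file.

```c
/*
 * Added example, not code from the original post, from Symantec or from
 * Microsoft.  It recomputes the PE optional-header CheckSum of an NT image
 * (the imagehlp CheckSumMappedFile algorithm) and compares it with the value
 * stored in the header.  Assumption: this header field is the "checksum"
 * ntldr compares when loading ntoskrnl.exe.  The sample image is a constructed
 * stub with only the header fields the check needs; it is not a real kernel.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CheckSum lies 0x58 bytes past the "PE\0\0" signature for PE32 and PE32+ alike. */
#define PE_CHECKSUM_FIELD 0x58

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* File offset of the CheckSum field, or 0 if the buffer is not a PE image. */
size_t pe_checksum_offset(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(img + 0x3C);
    if (e_lfanew > len - 4 || memcmp(img + e_lfanew, "PE\0\0", 4) != 0) return 0;
    size_t off = (size_t)e_lfanew + PE_CHECKSUM_FIELD;
    return off + 4 <= len ? off : 0;
}

/* One's-complement sum of every 16-bit word except the CheckSum field itself,
 * folded to 16 bits, plus the file length. */
uint32_t pe_compute_checksum(const uint8_t *img, size_t len) {
    size_t skip = pe_checksum_offset(img, len);
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        if (skip && (i == skip || i == skip + 2)) continue;  /* the field counts as zero */
        sum += rd16(img + i);
        sum = (sum & 0xFFFF) + (sum >> 16);   /* end-around carry */
    }
    if (len & 1) {                            /* odd trailing byte: zero-padded word */
        sum += img[len - 1];
        sum = (sum & 0xFFFF) + (sum >> 16);
    }
    sum = (sum & 0xFFFF) + (sum >> 16);       /* a carry may still be pending */
    return (uint32_t)(sum + len);
}

/* 1 if the stored field matches the recomputed value; 0 on mismatch or non-PE input. */
int pe_checksum_ok(const uint8_t *img, size_t len) {
    size_t off = pe_checksum_offset(img, len);
    return off != 0 && rd32(img + off) == pe_compute_checksum(img, len);
}

/* Rewrite the field so a modified image passes again.  Anyone who can write the
 * file can do this, which is why a checksum catches corruption, not tampering. */
void pe_fix_checksum(uint8_t *img, size_t len) {
    size_t off = pe_checksum_offset(img, len);
    if (off) wr32(img + off, pe_compute_checksum(img, len));
}

#define SAMPLE_LEN 0x100
/* Constructed stub: MZ header, e_lfanew, PE signature, Machine=i386, Magic=PE32, CheckSum. */
size_t build_sample_image(uint8_t *img) {
    memset(img, 0, SAMPLE_LEN);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x40);                  /* e_lfanew: PE header at 0x40 */
    memcpy(img + 0x40, "PE\0\0", 4);
    img[0x44] = 0x4C; img[0x45] = 0x01;      /* COFF Machine = IMAGE_FILE_MACHINE_I386 */
    img[0x58] = 0x0B; img[0x59] = 0x01;      /* optional header Magic = PE32 */
    pe_fix_checksum(img, SAMPLE_LEN);        /* stored CheckSum becomes 0xA334 for this stub */
    return SAMPLE_LEN;
}

/* Stand-alone use: pe_check <copy-of-ntoskrnl.exe taken from the suspect disk> */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <pe-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    fseek(f, 0, SEEK_END); long n = ftell(f); rewind(f);
    if (n <= 0) { fprintf(stderr, "empty file\n"); return 2; }
    uint8_t *img = malloc((size_t)n);
    if (!img || fread(img, 1, (size_t)n, f) != (size_t)n) { fprintf(stderr, "read failed\n"); return 2; }
    fclose(f);
    size_t off = pe_checksum_offset(img, (size_t)n);
    if (!off) { fprintf(stderr, "not a PE image\n"); return 2; }
    int ok = pe_checksum_ok(img, (size_t)n);
    printf("stored 0x%08X computed 0x%08X -> %s\n", rd32(img + off),
           pe_compute_checksum(img, (size_t)n), ok ? "OK" : "MISMATCH");
    return ok ? 0 : 1;
}
```

A two-byte change anywhere in the stub makes pe_checksum_ok report a mismatch, but pe_fix_checksum makes the patched image pass again, so a passing checksum only says the file was not damaged by accident. Comparing the file against a copy from clean install media, as the post recommends, is the check that actually distinguishes a tampered kernel from an intact one.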