  1. #1
    New Lounger
    Join Date
    Feb 2010
    Location
    Atlanta, Georgia, USA
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts

    “Delayed write failure” virus worse than we think?

    Last Saturday I was surfing the Web with one of my PCs (Windows 7, fully updated; MSE installed with real-time protection on; Java, Flash, etc. updated too). I had a thought "Wouldn't it be nice to get some hi-res wallpapers of old cars in junkyards?" So I Googled a phrase like that and got a bunch of hits. I proceeded to open all the interesting links in new tabs. Without looking at any of the tabs I had opened yet, I must have opened about 15 links in new tabs when suddenly my PC went crazy. I got a cascade of many error dialog boxes all over the screen that said something about delayed write failure. This PC has always been super solid, so I was suspicious. I decided to reboot the PC. Lots of strange things happened when it rebooted. I recall that my desktop was black instead of displaying my wallpaper, and I got a couple of error messages saying something bad about ATI's CCC (Catalyst Control Center). But then a large window popped up that was called something like "Windows System Checker," and it started in right away "checking my hard drive for errors." The Windows System Checker window had good graphics, clean layout, no bad spelling or grammar and a nice moving icon while my hard drive was being "checked." It said it found errors on my hard drive, but when it finished the second checking category and found 3 problems with my RAM too, I knew for sure I had been fooled.

    I turned off my PC, rebooted it from my Acronis recovery CD, and restored a C: image (and boot sector) that I had made a few days previous. The restore was successful, and my PC was completely back to normal. But just to be safe I made sure I had the latest MSE definitions and did a full scan of everything on all drives, all partitions. It took a couple of hours and found no problems. Just to be even safer, I got the latest Malwarebytes Anti-Malware definitions and did a full scan with it too. Result: no problems found.

    It doesn’t end there. I periodically use SyncToy to synchronize all the files on my separate data partition with the data partition on another PC. I got around to doing a SyncToy sync the next day. I always preview the sync before actually committing to perform the operation. I usually get a small number of files that need synchronizing, but this time I got tens of thousands. Looking over the results I saw that all the changed files were on the PC that had the virus attack, they were all in my Documents folder, but not all files were affected. The files that were affected were in the first bunch of subfolders going alphabetically through my Documents folder. But wait – there’s more: The date, time, and filesize of the affected files were not changed. I’m not sure how, but SyncToy must have detected something else that changed about these files.

    PCs and their data are such an important part of my life that I tend to have backups of my backups of my backups. In this case, I was able to use my Windows Home Server backup made the day before the virus attack to restore all the affected subfolders in my Documents folder. I re-ran SyncToy and got the right results this time – only a few files, the ones that I recalled working on, needed synchronization.

    I’d say I am very lucky that not only do I do multiple backups using multiple methods, but if I hadn’t also been doing this data synchronizing thing with SyncToy I might not have detected that something possibly malicious had lingered in thousands of my data files. I am writing all this, for those of you who have gotten this far, because no Web accounts of the “delayed write failed” virus that I skimmed mention this insidious change that its fake “Windows System Checker” made to thousands of the files in my Documents folder. And neither MSE nor Malwarebytes Anti-Malware can detect the changes this virus made to my data files.
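The observation in the first post (files flagged by the sync preview although their date, time and size had not changed) can be checked directly. This is an added example, not part of the thread: it compares a baseline snapshot of a folder with a later one by content hash and, on Windows, file attributes. The function names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map relative path -> (size, mtime_ns, attrs, sha256) for every file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            # st_file_attributes exists only on Windows (hidden, system, ...).
            attrs = getattr(st, "st_file_attributes", 0)
            out[os.path.relpath(path, root)] = (
                st.st_size, st.st_mtime_ns, attrs, digest.hexdigest())
    return out

def silent_changes(before, after):
    """Files whose size and mtime match the baseline but whose attributes or content do not."""
    flagged = []
    for rel, (size, mtime, attrs, sha) in sorted(after.items()):
        old = before.get(rel)
        if old and old[:2] == (size, mtime) and old[2:] != (attrs, sha):
            flagged.append(rel)
    return flagged

def demo():
    """Constructed sample: one file is rewritten in place and its timestamps put back."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("a.txt", b"junkyard cars"), ("b.txt", b"wallpaper list")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        before = snapshot(root)
        target = os.path.join(root, "a.txt")
        st = os.stat(target)
        with open(target, "wb") as fh:
            fh.write(b"JUNKYARD CARS")  # same length, different bytes
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore timestamps
        return silent_changes(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Taking the baseline from a backup made before the incident and the second snapshot from the live folder lists exactly the files that a date-and-size comparison would miss.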

  2. #2
    Super Moderator RetiredGeek's Avatar
    Join Date
    Mar 2004
    Location
    Manning, South Carolina
    Posts
    6,378
    Thanks
    207
    Thanked 829 Times in 762 Posts
    Radiophile,

    Do you have a link scanner installed? I, along with a lot of loungers, use Web of Trust {WOT}. If that little green circle isn't there next to a link, you know not to click on it. I'd highly suggest you install a link scanner if you don't have one.
    May the Forces of good computing be with you!

    RG

    VBA Rules!



  3. #3
    Silver Lounger Banyarola's Avatar
    Join Date
    Dec 2009
    Location
    Big Indian, New York
    Posts
    1,854
    Thanks
    7
    Thanked 63 Times in 52 Posts
    Radiophile, I found this very interesting...

    Thanks for posting it...

    I have found that Malwarebytes Pro also blocks malicious sites.

    RG, I also had WOT but not anymore and after your post and Radiophile's I think I will re-install it...

    It's a scary world out there...
    "If You Are Reading This In English, Thank A VET"

  4. #4
    New Lounger
    Join Date
    Feb 2010
    Location
    Atlanta, Georgia, USA
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks RetiredGeek and Banyarola.

    Thinking more about this viral attack, I'm concerned that MSE, which had "real-time protection" turned on, failed to detect this malicious program. The Web is full of reports about a "delayed write failure" virus; I would have thought that I would have been protected. And I'm pretty certain that the virus modified thousands of my document files, yet both MSE and Malwarebytes failed to detect it. As a result, I feel very much less safe than before, and have redoubled my efforts to have backups of my backups of my backups to make sure I can recover from future infections as easily as I did this time.

    About the link scanner: No, I didn't have one installed. I wasn't aware of them, really. All those years of bragging that "I've never had a computer virus" made me overly self-confident about the risks I guess. Anyway, I went searching for other link scanners in addition to WOT and I found AVG Linkscanner. I installed AVG on one PC (the one that got the virus) and am testing it now. I think I prefer it because it says on its Web site: "It doesn't rely on opinion - it looks at what's really on the web page." I think that WOT, in contrast, just uses a ratings database of user reports. Let me know if I'm off-base in thinking AVG is better.

  5. #5
    Super Moderator RetiredGeek's Avatar
    Join Date
    Mar 2004
    Location
    Manning, South Carolina
    Posts
    6,378
    Thanks
    207
    Thanked 829 Times in 762 Posts
    Radiophile,

    The thing to remember is that the Virus products, doesn't matter which one, are ALWAYS playing catch-up with the virus writers. You need to consider AV as only one arrow in your quiver of security along with HW & SW Firewalls and safe surfing practices.

    I don't look at WOT as merely opinion but the opinion of a whole lot of people, 5 Million plus. The law of averages is on the side of the masses. Ask any insurance agent! AVG, while a good product, I used to use it myself, is nevertheless a commercial company and they, like all companies, are always looking for a way to make a buck and by using their scanner you are basically giving them access to your searches. Your call.
    May the Forces of good computing be with you!

    RG


