Brand new Dell - already infected?

Guest

| No. You could run Sophos and Trend Micro as a verification. The idea of
| running in Safe
| Mode is if there is an infector found and it is easy to remove in Safe Mode.
| McAfee AV scan
| found no viruses or non-viral malware -- that's good !

ok David. I will try Sophos and Trend tonight, although I do not have Sophos
or Trend on my pc. Only Mcafee VirusScan, Privacy and Firewall along with
Spywareblaster for prevention.
 
David H. Lipman

From: "bryan" <[email protected]>

| No. You could run Sophos and Trend Micro as a verification. The idea of
| running in Safe
| Mode is if there is an infector found and it is easy to remove in Safe Mode.
| McAfee AV scan
| found no viruses or non-viral malware -- that's good !
|
| ok David. I will try Sophos and Trend tonight, although I do not have Sophos
| or Trend on my pc. Only Mcafee VirusScan, Privacy and Firewall along with
| Spywareblaster for prevention.


Both the Trend Micro Sysclean and the Sophos command line scanner are in the Multi AV scanner
utility I posted.
 
David H. Lipman

From: "bryan" <[email protected]>

REPOST:



Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
simplify the process of using the Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are: Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 
Leythos

| WAIT! I did NOT install any of the ms applications. My Dell came
| pre-installed with xp sp2 and Microsoft Office. I did not mess ANYTHING up.
| It came this way! Why do you say that I admitted to messing up?

I was reading what was posted and it seemed to me that you were trying
to get support for software that was not shipped as installed. In the
case of MS Office, as an OEM installation, Dell must provide support,
that's how the OEM agreement works. Microsoft does not provide support
for ANY OEM software installations - unless you want to pay for it.

In case you missed it - you said "When I installed Mcafee" so I assumed
(incorrectly) you had installed it and not just done the update.
 
Leythos

From: "Leythos" <[email protected]>


|
| NO IT WONT - Mcrappy requires you to register the product and agree to a
| control being installed before you can get automatic updates. I've seen
| more McCrappy protected machines infected due to their now doing
| automatic updates without registration.
|

They are NOT MS updates. This is my own scripted front end to McAfee and Sophos' Command
Line Scanners and Trend Micro's Sysclean utility. If you run the script it will provide a
menu and if you choose a scanner module it will do as I indicated.

Give it a shot Leythos !

Sorry, I misunderstood - I thought you were talking about the products.
As an IT company/owner I can not push scripts that are published on the
net until I have the source code and time to test them. As it stands,
installing McCrappy does not also update the virus definitions and leave
owners/users greatly unprotected without any real notice that they are
unprotected ( at least none that makes it obvious to the masses of non-
technical users ).
 
Leythos

From: "Leythos" <[email protected]>


|
| But you didn't say if you registered McAfee or not? If you don't
| register it, it won't have the updates to catch the latest bad things.
|

NO Registration is needed !

The registration is needed if you want the product to AutoUpdate itself
- the last install we saw was as I said.
 
Guest

David,
I ran Sophos. Here are my results:

1 master boot record swept
47819 files swept
133 errors encountered
no viruses detected
112 encrypted files not checked.

I will run the last one (Trend) later tonight and post back). What do you
think of the results of Sophos? Thank you VERY VERY much for your help.
Bryan
 
David H. Lipman

From: "bryan" <[email protected]>

| David,
| I ran Sophos. Here are my results:
|
| 1 master boot record swept
| 47819 files swept
| 133 errors encountered
| no viruses detected
| 112 encrypted files not checked.
|
| I will run the last one (Trend) later tonight and post back). What do you
| think of the results of Sophos? Thank you VERY VERY much for your help.
| Bryan


Bryan:

With a McAfee and Sophos scan with nothing found, I think that says much.

The 133 errors are files that can't be opened for read such as password protected files and
files that have their respective File Handles held open. It's 'Normal' operation.
 
Guest

Hi David,
Finished the 3rd scan (Trend) with good results again:
virus count: 0
virus clean count: 0
clean fail count: 0
As with Sophos, many files were 'denied access'. I did some homework and
found something in the Microsoft KB which says that problems which sound
similar to mine occur due to monitor driver failure/incompatibility;

http://support.microsoft.com/default.aspx/kb/q218609/

Any ideas on how I should proceed? I would call Dell regarding the KB
article, but two calls to Dell Tech support yielded poor information. Looking
forward to your reply. It's 1:35am EDT (yawn). ONCE AGAIN, THANK YOU VERY
MUCH FOR YOUR EXPERTISE. Bryan
 
Leythos

Do you realize that for all of the time you've spent, that you could
backup the files you created on your own and have restored the entire
computer in a known good state by wiping it and reinstalling everything.
 
Guest

Leythos,
When Dell put this pc together, they gave me a version of XP sp2 with NO
security updates. I spent the entire evening loading 23 updates (Dell told
me to do them 1 at a time but could not explain to me why they did this).
 
Leythos

| Leythos,
| When Dell put this pc together, they gave me a version of XP sp2 with NO
| security updates. I spent the entire evening loading 23 updates (Dell told
| me to do them 1 at a time but could not explain to me why they did this).

If you had XP + SP2, and you have a NAT router to act as a barrier for
your Internet connection (assuming you don't use Dial-Up), then opening
IE, selecting Tools, Windows Update, and letting it install all the
updates as it wants (meaning as many as it wants each time) is the
proper way to do it.

So, now that you've scanned your system with multiple AV tools, in safe
mode and not in safe mode, and they all show your machine as clean. What
problem remains with your system?

If it's still compromised, or you still have applications that don't work
properly, or you really feel the OS is screwed up, then you would be
better off just wiping it and reinstalling everything.

If you were to install Windows XP + SP2 without doing it as an image
restore, meaning you are restoring it as though you bought XP from
BestBuy, it will take about 1 hour to install, then, you have to use the
Dell Drivers CD to install the drivers - about 30 minutes, then you have
to do the Windows Update process - about 30 minutes, then you can load
all your applications. Here's the kicker, if you are not on a protected
network (behind a NAT based system) and you've not secured the system
before you connect to the internet, you will be compromised all over
again.
 
Guest

Although I am planning to eventually move up to high-speed, I am still using
dial up. I would like to look at the information in the Microsoft KB article
which I alluded to in a previous post (although I would like to wait for
David's reply first). The article cites video card/driver incompatibility and
the symptoms sound somewhat similar to what I am experiencing.

http://support.microsoft.com/default.aspx/kb/q218609/

Thank you for your suggestions.
 
Leythos

| Although I am planning to eventually move up to high-speed, I am still using
| dial up. I would like to look at the information in the Microsoft KB article
| which I alluded to in a previous post (although I would like to wait for
| David's reply first). The article cites video card/driver incompatibility and
| the symptoms sound somewhat similar to what I am experiencing.
|
| http://support.microsoft.com/default.aspx/kb/q218609/
|
| Thank you for your suggestions.

So, download the new/updated video driver from the video card vendor's
site and install it in safe mode - or just uninstall the current driver
in safe mode and then it will ask you for the new driver when you reboot
in normal mode.
 
Guest

Leythos,
I am even LESS technical when it comes to this type of thing. I hope the
vendor's site is in the owners manual. Or how do I uninstall the current
driver? And when it asks me for the new driver what do I do? The CD says
documentation so I assume that there are no drivers on the CD? Also, two
types of monitor connectors came with the Dell - a blue and a white. Dell
told me that one is for the older data type (which I am not using). Should I
try to switch lines?
 
Leythos

| Leythos,
| I am even LESS technical when it comes to this type of thing. I hope the
| vendor's site is in the owners manual. Or how do I uninstall the current
| driver? And when it asks me for the new driver what do I do? The CD says
| documentation so I assume that there are no drivers on the CD? Also, two
| types of monitor connectors came with the Dell - a blue and a white. Dell
| told me that one is for the older data type (which I am not using). Should I
| try to switch lines?

If you have to ask these questions and don't have a way to determine the
answer in a format that you can use - take the computer to a computer
shop and have them fix it - you will save time and get it back working.

I still don't know what your problem is and have not found far enough
back to see what you said it was:

What specifically is your EXACT problem?
 
Guest

I MAY HAVE FOUND THE PROBLEM. There is a program called Data Execution
Prevention (DEP). As stated (about 200 posts ago), my microsoft programs were
causing shutdown errors. Before I get the familiar 'Program has encountered a
problem and must close', I get a pop-up menu about DEP. Since I scanned with
about 6 different programs, I feel that my pc is clean, so I disabled DEP for
IE. And now everything works. My only question now is whether I can keep DEP
disabled for IE? Any ideas? Thanks
 
cquirke (MVP Windows shell/user)

bryan said:

What files, i.e. do you mean particular data files, or those programs?

Do you mean "IExplore.exe has ... and will be shut down" dialog boxes?
Or BSoD STOP error screens?
Or do you mean Windows shuts down?

OK, that's always a good test. If starting the program, then going
File, Open and opening the data file that way, is OK - but "opening"
the file in Windows Explorer is not, then you have a file association
problem. Malware is a player in this space, in that patching into
commonly-used file associations is a great way to assert malware
activity without using the more obvious startup axis that is
suppressed in Safe Mode and manageable via MSConfig.

What's more interesting here is the LOCALS~1\Temp part, i.e. your user
account's Temp directory. That's an odd place to put code that you
ever want to see again, and it's odd to integrate code in such a,
well, temporary location (any number of things can clear Temp, and
thus break the integration). Smells like m-a-l-w-a-r-e to me :-(

Even "argh that's too difficult" advice?

OK, the "easy" advice is to trust Safe Mode to suppress the malware,
and run your antivirus from there. When that works (which is a lot of
the time) it will be because the malware simply isn't trying that hard
to retain control of your PC.

But we already suspect the malware's smart enough to patch into the
file associations, and thus is likely to be active in Safe Mode too -
potentially including Safe Mode Cmd Only (if you were to "start" a
file that's associated with the malware).

And that's before you consider other integration methods that may be
less buggy, and thus haven't drawn attention to themselves.


http://cquirke.mvps.org/whatmos.htm covers your maintenance OS
options, i.e. how to tackle malware that "owns" your system without
letting it run first. As the malware could be anywhere within the
infected HD and the chain of code that starts from boot, you'd want to
run NO code off that system at all, when scanning it.

Since I wrote that article, Bart PE has come to the foreground as THE
premier maintenance OS for XP.

MS offers zero for you in this regard, and their own WinPE is so
tightly licensed that hardly anyone uses it (or dares admit doing so -
which stifles public collaboration, development, forum support etc.)

Linux isn't safe to write to NTFS, plus it's hard work to learn
another large and complex OS just so that you can maintain some other
OS that can't wipe its own butt.

DOS mode is still useful, but only if you avoid NTFS and your HD stays
on the happy side of the 137G barrier.


The other option is to drop your HD into a clean PC and scan it from
there - that gives you full access to everything that runs in XP.

Trouble is, it's not enough to simply not boot infected code - you
also have to avoid running infected code as a side-effect of handling
"safe" material that is malformed to exploit itself into raw code
action. XP's not very smart on this, to put it mildly, and unlike a
Bart PE CDR, the host system is not read-only, and thus could be
infected by the drive you are trying to scan.

Links:

http://www.nu2.nu/pebuilder/

Forum support:

http://www.911cd.net/forums//index.php?s=2d8129076720e6e30cc2031100d2b258&showforum=30

<shrug> It's neck-deep in the infected OS. If it found a problem,
whether it fixed it or not, or if it died trying, that would tell you
something. If it says it can't find anything, that tells you less.

You're still working within the infected OS, that's what undermines
any certainty there.

In addition to chasing malware, I'd:
- check the hardware (RAM, HD); DoA components happen
- check AutoChk/ChkDsk logs to see what was "fixed" (=corrupted)
- check av logs to see what was "cleaned" (may be corrupted too)
- review installations, looking for "DLL Hell" effects

But that code integration pointing to Temp really does focus the mind
on malware, and that looks the most likely factor.


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
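As an added illustration of the file-association check described in the post above (this is not code from anyone in this thread, and not a tool the thread mentions), the following Python script reads a Windows .reg export of HKEY_CLASSES_ROOT `shell\open\command` keys and flags two of the patterns discussed: a handler executable that lives under a Temp directory, and an executable file type (exefile, comfile, batfile and similar) whose handler is anything other than running `"%1"` directly, which means some other program is being interposed. The registry fragment embedded below is constructed for the example, and the loader file name in it is a placeholder, not a real indicator.

```python
"""Audit shell\open\command file associations from a .reg export.

Flags handlers that point into a Temp directory and executable types that
have been wrapped by another program. Constructed sample data is embedded so
the script runs offline; on a real machine pass the path of an export made
with `reg export HKCR\exefile exefile.reg` (or a wider export) instead.
"""
import re
import sys

# Constructed sample in .reg export syntax. The txtfile, htmlfile and batfile
# entries are plausible defaults; the exefile entry is a constructed anomaly
# with a placeholder program name sitting in the user's Temp directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\DOCUME~1\\bryan\\LOCALS~1\\Temp\\example-loader.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" -nohome"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

KEY_RE = re.compile(r"^\[(HKEY_CLASSES_ROOT\\[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Types whose default handler runs the file itself; any wrapper is suspect.
SELF_RUN_TYPES = {"exefile", "comfile", "batfile", "cmdfile", "piffile", "scrfile"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def _unescape(value):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_open_commands(reg_text):
    """Yield (progid, command) for every ...\\shell\\open\\command key."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DEFAULT_RE.match(line)
        if m and key and key.lower().endswith("\\shell\\open\\command"):
            progid = key.split("\\")[1]
            yield progid, _unescape(m.group(1))


def handler_executable(command):
    """Return the first token of a shell command: the program that actually runs."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_command(progid, command):
    """Return a list of findings (empty when the handler looks normal)."""
    findings = []
    exe = handler_executable(command)
    if any(marker in exe.lower() for marker in TEMP_MARKERS):
        findings.append("handler lives in a temp directory: " + exe)
    if progid.lower() in SELF_RUN_TYPES and exe != "%1":
        findings.append("executable type is wrapped by another program: " + exe)
    return findings


def audit(reg_text):
    """Map each suspicious progid to its findings."""
    report = {}
    for progid, command in parse_open_commands(reg_text):
        findings = check_command(progid, command)
        if findings:
            report[progid] = findings
    return report


if __name__ == "__main__":
    # Note: reg.exe exports on newer Windows versions are UTF-16; adjust the
    # encoding if the file does not parse.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for progid, findings in audit(text).items():
        for finding in findings:
            print(f"{progid}: {finding}")
```

The check only looks at the handler program, not at what it does, so a clean result is not proof of anything; it simply surfaces the two oddities the post calls out. Reading the export from a maintenance OS or a mounted offline hive avoids the problem the post raises of running the check from inside the suspect system.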
 
cquirke (MVP Windows shell/user)

(e-mail address removed) says...
| If your machine is compromised there is only one way to ensure it's
| clean - load the system restore CD's and wipe everything. When we have
| to certify that a machine is clean, we wipe the drive and reinstall from
| scratch, that's the only way to be sure. No matter how many AV scans
| you run, no matter how many spyware tools you use, they are all
| "reactionary", meaning they don't always have a cure until it's already
| been in the wild and exposed.

Ah, a favorite myth, this.

Not that you know a PC is clean because you scanned it; sure, there's
always some doubt there. The myth is that you can take a PC that has
FAILED to defend itself, wipe and rebuild it to the same level of
exploitability (or considerably more so, thanks to lost patches and
duhfault settings), and assume that won't get infected the same way.

If you never bothered to detect the malware, and thus haven't a clue
how it got in, then what are you doing differently with the rebuild
that's going to make any difference?
| If you want it clean, wipe it and start over - this time get a NAT
| device connected before you start, and don't surf anywhere until you get
| all of the Windows Updates and your AV software installed - and Use
| FireFox as a browser from now on.

Those steps will help, but it's still worth finding out what it is
that you are dealing with, before you wipe away the information that
could have provided that information.

If you're up against a human adversary, then they gain the upper hand;
when your PC vanishes and comes back clean, they know you found out
there was a problem, and they'll be stealthier next time. Whereas
you've learned nothing, and made it impossible to learn anything,
about what your assailant was up to.

Also - that "data" you restored after wiping and starting over; how
sure are you that it is free of malware that can re-spawn?

-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
 
cquirke (MVP Windows shell/user)

| Do you realize that for all of the time you've spent, that you could
| backup the files you created on your own and have restored the entire
| computer in a known good state by wiping it and reinstalling everything.

Two things:

1) It takes longer, the more you do during the install.

Not all of us are content to live with duhfaults, and it can be quite
difficult to find automated ways of doing things that one knows how to
do on an interactive basis. So that makes it longer to rebuild.

2) It takes longer to troubleshoot a recurrence

If you "just" wipe and re-install everything, and then promptly get
re-infected, then what are you going to do - what I did in the first
place? Or are you going to live "Groundhog Day" forever?

If I have to spend time, and can do so in two different ways, I'll
choose the way that teaches me something, and that makes it less
likely for me to have to fight the same battle all over again ;-)


------------------------ ---- --- -- - - - -
Forget http://cquirke.blogspot.com and check out a
better one at http://topicdrift.blogspot.com instead!
 
