How does this malware target the system?

[Victek]

I recently reinstalled Windows XP for a customer with a badly infected
system. I didn't do a repair - I deleted the partition and did a complete
reinstall. The first time I opened Internet Explorer 6 on the system I got
a pop-up for XP Antivirus 2008, which the customer was getting before the
reinstall. When this happened the system already had SP2 and Trend Micro
2008 fully updated. Is it possible for this malware to hide somewhere and
survive a complete reinstall? Is the customer's IP address is being
targeted? Poisoned DNS? Any ideas appreciated.

 

[Sohtyaelehtreklats]

You did a clean install was it a clean install that included SP2 or was SP2
installed after the install? If the former then it could be DNS. Or did you
restore any backed up files you made before the install, if so then they may
have been infected.

 

[Bullwinkle]

Did you format the disk before installing Windows XP. if you didn't you only
deleted the directory where windows sits.

If you want to do a clean install you need to format the disk during the
install.

Regards,

 

[Gaz]

Did you format the disk before installing Windows XP. if you didn't
you only deleted the directory where windows sits.

If you want to do a clean install you need to format the disk during
the install.

Regards,

The OP said he did a format and a clean install.

Gaz

 

[Gaz]

I recently reinstalled Windows XP for a customer with a badly infected
system. I didn't do a repair - I deleted the partition and did a
complete reinstall. The first time I opened Internet Explorer 6 on
the system I got a pop-up for XP Antivirus 2008, which the customer
was getting before the reinstall. When this happened the system
already had SP2 and Trend Micro 2008 fully updated. Is it possible
for this malware to hide somewhere and survive a complete reinstall? Is
the customer's IP address is being targeted? Poisoned DNS? Any
ideas appreciated.

A few questions.

i) did the install come with sp2, or did you do an sp2 upgrade after
installation?
ii) Does the computer connect to the internet through a router?

Gaz

 

[Victek]

Did you format the disk before installing Windows XP. if you didn't you
only
deleted the directory where windows sits.

If you want to do a clean install you need to format the disk during the
install.

Regards,

I deleted the partition (actually two partitions), created a new partition
and "quick formatted". Quick formatting was possible because the two old
partitions were NTFS. It's a lot faster, but I know it doesn't actually go
through and overwrite every sector.

 

[Victek]

I recently reinstalled Windows XP for a customer with a badly infected

A few questions.

i) did the install come with sp2, or did you do an sp2 upgrade after
installation?
ii) Does the computer connect to the internet through a router?

Gaz

SP2 was included in the OS CD, not added afterward. Regarding the install I
deleted two smaller partitions, created one new large partition and quick
formatted it with NTFS.

The computer connected directly to a DSL modem. The included XP firewall
was turned ON. At the time I didn't think to go into the modem settings to
see if they had been messed with.

 

[Gaz]

SP2 was included in the OS CD, not added afterward. Regarding the
install I deleted two smaller partitions, created one new large
partition and quick formatted it with NTFS.

The computer connected directly to a DSL modem. The included XP
firewall was turned ON. At the time I didn't think to go into the
modem settings to see if they had been messed with.

Some versions of java, which might come preinstalled on some manufacturer's
xp cds were susceptible to such infections without any further intervention
by the user.

The use of a usb modem of course, even with the sp2 firewall on, exposes an
unpatched ie6 in a way that a router wouldnt.

Gaz

 

[Gabriele Neukam]

The first time I opened Internet Explorer 6 on the system I got a pop-up for
XP Antivirus 2008, which the customer was getting before the reinstall.

My sister had pop ups of the fakealert kind although the Microsoft
Messenger was de-activated, after hitting the wrong button once in a
message box; and I had a hard time getting the trojan off her machine.

The message that made her download the trojan, was accessed via Google
Toolbar, or more precisely its chat line.


Gabriele Neukam

(e-mail address removed)