Brand new Dell - already infected?

Guest

I just purchased a new Dell Dimension 9100 (new line for Dell). I loaded
McAfee VirusScan, Firewall and Privacy Service and then downloaded updates
for all of the preceding McAfee programs (there were many). I also
downloaded all critical Windows Security downloads. Everything is working fine except when I
work with wordpad/notepad/word or other Microsoft programs. At random, when
I open these files, I receive IE shutdown errors. I created a new wordpad and
notepad file, saved both and re-opened them: everything seemed fine. Then I
ran Windows Explorer and when I tried to open the wordpad file with explorer,
I received IE shutdown errors. The error report included:
C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\drwtsn32.exe.mdmp
C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\appcompat.txt. The HBT directory
is one that was created when I first turned on my Dell and went through the
initial installation wizard. The errors do not seem to take place along any
specific pattern which makes this reek of malware. Any advice would be
greatly appreciated. I ran McAfee virusscan and no problems were found. I
also installed and ran Spybot S&D and Adaware, but no problems were found.
Any advice would be GREATLY APPRECIATED! Bryan
 
David H. Lipman

From: "bryan" <[email protected]>

| I just purchased a new Dell Dimension 9100 (new line for Dell). I loaded
| McAfee VirusScan, Firewall and Privacy Service and then downloaded updates
| for all of the preceding McAfee programs (there were many). I also
| downloaded all critical Windows Security downloads. Everything is working fine except when I
| work with wordpad/notepad/word or other Microsoft programs. At random, when
| I open these files, I receive IE shutdown errors. I created a new wordpad and
| notepad file, saved both and re-opened them: everything seemed fine. Then I
| ran Windows Explorer and when I tried to open the wordpad file with explorer,
| I received IE shutdown errors. The error report included:
| C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\drwtsn32.exe.mdmp
| C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\appcompat.txt. The HBT directory
| is one that was created when I first turned on my Dell and went through the
| initial installation wizard. The errors do not seem to take place along any
| specific pattern which makes this reek of malware. Any advice would be
| greatly appreciated. I ran McAfee virusscan and no problems were found. I
| also installed and ran Spybot S&D and Adaware, but no problems were found.
| Any advice would be GREATLY APPRECIATED! Bryan


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 
Alan

bryan said:
I just purchased a new Dell Dimension 9100 (new line for Dell). I loaded
McAfee VirusScan, Firewall and Privacy Service and then downloaded updates
for all of the preceding McAfee programs (there were many). I also
downloaded all critical Windows Security downloads. Everything is working fine except when I
work with wordpad/notepad/word or other Microsoft programs. At random, when
I open these files, I receive IE shutdown errors. I created a new wordpad and
notepad file, saved both and re-opened them: everything seemed fine. Then I
ran Windows Explorer and when I tried to open the wordpad file with explorer,
I received IE shutdown errors. The error report included:
C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\drwtsn32.exe.mdmp
C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\appcompat.txt. The HBT directory
is one that was created when I first turned on my Dell and went through the
initial installation wizard. The errors do not seem to take place along any
specific pattern which makes this reek of malware. Any advice would be
greatly appreciated. I ran McAfee virusscan and no problems were found. I
also installed and ran Spybot S&D and Adaware, but no problems were found.
Any advice would be GREATLY APPRECIATED! Bryan

For a brand new Dell you should be calling Dell Tech Support. You
paid for their service in the price of the PC.
 
Guest

Dell tech support does not want to help me despite my support agreement. They
told me that this is a problem with Microsoft programs which is not covered
(which I do not believe). In a prior call, they gave me bad information.
Maybe I spoke to a new person, but for now I guess I will try the above
suggestions. Bryan
 
Leythos

Dell tech support does not want to help me despite my support agreement. They
told me that this is a problem with Microsoft programs which is not covered
(which I do not believe). In a prior call, they gave me bad information.
Maybe I spoke to a new person, but for now I guess I will try the above
suggestions. Bryan

What type of internet connection do you have?

If you have DSL or Cable, then get a NAT Router to connect between your
ISP's router and your computer - this will let you reinstall Windows and
everything else without being compromised in the process.
 
Guest

I am not very technical and am not sure what these instructions mean. When I
run the command it gives me the choices you state. Do I select McAfee? Will
this run a scan that is external to McAfee? I'm confused.
 
David H. Lipman

From: "bryan" <[email protected]>

| I am not very technical and am not sure what these instructions mean. When I
| run the command it gives me the choices you state. Do I select McAfee? Will
| this run a scan that is external to McAfee? I'm confused.

If you choose; McAfee, Trend or Sophos it will automatically go to the respective AV
vendor's web site and download the needed AV command line scanner and signature files. Upon
the download completion and the file extraction (they are distributed in archive formats),
it will ask if you want to run a scan. If the answer is YES, it will then ask if you want to
scan a particular location (such as F: or d:\program files ) either way it will scan either
the selected location or all hard disks and clean the PC of infectors accordingly.

The Multi AV Scanner front end utility will keep the three vendor's files up-to-date and
is an excellent "On Demand" anti virus scanner utility.
 
Guest

Dave,
Thank you for your help. I ran the scan for McAfee in normal mode and
here are the results:

Scanning C: []
Scanning C:\*.*

Summary report on C:\*.*
File(s)
Total files: ........... 137953
Clean: ................. 137808
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:24.49

I ran the c:\AV_CLS\startmenu.BAT and then answered Y to run the scan.
Should I repeat the same steps in safe mode?
 
Leythos

If you choose; McAfee, Trend or Sophos it will automatically go to the respective AV
vendor's web site and download the needed AV command line scanner and signature files.

NO IT WONT - Mcrappy requires you to register the product and agree to a
control being installed before you can get automatic updates. I've seen
more McCrappy protected machines infected due to their now doing
automatic updates without registration.
 
Leythos

I ran the c:\AV_CLS\startmenu.BAT and then answered Y to run the scan.
Should I repeat the same steps in safe mode?

Did you open McCrappy, and select Update? If you did, did you complete
the registration in order to get the updates?

If you didn't complete the on-line registration then you have little
protection.

And yes, it's always best to run AV scans on suspected machines in Safe
Mode.
 
Guest

I rebooted into safe mode and ran C:\AV_CLS\Startmenu.bat. The results were
similar:

Summary report on C:\*.*
File(s)
Total files: ........... 137950
Clean: ................. 137823
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0

What should I do next?
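
An added example (not part of any post in this thread) that parses the two command-line scanner summaries posted above and reports what they establish: zero detections, plus the number of files that appear in the total but in none of the clean, infected or cleaned counters. The function names are hypothetical and the layout is assumed to be exactly as pasted in the posts; the summary does not say why those files are unaccounted for.

```python
import re

# Normal-mode summary as pasted in the thread.
NORMAL_MODE = r"""Summary report on C:\*.*
File(s)
Total files: ........... 137953
Clean: ................. 137808
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0
"""
# The Safe Mode post differs from it only in these two counters.
SAFE_MODE = NORMAL_MODE.replace("137953", "137950").replace("137808", "137823")

SECTIONS = ("File(s)", "Master Boot Record(s)", "Boot Sector(s)")
# "key", optionally followed by ": .... <number>" (dot leaders are padding).
LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*(?::[\s.]*(?P<val>\d+))?\s*$")

def parse_summary(text):
    """Return {section: {counter: int}}; 'Possibly Infected' is kept per section."""
    report, section = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # title line, blank line, timestamps
            continue
        key, val = m.group("key"), m.group("val")
        if key in SECTIONS:
            section = key
            report[section] = {} if val is None else {"Count": int(val)}
        elif section and val is not None:
            report[section][key] = int(val)
    return report

def triage(text):
    """Summarise what the scan does and does not establish."""
    r = parse_summary(text)
    files = r["File(s)"]
    detections = sum(s.get("Possibly Infected", 0) for s in r.values())
    # Files counted in the total but not reported clean, infected or cleaned.
    unaccounted = (files["Total files"] - files["Clean"]
                   - files["Possibly Infected"] - files["Cleaned"])
    return {"detections": detections, "unaccounted": unaccounted,
            "errors": files.get("Non-critical Error(s)", 0)}

if __name__ == "__main__":
    for name, text in (("normal", NORMAL_MODE), ("safe", SAFE_MODE)):
        print(name, triage(text))
```
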
 
Leythos

I rebooted into safe mode and ran C:\AV_CLS\Startmenu.bat. The results were
similar:

But you didn't say if you registered McAfee or not? If you don't
register it, it won't have the updates to catch the latest bad things.
 
Guest

When I installed McAfee, I registered the product and downloaded ALL updates.
I am completely up-to-date with McAfee. Sorry, I thought I had mentioned that
in my original post. Thanks. Now what do I do? Dell says they won't help me
unless I pay them $50 for special support (despite the fact that I have a
support agreement). I should have some support calls free from Microsoft -
right??? I think I'm starting to panic.
 
Leythos

When I installed McAfee, I registered the product and downloaded ALL updates.
I am completely up-to-date with McAfee. Sorry, I thought I had mentioned that
in my original post. Thanks. Now what do I do? Dell says they won't help me
unless I pay them $50 for special support (despite the fact that I have a
support agreement). I should have some support calls free from Microsoft -
right??? I think I'm starting to panic.

If your machine is compromised there is only one way to ensure it's
clean - load the system restore CDs and wipe everything. When we have
to certify that a machine is clean, we wipe the drive and reinstall from
scratch, that's the only way to be sure. No matter how many AV scans
you run, no matter how many spyware tools you use, they are all
"reactionary", meaning they don't always have a cure until it's already
been in the wild and exposed.

Since Dell doesn't have an obligation to support software you've
installed, and since you admitted to them that you messed it up, don't
feel bad about Dell wanting money to help you fix a software issue that
you created.

If you want it clean, wipe it and start over - this time get a NAT
device connected before you start, and don't surf anywhere until you get
all of the Windows Updates and your AV software installed - and Use
FireFox as a browser from now on.
 
Guest

WAIT! I did NOT install any of the ms applications. My Dell came
pre-installed with xp sp2 and Microsoft Office. I did not mess ANYTHING up.
It came this way! Why do you say that I admitted to messing up?
 
Lanwench [MVP - Exchange]

bryan said:
WAIT! I did NOT install any of the ms applications. My Dell came
pre-installed with xp sp2 and Microsoft Office. I did not mess
ANYTHING up. It came this way! Why do you say that I admitted to
messing up?

I don't think you need to take affront here....what I understood Leythos to
mean is that the machine didn't ship to you with a virus on it. That
happened after you started using it.

The issue seems to be that you connected to the Internet without a firewall
enabled. Is that the case? It takes only nanoseconds for you to get hit by
something - and this is true on dialup, as well.

Given that you haven't used the computer much, it may indeed be faster to
reload everything from the recovery CDs.

Also - if you haven't paid for McAfee, you may want to look into another
antivirus program - McAfee isn't a favorite of many of us. I personally like
Trend's PC-Cillin for standalone workstations, but there are as many
 
David H. Lipman

From: "bryan" <[email protected]>

| Dave,
| Thank you for your help. I ran the scan for McAfee in normal mode and
| here are the results:
|
| Scanning C: []
| Scanning C:\*.*
|
| Summary report on C:\*.*
| File(s)
| Total files: ........... 137953
| Clean: ................. 137808
| Possibly Infected: ..... 0
| Cleaned: ............... 0
| Non-critical Error(s): 2
| Master Boot Record(s): ......... 1
| Possibly Infected: ..... 0
| Boot Sector(s): ................ 1
| Possibly Infected: ..... 0
|
| Time: 00:24.49
|
| I ran the c:\AV_CLS\startmenu.BAT and then answered Y to run the scan.
| Should I repeat the same steps in safe mode?

No. You could run Sophos and Trend Micro as a verification. The idea of running in Safe
Mode is if there is an infector found and it is easy to remove in Safe Mode. McAfee AV scan
found no viruses or non-viral malware -- that's good !

{ BTW: 138,000 files in 25 mins. nice speed ;-) }
 
David H. Lipman

From: "Leythos" <[email protected]>

|
| NO IT WONT - Mcrappy requires you to register the product and agree to a
| control being installed before you can get automatic updates. I've seen
| more McCrappy protected machines infected due to their now doing
| automatic updates without registration.
|
| --
|
| (e-mail address removed)
| remove 999 in order to email me

They are NOT MS updates. This is my own scripted front end to McAfee and Sophos' Command
Line Scanners and Trend Micro's Sysclean utility. If you run the script it will provide a
menu and if you choose a scanner module it will do as I indicated.

Give it a shot Leythos !
 
David H. Lipman

From: "Leythos" <[email protected]>

|
| But you didn't say if you registered McAfee or not? If you don't
| register it, it won't have the updates to catch the latest bad things.
|

NO Registration is needed !
 
David H. Lipman

From: "bryan" <[email protected]>

| WAIT! I did NOT install any of the ms applications. My Dell came
| pre-installed with xp sp2 and Microsoft Office. I did not mess ANYTHING up.
| It came this way! Why do you say that I admitted to messing up?


There is confusion in this thread...

Your system is clean, and doubtfully compromised.

Run the Sophos and Trend Micro modules in the Multi AV Scanner utility for verification.
 
