Virus in XP?

CoolMoD

I have a student in my A+ intro class that has the following problem on his
HP running XP Home:

- First he was invaded with spyware which he thought he cleared. Now he's
slowly losing everything on his computer (Start | All Programs is blank,
icons are disappearing, sections of the Registry are disappearing, etc.) His
\Windows directory has about 40 subdirectories that start out with
$upuninstall... and contain entries saying the shell32.dll is being moved.
Internet research says this has to do with a Service Pack update. Problem
is, he's never loaded an SP upgrade.

- So, we attempted to FDISK the hard drive. Here's the big problem: No
access to floppy or CD-ROM drive (will read the directory on CD-ROM but not
allow access to any .exe). CMOS has both as booting to before HD but
computer refuses to recognize anything in those drives nor boot to them.

My guess is some type of CMOS / Boot Sector virus but Norton AV (before that
too stopped working) didn't find anything.

Any ideas? I've toyed with the idea of hooking it up as a slave to a junk
computer we have in class and trying to FDISK with a startup disk.

Any advice would be greatly appreciated.

Don

Yves Leclerc

SP2 get automatically installed if Automatic Updates is turned on.

To re-format the system completely, you will need to boot from the XP
install CD, since this is the ONLY startup disk that will allow you to
completely re-install XP. Once booted, remove the XP partition(s) and
recreate them. Then, let XP install itself.

Raymond J. Johnson Jr.

| SP2 get automatically installed if Automatic Updates is turned on.
|
| To re-format the system completely, you will need to boot from the XP
| install CD, since this is the ONLY startup disk that will allow you to
| completely re-install XP. Once booted, remove the XP partition(s) and
| recreate them. Then, let XP install itself.
|

Great. And how will the OP do that if the CD drive won't read the disk at
boot time?

Nepatsfan

If you check the documentation for his MB there should be jumpers that can
be used to reset the BIOS to the factory settings. You might also want to
pull the CMOS battery as well. Now see if you can change the boot order and
access the floppy and/or CD drive. Keep in mind that if the machine needed a
BIOS upgrade before, it would now have to be reinstalled. Good luck.

Nepatsfan

Leythos

Any ideas? I've toyed with the idea of hooking it up as a slave to a junk
computer we have in class and trying to FDISK with a startup disk.

Reset the BIOS to defaults - pull the battery, short the pins according
to the user manual.

Set the BIOS to allow booting from the CD-ROM drive.

Make sure that the CD-ROM drive is properly installed, not off of a
sound card.

Place the XP Full Version disk in the drive, boot computer.

If this is a new computer you might be asked to press a key to boot from
CD.

If you can't boot from this CD-ROM drive, get another CD-ROM drive. If
the system won't allow the selection of BOOT from CD, then you need to
make a BOOTABLE DISKETTE with CD-ROM Drivers.

CoolMoD

Thanks all,

You gave me some good ideas. I'll try them when our class meets next.

Don

NobodyMan

I have a student in my A+ intro class that has the following problem on his
HP running XP Home:

- First he was invaded with spyware which he thought he cleared. Now he's
slowly losing everything on his computer (Start | All Programs is blank,
icons are disappearing, sections of the Registry are disappearing, etc.) His
\Windows directory has about 40 subdirectories that start out with
$upuninstall... and contain entries saying the shell32.dll is being moved.
Internet research says this has to do with a Service Pack update. Problem
is, he's never loaded an SP upgrade.

- So, we attempted to FDISK the hard drive. Here's the big problem: No
access to floppy or CD-ROM drive (will read the directory on CD-ROM but not
allow access to any .exe). CMOS has both as booting to before HD but
computer refuses to recognize anything in those drives nor boot to them.

My guess is some type of CMOS / Boot Sector virus but Norton AV (before that
too stopped working) didn't find anything.

Any ideas? I've toyed with the idea of hooking it up as a slave to a junk
computer we have in class and trying to FDISK with a startup disk.

Any advice would be greatly appreciated.

Don

Please don't take this the wrong way, but this isn't a large and
complicated problem, and can be fixed pretty easily and finished in
less than a few hours. Yet you ask for help here. Are you sure you
should be teaching an A+ class?

Bruce Chambers

CoolMoD said:
I have a student in my A+ intro class that has the following problem on his
HP running XP Home:

- First he was invaded with spyware which he thought he cleared. Now he's
slowly losing everything on his computer (Start | All Programs is blank,
icons are disappearing, sections of the Registry are disappearing, etc.) His
\Windows directory has about 40 subdirectories that start out with
$upuninstall... and contain entries saying the shell32.dll is being moved.
Internet research says this has to do with a Service Pack update. Problem
is, he's never loaded an SP upgrade.

- So, we attempted to FDISK the hard drive.

FDisk is an old MS-DOS utility that is neither available or needed
in WinXP.

Formatting the hard drive to solve a virus or spyware problem is
rather like using an axe to trim one's fingernails. Sure, it'll
probably get the job done, but it's rather messy...., and almost
always unnecessary.

My guess is some type of CMOS / .... virus but Norton AV (before that
too stopped working) didn't find anything.

Nothing was found, because there's no such thing. I hope you're
another student in that A+ class and not the instructor.

--

Bruce Chambers

Help us help you:

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH

Leythos

Formatting the hard drive to solve a virus or spyware problem is
rather like using an axe to trim one's fingernails. Sure, it'll
probably get the job done, but it's rather messy...., and almost
always unnecessary.

Not true in many cases. Once a machine has been compromised, even the
best of us would not stake our reputations on it being cleaned without a
wipe/reinstall.

I have a typical legal disclaimer that the atty's provided - it states
that when cleaning infected machines, unless we've wiped/reinstalled the
machine, that we can not guarantee that we returned it in a completely
uninfected state.

I've had one system, a clients friend, that had a number of dialers and
trojans installed. I spent 6 hours (not sitting in front of it during
the scans) trying to clean it - I really hate to let the buggers get the
best of me. When it came down to it, I was as sure as I could be that it
was clean, but, considering this was a contract job, company on the
line, reputation on the line, I told the person that the only way I
could assure him that it is clean when returned is to wipe/reinstall
everything behind a firewall. I didn't think he needed another $700
phone bill.

This is the only machine, in years, that I was uncertain about, and I
would never have given him a certification of clean unless I had wiped
it.

Alex Nichol

CoolMoD said:
- So, we attempted to FDISK the hard drive. Here's the big problem: No
access to floppy or CD-ROM drive (will read the directory on CD-ROM but not
allow access to any .exe). CMOS has both as booting to before HD but
computer refuses to recognize anything in those drives nor boot to them.

You do not use an independent boot and FDISK to clean off an XP drive
and format it. You do it as part of a reinstall of the system after
booting the XP CD direct. Enter Setup, and after the license agreement
take New Install. When it asks you to confirm where, hit ESC; select
and delete the current partition and make a new RAW one to be formatted
at the next stage

The important point is the delete. Without that it will just go ahead
and make a new install over the top of the old one

cquirke (MVP Win9x)

On Tue, 7 Dec 2004 14:15:56 -0500, "Yves Leclerc"
SP2 get automatically installed if Automatic Updates is turned on.

If this is an SP2 issue, I'll catch it when I get down there :)

To re-format the system completely, you will need to boot from the XP
install CD, since this is the ONLY startup disk that will allow you to
completely re-install XP.

False. Yes, you need the CD; no, you don't have to boot from it, and
to assert control, you may have to *avoid* booting from it.
Once booted, remove the XP partition(s) and
recreate them. Then, let XP install itself.

If you do that, you will likely end up with one big C: that is
formatted as NTFS, with Windows installed to the default directory.
That may not be what you want, but it's all you can get - this way.

To assert a different installation path, you'd want to run the XP
setup with a command line parameter that points to a response file.
In this file, you regain some of the control that Win9x would have
given you, e.g. installation path, tho you may have to jump through
some hoops. For example, SP1 will ignore your choice of installation
path unless you first create an (empty) C:\WINDOWS, which you can then
delete afterwards, after verifying XP is not installed in there.

To control partitioning, you should first boot off an OS with a
competent partitioning tool, and use that to create and format the
partitions and volumes you want. I'd use a BING diskette from
www.bootitng.com (after cancelling "install" to get partition
maintenance mode) for that - unlike XP, it can create and format FAT32
volumes > 32G (XP will screw that up so you think you have to NTFS)

You are trying to paper over a disaster - which may be malware
infection, or hardware flakiness for all we know (I don't read that
you've done anything to exclude that; I suspect you are just assuming
the hardware's OK, even tho the PC is clearly *not* OK).

Whatever you were doing to keep the PC safe (forget about "secure")
has clearly FAILED. So rebuilding the same doomed mess is a waste of
time - better to find out:
- what attacked you
- how it got in (your screw-up, or the OS screwed up for you)
- how to prevent this happening again

Design flaws can run malware on your behalf; fix is risk management.
Code flaws can run malware on your behalf; fix is to patch before 'net
If you click malware into action, then fix your "safe hex" skills :)


-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.

cquirke (MVP Win9x)

CoolMoD wrote:
FDisk is an old MS-DOS utility that is neither available or needed
in WinXP.

Something is needed in XP if you want to create FAT32 volumes over 32G
in size, because XP's too brain-dead to do that. But FDisk doesn't
fit the bill well; it has capacity issues at around 50G (Win95/98) and
again at 99G (fixed 95/98, ME) before hitting the wall at 137G.

So instead, I use BING from www.bootitng.com

Formatting the hard drive to solve a virus or spyware problem is
rather like using an axe to trim one's fingernails. Sure, it'll
probably get the job done, but it's rather messy...., and almost
always unnecessary.

Amen! And because you learn nothing, and fall back to original
unpatched state, your malware hassles will just come back.

Nothing was found, because there's no such thing.

Specifically, true CMOS/BIOS infectors have yet to arise.

You can, however, see:
- CMOS settings changes inflicted by malware, e.g. A: = None
- wiped flash BIOS so motherboard will not POST
- infected boot diskettes, if not write-protected
- infected "data" backups
- infected (at time of creation) CDRs and counterfeit CD-ROMs
- immediately infectable installations (anything < SP2)

On "infected data backups", bear in mind that...
- IE may dump downloads in My Docs by duhfault
- MS Messenger dumps incoming attachments in My Docs
- .PST and OE mailboxes hide received attachments
- IE's engine can be exploited to auto-run code in HTML
- OE and Outlook use IE's engine to (pre-)view "messages"
- MS Office "documents" may contain autorunning malware
- Desktop.ini can be used to autorun code when dir is viewed
....and join the dots from there.

--------------- ----- ---- --- -- - - -
Never turn your back on an installer program
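
As an added example, not something posted in the thread: a small Python script that walks a backup folder and flags the carrier types cquirke lists above (executables and scripts, Office documents, mailbox stores that hide attachments, HTML content, Desktop.ini) so they can be reviewed before the data is restored onto a rebuilt machine. It also reads the first two bytes of each file, so a renamed executable (an MZ header behind a .jpg name) is caught regardless of its extension. The category names, the extension lists and the constructed sample tree are assumptions of this example, not anything from the thread.

```python
"""Triage a backup folder before restoring it onto a rebuilt PC.

Added example, not code from the thread. Walks a directory tree and
flags files of the kinds the post above names as carriers of infection
in "data" backups. Flagged items are returned for manual review;
nothing is deleted or modified.
"""
import os
import tempfile

# Extension lists are assumptions chosen for this example.
RISK_CATEGORIES = {
    "executable": {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".wsf", ".hta"},
    "office_document": {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps"},
    "mailbox_store": {".pst", ".dbx"},
    "html_content": {".htm", ".html", ".mht"},
}


def classify(path):
    """Return a risk category for one file, or None if it is not flagged."""
    name = os.path.basename(path).lower()
    if name == "desktop.ini":
        # Explorer reads this when the folder is viewed; it can point at
        # other files, so it deserves a look before the folder is restored.
        return "folder_customisation"
    # Only the final suffix counts, so "photo.jpg.exe" is still an .exe.
    _, ext = os.path.splitext(name)
    for category, exts in RISK_CATEGORIES.items():
        if ext in exts:
            return category
    # Content check: a PE/DOS executable starts with "MZ" whatever it is
    # called, so an innocuous-looking name with that header is suspicious.
    try:
        with open(path, "rb") as fh:
            if fh.read(2) == b"MZ":
                return "disguised_executable"
    except OSError:
        pass
    return None


def triage_backup(root):
    """Walk `root`; return sorted (relative_path, category) pairs to review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            category = classify(full)
            if category:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, category))
    return sorted(findings)


def build_sample_backup():
    """Create a constructed sample 'My Documents' backup in a temp dir."""
    root = tempfile.mkdtemp(prefix="backup_triage_")
    layout = {  # constructed contents; only the first bytes matter
        "letter.doc": b"sample",
        "notes.txt": b"plain text",
        "photo.jpg": b"\xff\xd8",              # real JPEG header, not flagged
        "holiday.jpg": b"MZ\x90\x00",          # executable renamed to .jpg
        "photo.jpg.exe": b"MZ",
        "Downloads/setup.exe": b"MZ",
        "Mail/outlook.pst": b"!BDN",
        "Pictures/Desktop.ini": b"[.ShellClassInfo]\r\n",
        "saved_page.html": b"<html></html>",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample = build_sample_backup()
    for rel, cat in triage_backup(sample):
        print(f"{cat:22} {rel}")
```

The script reports rather than cleans: the point of the post is that a restore set can reinfect a freshly rebuilt machine, so every flagged item should be opened only on a machine you are prepared to rebuild again, or dropped from the restore altogether.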

cquirke (MVP Win9x)

Not true in many cases. Once a machine has been compromised, even the
best of us would not stake our reputations on it being cleaned without a
wipe/reinstall.

Having the PC clean for a few moments before it hits the 'net or has
infected data restored, may be technically meeting your task
objective, but may fail to meet user expectations.

If you don't know what infected the system, and how it did so, how can
you presume it won't happen again?


-------------------- ----- ---- --- -- - - - -
Tip Of The Day:
To disable the 'Tip of the Day' feature...