Old August 19th 05, 12:49 AM
cquirke (MVP Windows shell/user)

bryan wrote:

> I just purchased a new Dell Dimension 9100 (new line for Dell). I loaded
> Mcafee VirusScan, Firewall and Privacy Service and then downloaded updates
> for Mcafee. I also downloaded all critical Windows Security downloads.


OK

> Everything is working fine except when I work with wordpad/notepad/word
> or other Microsoft programs. At random, when I open these files


What files, i.e. do you mean particular data files, or those programs?

> I receive IE shutdown errors.


Do you mean "IExplore.exe has ... and will be shut down" dialog boxes?
Or BSoD STOP error screens?
Or do you mean Windows shuts down?

> I created a new wordpad and notepad file, saved both and re-opened them:
> everything seemed fine. Then I ran Windows Explorer and when I tried to
> open the wordpad file with explorer, I received IE shutdown errors.


OK, that's always a good test. If starting the program, then going
File, Open and opening the data file that way, is OK - but "opening"
the file in Windows Explorer is not, then you have a file association
problem. Malware is a player in this space, in that patching into
commonly-used file associations is a great way to assert malware
activity without using the more obvious startup axis that is
suppressed in Safe Mode and manageable via MSConfig.

> The error report included:
> C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\drwtsn32.exe.mdmp
> C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\appcompat.txt. The HBT directory
> is one that was created when I first turned on my Dell


What's more interesting here is the LOCALS~1\Temp part, i.e. your user
account's Temp directory. That's an odd place to put code that you
ever want to see again, and it's odd to integrate code in such a,
well, temporary location (any number of things can clear Temp, and
thus break the integration). Smells like m-a-l-w-a-r-e to me :-(

> The errors do not seem to take place along any specific pattern which
> makes this reek of malware. Any advice would be greatly appreciated.


Even "argh that's too difficult" advice?

OK, the "easy" advice is to trust Safe Mode to suppress the malware,
and run your antivirus from there. When that works (which is a lot of
the time) it will be because the malware simply isn't trying that hard
to retain control of your PC.

But we already suspect the malware's smart enough to patch into the
file associations, and thus is likely to be active in Safe Mode too -
potentially including Safe Mode Cmd Only (if you were to "start" a
file that's associated with the malware).

And that's before you consider other integration methods that may be
less buggy, and thus haven't drawn attention to themselves.


http://cquirke.mvps.org/whatmos.htm covers your maintenance OS
options, i.e. how to tackle malware that "owns" your system without
letting it run first. As the malware could be anywhere within the
infected HD and the chain of code that starts from boot, you'd want to
run NO code off that system at all, when scanning it.

Since I wrote that article, Bart PE has come to the foreground as THE
premier maintenance OS for XP.

MS offers zero for you in this regard, and their own WinPE is so
tightly licensed that hardly anyone uses it (or dares admit doing so -
which stifles public collaboration, development, forum support etc.)

Linux isn't safe to write to NTFS, plus it's hard work to learn
another large and complex OS just so that you can maintain some other
OS that can't wipe its own butt.

DOS mode is still useful, but only if you avoid NTFS and your HD stays
on the happy side of the 137G barrier.


The other option is to drop your HD into a clean PC and scan it from
there - that gives you full access to everything that runs in XP.

Trouble is, it's not enough to simply not boot infected code - you
also have to avoid running infected code as a side-effect of handling
"safe" material that is malformed to exploit itself into raw code
action. XP's not very smart on this, to put it mildly, and unlike a
Bart PE CDR, the host system is not read-only, and thus could be
infected by the drive you are trying to scan.

Links:

http://www.nu2.nu/pebuilder/

Forum support:

http://www.911cd.net/forums//index.p...showforum=30

> I ran McAfee virusscan and no problems were found.


*shrug* It's neck-deep in the infected OS. If it found a problem,
whether it fixed it or not, or if it died trying, that would tell you
something. If it says it can't find anything, that tells you less.

> also installed and ran Spybot S&D and Adaware, but no problems were found.


You're still working within the infected OS, that's what undermines
any certainty there.

In addition to chasing malware, I'd:
- check the hardware (RAM, HD); DoA components happen
- check AutoChk/ChkDsk logs to see what was "fixed" (=corrupted)
- check av logs to see what was "cleaned" (may be corrupted too)
- review installations, looking for "DLL Hell" effects

But that code integration pointing to Temp really does focus the mind
on malware, and that looks the most likely factor.



-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -
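
Added example, not part of cquirke's post or bryan's: the file-association hijack described above can be checked without running anything on the suspect system, by exporting HKEY_CLASSES_ROOT (from a maintenance OS or a clean PC with the hive loaded) and walking the same chain Explorer follows on a double-click, `.ext` -> ProgID -> `shell\open\command`, then flagging any handler whose executable lives in a Temp-style directory. The registry dump below is constructed for illustration; the `hook.exe` name in Temp is a hypothetical placeholder, not a known malware file, and the WordPad entry is a normal XP-era association for comparison.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in "reg export HKEY_CLASSES_ROOT" format.  The .txt
# handler is redirected into the user's Temp directory, mirroring the symptom
# in the thread; hook.exe is a hypothetical placeholder name.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
"Content Type"="text/plain"

[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\DOCUME~1\\HBT\\LOCALS~1\\Temp\\WERed75.dir00\\hook.exe \"%1\""

[HKEY_CLASSES_ROOT\.rtf]
@="Wordpad.Document.1"

[HKEY_CLASSES_ROOT\Wordpad.Document.1\shell\open\command]
@="\"C:\\Program Files\\Windows NT\\Accessories\\WORDPAD.EXE\" \"%1\""
"""

HKCR = "hkey_classes_root"
# Directory names that should never hold a registered file handler.
TEMP_DIR_NAMES = {"temp", "tmp", "%temp%", "%tmp%", "temporary internet files"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    r"""Decode a .reg quoted string: drop the quotes, undo \\ and \" escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg(text):
    r"""Parse a .reg export into {key (lowercased): {value name (lowercased): data}}.
    Only REG_SZ strings are decoded; other types are kept as raw line text,
    which is enough to read shell\open\command defaults."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            name = "" if name == "@" else _unquote(name).lower()
            keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def resolve_open_command(reg, ext):
    r"""Follow .ext -> ProgID -> shell\open\command as Explorer does on a
    double-click.  Simplified: the per-user Open With overrides under
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts are
    not consulted here; a real audit should read them too."""
    progid = reg.get(f"{HKCR}\\{ext.lower()}", {}).get("")
    if not progid:
        return None
    return reg.get(f"{HKCR}\\{progid.lower()}\\shell\\open\\command", {}).get("")


def command_executable(cmd):
    """Return the program part of a shell command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_in_temp(exe_path):
    r"""True if any directory component is a Temp-style folder.
    LOCALS~1\Temp is the 8.3 short name of Local Settings\Temp."""
    parts = PureWindowsPath(exe_path).parts
    return any(p.lower() in TEMP_DIR_NAMES for p in parts[:-1])


def audit(reg, extensions):
    """Map each extension to (handler executable or None, flagged?)."""
    report = {}
    for ext in extensions:
        cmd = resolve_open_command(reg, ext)
        if cmd is None:
            report[ext] = (None, False)
            continue
        exe = command_executable(cmd)
        report[ext] = (exe, is_in_temp(exe))
    return report


if __name__ == "__main__":
    for ext, (exe, flagged) in audit(parse_reg(SAMPLE_REG), [".txt", ".rtf", ".doc"]).items():
        print(f"{ext:5} {'SUSPECT' if flagged else 'ok     '} {exe}")
```

Run it against a real export (`reg export HKCR hkcr.reg` from the maintenance OS, or after `reg load` of the suspect SOFTWARE hive on a clean PC) and extend the extension list to whatever the user double-clicks daily. A handler in Temp is a strong signal but not the only one: also compare every flagged and unflagged executable path against what the installed program actually is, since a hijack can just as easily point at a plausibly named file elsewhere.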
