A Windows XP help forum. PCbanter



Brand new Dell - already infected?



 
 
  #16  
Old August 17th 05, 04:10 PM
bryan

No. You could run Sophos and Trend Micro as a verification. The idea of
running in Safe
Mode is if there is an infector found and it is easy to remove in Safe Mode.
McAfee AV scan
found no viruses or non-viral malware -- that's good !

ok David. I will try Sophos and Trend tonight, although I do not have Sophos
or Trend on my pc. Only Mcafee VirusScan, Privacy and Firewall along with
Spywareblaster for prevention.

"David H. Lipman" wrote:

From: "bryan"

| Dave,
| Thank you for your help. I ran the scan for Mcafee in normal mode and
| here are the results:
|
| Scanning C: []
| Scanning C:\*.*
|
| Summary report on C:\*.*
| File(s)
| Total files: ........... 137953
| Clean: ................. 137808
| Possibly Infected: ..... 0
| Cleaned: ............... 0
| Non-critical Error(s): 2
| Master Boot Record(s): ......... 1
| Possibly Infected: ..... 0
| Boot Sector(s): ................ 1
| Possibly Infected: ..... 0
|
| Time: 00:24.49
|
| I ran the c:\AV_CLS\startmenu.BAT and then answered Y to run the scan.
| Should I repeat the same steps in safe mode?

No. You could run Sophos and Trend Micro as a verification. The idea of running in Safe
Mode is if there is an infector found and it is easy to remove in Safe Mode. McAfee AV scan
found no viruses or non-viral malware -- that's good !

{ BTW: 138,000 files in 25 mins. nice speed ;-) }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



  #17  
Old August 17th 05, 04:51 PM
David H. Lipman

From: "bryan"

| No. You could run Sophos and Trend Micro as a verification. The idea of
| running in Safe
| Mode is if there is an infector found and it is easy to remove in Safe Mode.
| McAfee AV scan
| found no viruses or non-viral malware -- that's good !
|
| ok David. I will try Sophos and Trend tonight, although I do not have Sophos
| or Trend on my pc. Only Mcafee VirusScan, Privacy and Firewall along with
| Spywareblaster for prevention.


Both the Trend Micro Sysclean and the Sophos command line scanner are in the Multi AV scanner
utility I posted.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #18  
Old August 17th 05, 04:53 PM
David H. Lipman

From: "bryan"

REPOST:



Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove
viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #19  
Old August 18th 05, 12:09 AM
bryan

David,
I ran Sophos. Here are my results:

1 master boot record swept
47819 files swept
133 errors encountered
no viruses detected
112 encrypted files not checked.

I will run the last one (Trend) later tonight and post back. What do you
think of the results of Sophos? Thank you VERY VERY much for your help.
Bryan

"David H. Lipman" wrote:

From: "Leythos"

| In article ,
| says...
If you choose; McAfee, Trend or Sophos it will automatically go to the respective AV
vendor's web site and download the needed AV command line scanner and signature files.

|
| NO IT WONT - Mcrappy requires you to register the product and agree to a
| control being installed before you can get automatic updates. I've seen
| more McCrappy protected machines infected due to their now doing
| automatic updates without registration.
|
| --
|
|
| remove 999 in order to email me

They are NOT MS updates. This is my own scripted front end to McAfee and Sophos' Command
Line Scanners and Trend Micro's Sysclean utility. If you run the script it will provide a
menu and if you choose a scanner module it will do as I indicated.

Give it a shot Leythos !

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



  #20  
Old August 18th 05, 01:09 AM
David H. Lipman

From: "bryan"

| David,
| I ran Sophos. Here are my results:
|
| 1 master boot record swept
| 47819 files swept
| 133 errors encountered
| no viruses detected
| 112 encrypted files not checked.
|
| I will run the last one (Trend) later tonight and post back. What do you
| think of the results of Sophos? Thank you VERY VERY much for your help.
| Bryan


Bryan:

With a McAfee and Sophos scan with nothing found, I think that says much.

The 133 errors are files that can't be opened for read such as password protected files and
files that have their respective File Handles held open. It's 'Normal' operation.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #21  
Old August 18th 05, 06:38 AM
bryan

Hi David,
Finished the 3rd scan (Trend) with good results again:
virus count: 0
virus clean count: 0
clean fail count: 0
As with Sophos, many files were 'denied access'. I did some homework and
found something in the Microsoft KB which says that problems which sound
similar to mine occur due to monitor driver failure/incompatibility;

http://support.microsoft.com/default.aspx/kb/q218609/

Any ideas on how I should proceed? I would call Dell regarding the KB
article, but two calls to Dell Tech support yielded poor information. Looking
forward to your reply. It's 1:35am EDT (yawn). ONCE AGAIN, THANK YOU VERY
MUCH FOR YOUR EXPERTISE. Bryan

"David H. Lipman" wrote:

From: "bryan"

| David,
| I ran Sophos. Here are my results:
|
| 1 master boot record swept
| 47819 files swept
| 133 errors encountered
| no viruses detected
| 112 encrypted files not checked.
|
| I will run the last one (Trend) later tonight and post back. What do you
| think of the results of Sophos? Thank you VERY VERY much for your help.
| Bryan


Bryan:

With a McAfee and Sophos scan with nothing found, I think that says much.

The 133 errors are files that can't be opened for read such as password protected files and
files that have their respective File Handles held open. It's 'Normal' operation.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



  #22  
Old August 18th 05, 04:01 PM
bryan

Leythos,
When Dell put this pc together, they gave me a version of XP sp2 with NO
security updates. I spent the entire evening loading 23 updates (Dell told
me to do them 1 at a time but could not explain to me why they did this).

"Leythos" wrote:

Do you realize that for all of the time you've spent, that you could
back up the files you created on your own and have restored the entire
computer in a known good state by wiping it and reinstalling everything.



In article ,
says...
Hi David,
Finished the 3rd scan (Trend) with good results again:
virus count: 0
virus clean count: 0
clean fail count: 0
As with Sophos, many files were 'denied access'. I did some homework and
found something in the Microsoft KB which says that problems which sound
similar to mine occur due to monitor driver failure/incompatibility;

http://support.microsoft.com/default.aspx/kb/q218609/

Any ideas on how I should proceed? I would call Dell regarding the KB
article, but two calls to Dell Tech support yielded poor information. Looking
forward to your reply. It's 1:35am EDT (yawn). ONCE AGAIN, THANK YOU VERY
MUCH FOR YOUR EXPERTISE. Bryan

"David H. Lipman" wrote:

From: "bryan"

| David,
| I ran Sophos. Here are my results:
|
| 1 master boot record swept
| 47819 files swept
| 133 errors encountered
| no viruses detected
| 112 encrypted files not checked.
|
| I will run the last one (Trend) later tonight and post back. What do you
| think of the results of Sophos? Thank you VERY VERY much for your help.
| Bryan


Bryan:

With a McAfee and Sophos scan with nothing found, I think that says much.

The 133 errors are files that can't be opened for read such as password protected files and
files that have their respective File Handles held open. It's 'Normal' operation.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm





--


remove 999 in order to email me

  #23  
Old August 18th 05, 05:51 PM
bryan

Although I am planning to eventually move up to high-speed, I am still using
dial up. I would like to look at the information in the Microsoft KB article
which I alluded to in a previous post (although I would like to wait for
David's reply first). The article cites video card/driver incompatibility and
the symptoms sound somewhat similar to what I am experiencing.

http://support.microsoft.com/default.aspx/kb/q218609/

Thank you for your suggestions.

"Leythos" wrote:

In article ,
says...
Leythos,
When Dell put this pc together, they gave me a version of XP sp2 with NO
security updates. I spent the entire evening loading 23 updates (Dell told
me to do them 1 at a time but could not explain to me why they did this).


If you had XP + SP2, and you have a NAT router to act as a barrier for
your Internet connection (assuming you don't use Dial-Up), then opening
IE, selecting Tools, Windows Update, and letting it install all the
updates as it wants (meaning as many as it wants each time) is the
proper way to do it.

So, now that you've scanned your system with multiple AV tools, in safe
mode and not in safe mode, and they all show your machine as clean. What
problem remains with your system?

If it's still compromised, or you still have application that don't work
properly, or you really feel the OS is screwed up, then you would be
better off just wiping it and reinstalling everything.

If you were to install Windows XP + SP2 without doing it as an image
restore, meaning you are restoring it as though you bought XP from
BestBuy, it will take about 1 hour to install, then, you have to use the
Dell Drivers CD to install the drivers - about 30 minutes, then you have
to do the Windows Update process - about 30 minutes, then you can load
all your applications. Here's the kicker, if you are not on a protected
network (behind a NAT based system) and you've not secured the system
before you connect to the internet, you will be compromised all over
again.



--


remove 999 in order to email me

  #24  
Old August 18th 05, 08:43 PM
bryan

Leythos,
I am even LESS technical when it comes to this type of thing. I hope the
vendor's site is in the owners manual. Or how do I uninstall the current
driver? And when it asks me for the new driver what do I do? The CD says
documentation so I assume that there are no drivers on the CD? Also, two
types of monitor connectors came with the Dell - a blue and a white. Dell
told me that one is for the older data type (which I am not using). Should I
try to switch lines?


"Leythos" wrote:

In article ,
says...
Although I am planning to eventually move up to high-speed, I am still using
dial up. I would like to look at the information in the Microsoft KB article
which I alluded to in a previous post (although I would like to wait for
David's reply first). The article cites video card/driver incompatibility and
the symptoms sound somewhat similar to what I am experiencing.

http://support.microsoft.com/default.aspx/kb/q218609/

Thank you for your suggestions.


So, download the new/updated video driver from the video card vendor's
site and install it in safe mode - or just uninstall the current driver
in safe mode and then it will ask you for the new driver when you reboot
in normal mode.

--


remove 999 in order to email me

  #25  
Old August 18th 05, 11:06 PM
bryan

I MAY HAVE FOUND THE PROBLEM. There is a program called Data Execution
Prevention (DEP). As stated (about 200 posts ago), my microsoft programs were
causing shutdown errors. Before I get the familiar 'Program has encountered a
problem and must close', I get a pop-up menu about DEP. Since I scanned with
about 6 different programs, I feel that my pc is clean, so I disabled DEP for
IE. And now everything works. My only question now is whether I can keep DEP
disabled for IE? Any ideas? Thanks

"Leythos" wrote:

In article ,
says...
Leythos,
I am even LESS technical when it comes to this type of thing. I hope the
vendor's site is in the owners manual. Or how do I uninstall the current
driver? And when it asks me for the new driver what do I do? The CD says
documentation so I assume that there are no drivers on the CD? Also, two
types of monitor connectors came with the Dell - a blue and a white. Dell
told me that one is for the older data type (which I am not using). Should I
try to switch lines?


If you have to ask these questions and don't have a way to determine the
answer in a format that you can use - take the computer to a computer
shop and have them fix it - you will save time and get it back working.

I still don't know what your problem is and have not found far enough
back to see what you said it was:

What specifically is your EXACT problem?


--


remove 999 in order to email me

  #26  
Old August 19th 05, 12:49 AM
cquirke (MVP Windows shell/user)

bryan wrote:

I just purchased a new Dell Dimension 9100 (new line for Dell). I loaded
Mcafee VirusScan, Firewall and Privacy Service and then downloaded updates
for Mcafee. I also downloaded all critical Windows Security downloads.


OK

Everything is working fine except when I work with wordpad/notepad/word
or other Microsoft programs. At random, when I open these files


What files, i.e. do you mean particular data files, or those programs?

I receive IE shutdown errors.


Do you mean "IExplore.exe has ... and will be shut down" dialog boxes?
Or BSoD STOP error screens?
Or do you mean Windows shuts down?

I created a new wordpad and notepad file, saved both and re-opened them:
everything seemed fine. Then I ran Windows Explorer and when I tried to
open the wordpad file with explorer, I received IE shutdown errors.


OK, that's always a good test. If starting the program, then going
File, Open and opening the data file that way, is OK - but "opening"
the file in Windows Explorer is not, then you have a file association
problem. Malware is a player in this space, in that patching into
commonly-used file associations is a great way to assert malware
activity without using the more obvious startup axis that is
suppressed in Safe Mode and manageable via MSConfig.

The error report included:
C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\drwtsn32.exe.mdmp
C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\appcompat.txt. The HBT directory
is one that was created when I first turned on my Dell


What's more interesting here is the LOCALS~1\Temp part, i.e. your user
account's Temp directory. That's an odd place to put code that you
ever want to see again, and it's odd to integrate code in such a,
well, temporary location (any number of things can clear Temp, and
thus break the integration). Smells like m-a-l-w-a-r-e to me :-(

The errors do not seem to take place along any specific pattern which
makes this reek of malware. Any advice would be greatly appreciated.


Even "argh that's too difficult" advice?

OK, the "easy" advice is to trust Safe Mode to suppress the malware,
and run your antivirus from there. When that works (which is a lot of
the time) it will be because the malware simply isn't trying that hard
to retain control of your PC.

But we already suspect the malware's smart enough to patch into the
file associations, and thus is likely to be active in Safe Mode too -
potentially including Safe Mode Cmd Only (if you were to "start" a
file that's associated with the malware).

And that's before you consider other integration methods that may be
less buggy, and thus haven't drawn attention to themselves.


http://cquirke.mvps.org/whatmos.htm covers your maintenance OS
options, i.e. how to tackle malware that "owns" your system without
letting it run first. As the malware could be anywhere within the
infected HD and the chain of code that starts from boot, you'd want to
run NO code off that system at all, when scanning it.

Since I wrote that article, Bart PE has come to the foreground as THE
premier maintenance OS for XP.

MS offers zero for you in this regard, and their own WinPE is so
tightly licensed that hardly anyone uses it (or dares admit doing so -
which stifles public collaboration, development, forum support etc.)

Linux isn't safe to write to NTFS, plus it's hard work to learn
another large and complex OS just so that you can maintain some other
OS that can't wipe its own butt.

DOS mode is still useful, but only if you avoid NTFS and your HD stays
on the happy side of the 137G barrier.


The other option is to drop your HD into a clean PC and scan it from
there - that gives you full access to everything that runs in XP.

Trouble is, it's not enough to simply not boot infected code - you
also have to avoid running infected code as a side-effect of handling
"safe" material that is malformed to exploit itself into raw code
action. XP's not very smart on this, to put it mildly, and unlike a
Bart PE CDR, the host system is not read-only, and thus could be
infected by the drive you are trying to scan.

Links:

http://www.nu2.nu/pebuilder/

Forum support:

http://www.911cd.net/forums//index.p...showforum=30

I ran McAfee virusscan and no problems were found.


shrug It's neck-deep in the infected OS. If it found a problem,
whether it fixed it or not, or if it died trying, that would tell you
something. If it says it can't find anything, that tells you less.

also installed and ran Spybot S&D and Adaware, but no problems were found.


You're still working within the infected OS, that's what undermines
any certainty there.

In addition to chasing malware, I'd:
- check the hardware (RAM, HD); DoA components happen
- check AutoChk/ChkDsk logs to see what was "fixed" (=corrupted)
- check av logs to see what was "cleaned" (may be corrupted too)
- review installations, looking for "DLL Hell" effects

But that code integration pointing to Temp really does focus the mind
on malware, and that looks the most likely factor.



-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -
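cquirke's point above, that malware can persist by patching the file association commands that Explorer uses to "open" a document, and that a handler living under a user's Temp directory is itself a warning sign, can be turned into a check. The script below is an added example and is not code from the thread or from any poster: it parses a Registry export (a `.reg` file) of `HKEY_CLASSES_ROOT\<ProgID>\shell\open\command` keys and flags any handler that launches from a Temp directory or that differs from the stock Windows XP value for `txtfile` and `exefile`. The sample export, including the `hook.exe` path, is constructed for illustration; the two stock XP defaults are real.

```python
"""Audit exported file-association keys for suspicious open handlers.

Added example (not from the original thread). Input is the text of a
`reg export HKCR\<ProgID>\shell\open\command` style .reg file.
"""
import re

# Stock Windows XP handlers for two ProgIDs that malware commonly targets.
# Entries set to None get only the Temp-directory check.
EXPECTED = {
    "txtfile": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    "exefile": r'"%1" %*',
    "Word.Document.8": None,  # vendor path varies by Office version
}

# Path fragments that should never host a shell handler.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")

# Constructed sample export: txtfile is stock, exefile has been redirected
# to a (hypothetical) hook.exe under the user's Temp directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\DOCUME~1\\HBT\\LOCALS~1\\Temp\\hook.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\Word.Document.8\shell\open\command]
@="\"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE\" /n /dde"
'''

SECTION_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def unescape_reg_string(s):
    """Undo the escaping regedit applies to REG_SZ values in a .reg export."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_open_commands(reg_text):
    """Return {progid: command line} for every shell\\open\\command key."""
    commands = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("["):      # some other key: stop collecting
            current = None
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m and current:
            commands[current] = unescape_reg_string(m.group(1))
    return commands


def handler_executable(command):
    """Extract the program path from a shell command line (quoted or not)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit_open_commands(reg_text):
    """Return a list of (progid, reason, detail) findings."""
    findings = []
    for progid, command in parse_open_commands(reg_text).items():
        exe = handler_executable(command)
        if any(marker in exe.lower() for marker in TEMP_MARKERS):
            findings.append((progid, "handler runs from a Temp directory", exe))
        expected = EXPECTED.get(progid)
        if expected is not None and command.lower() != expected.lower():
            findings.append((progid, "handler differs from stock XP default", command))
    return findings


if __name__ == "__main__":
    for progid, reason, detail in audit_open_commands(SAMPLE_REG):
        print(f"[{progid}] {reason}: {detail}")
```

On a live XP system the input would come from `reg export HKCR\exefile\shell\open\command out.reg` run from a maintenance OS such as the Bart PE environment cquirke recommends, so the check does not depend on the possibly compromised OS being honest about its own Registry. The comparison is case-insensitive because the Registry itself is.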

  #27  
Old August 19th 05, 12:58 AM
cquirke (MVP Windows shell/user)

On Wed, 17 Aug 2005 12:16:17 GMT, Leythos wrote:
says...


When I installed Mcafee, I registered the product and downloaded ALL updates.
I am completely up-to-date with Mcafee. Sorry, I thought I had mentioned that
in my original post. Thanks. Now what do I do?


If your machine is compromised there is only one way to ensure it's
clean - load the system restore CD's and wipe everything. When we have
to certify that a machine is clean, we wipe the drive and reinstall from
scratch, that's the only way to be sure. No matter how many AV scan's
you run, no matter how many spyware tools you use, they are all
"reactionary", meaning they don't always have a cure until it's already
been in the wild and exposed.


Ah, a favorite myth, this.

Not that you know a PC is clean because you scanned it; sure, there's
always some doubt there. The myth is that you can take a PC that has
FAILED to defend itself, wipe and rebuild it to the same level of
exploitability (or considerably more so, thanks to lost patches and
duhfault settings), and assume that won't get infected the same way.

If you never bothered to detect the malware, and thus haven't a clue
how it got in, then what are you doing differently with the rebuild
that's going to make any difference?

If you want it clean, wipe it and start over - this time get a NAT
device connected before you start, and don't surf anywhere until you get
all of the Windows Updates and your AV software installed - and Use
FireFox as a browser from now on.


Those steps will help, but it's still worth finding out what it is
that you are dealing with, before you wipe away the information that
could have provided that information.

If you're up against a human adversary, then they gain the upper hand;
when your PC vanishes and comes back clean, they know you found out
there was a problem, and they'll be stealthier next time. Whereas
you've learned nothing, and made it impossible to learn anything,
about what your assailant was up to.

Also - that "data" you restored after wiping and starting over; how
sure are you that it is free of malware that can re-spawn?


-- Risk Management is the clue that asks:

"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
----------------------- ------ ---- --- -- - - - -

  #28  
Old August 19th 05, 02:24 AM
cquirke (MVP Windows shell/user)

On Thu, 18 Aug 2005 13:33:29 GMT, Leythos wrote:

Do you realize that for all of the time you've spent, that you could
back up the files you created on your own and have restored the entire
computer in a known good state by wiping it and reinstalling everything.


Two things:

1) It takes longer, the more you do during the install.

Not all of us are content to live with duhfaults, and it can be quite
difficult to find automated ways of doing things that one knows how to
do on an interactive basis. So that makes it longer to rebuild.

2) It takes longer to troubleshoot a recurrence

If you "just" wipe and re-install everything, and then promptly get
re-infected, then what are you going to do - what I did in the first
place? Or are you going to live "Groundhog Day" forever?

If I have to spend time, and can do so in two different ways, I'll
choose the way that teaches me something, and that makes it less
likely for me to have to fight the same battle all over again ;-)



------------------------ ---- --- -- - - - -

Forget http://cquirke.blogspot.com and check out a
better one at http://topicdrift.blogspot.com instead!
------------------------ ---- --- -- - - - -

  #29  
Old August 19th 05, 02:32 AM
cquirke (MVP Windows shell/user)

On Thu, 18 Aug 2005 15:06:06 -0700, "bryan"

I MAY HAVE FOUND THE PROBLEM. There is a program called Data Execution
Prevention (DEP).


Ah! OK - are you on an AMD processor that supports DEP?

DEP isn't a program as such; it's a capability built into some
processors, starting with AMD and now with Intel playing catch-up. XP
understands DEP, starting with SP2 (pre-SP2 had no DEP awareness).

What DEP does, is to bring back an old concept; that data and
instructions should be kept separate, so that data is never executed
as processor instructions. This kills a common exploit pattern,
where code is contained within malformed data that overruns beyond
where it should be, causing the system to run it as code.

The trouble is, some programs fall foul of this - especially some
antivirus apps that may "sample" material as code to assess it for
potentially malicious behavior.

You can disable SP2's DEP awareness via a parameter entered after the
partition OS loader line in C:\Boot.ini, or add a copy of that line
with the parameter added, so you can choose which mode to start up
with. But do research that syntax carefully; a botched C:\BOOT.INI
can prevent XP from booting at all, and that's bad news on NTFS.



--------------- ----- ---- --- -- - - -

Who is General Failure and
why is he reading my disk?
--------------- ----- ---- --- -- - - -
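cquirke's last paragraph above describes the boot.ini switch that sets XP SP2's DEP policy and the trick of adding a second OS entry so both modes can be chosen at boot. The script below is an added example, not code from the thread, any poster or Microsoft: it parses the `[operating systems]` section of a boot.ini, reports the effective DEP policy per entry (the real switches are `/noexecute=optin|optout|alwayson|alwaysoff` and `/execute`, with OptIn being the SP2 default when no switch is present), flags entries that turn DEP off entirely, and can append a copy of the first entry with a chosen policy. The sample boot.ini is constructed.

```python
"""Audit and extend the DEP policy switch in a Windows XP SP2 boot.ini.

Added example (not from the original thread). Only the text is edited;
writing it back to C:\\boot.ini is deliberately left to the operator.
"""
import re

POLICY_RE = re.compile(r"/noexecute=(optin|optout|alwayson|alwaysoff)\b", re.I)
EXECUTE_RE = re.compile(r"/execute\b", re.I)
# ARC path = "label" switches...
ENTRY_RE = re.compile(r'^(?P<arc>[^=]+)="(?P<label>[^"]*)"(?P<switches>.*)$')
VALID_POLICIES = ("optin", "optout", "alwayson", "alwaysoff")

# Constructed sample: one stock entry and one that switches DEP off.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP (DEP off)" /fastdetect /execute
"""


def parse_entries(boot_ini):
    """Return a list of {'arc', 'label', 'switches'} dicts from [operating systems]."""
    entries = []
    in_os = False
    for raw in boot_ini.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_os = line.lower() == "[operating systems]"
            continue
        if in_os:
            m = ENTRY_RE.match(line)
            if m:
                entries.append(m.groupdict())
    return entries


def dep_policy(switches):
    """Effective DEP policy for one entry's switch string."""
    if EXECUTE_RE.search(switches):      # /execute disables DEP outright
        return "alwaysoff"
    m = POLICY_RE.search(switches)
    if m:
        return m.group(1).lower()
    return "optin"                       # SP2 default with no switch present


def audit(boot_ini):
    """Return [(label, policy, is_weak)]; DEP fully off is flagged as weak."""
    result = []
    for entry in parse_entries(boot_ini):
        policy = dep_policy(entry["switches"])
        result.append((entry["label"], policy, policy == "alwaysoff"))
    return result


def with_dep_entry(boot_ini, policy, label):
    """Append a copy of the first OS entry carrying the requested DEP policy,
    so the boot menu offers both modes (the approach described in the post)."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown DEP policy: {policy}")
    entries = parse_entries(boot_ini)
    if not entries:
        raise ValueError("no [operating systems] entries found")
    base = entries[0]
    # Strip any existing DEP switch from the copied entry, keep the rest.
    switches = EXECUTE_RE.sub("", POLICY_RE.sub("", base["switches"]))
    switches = " ".join(switches.split())
    new_line = f'{base["arc"]}="{label}" /noexecute={policy} {switches}'.rstrip()
    return boot_ini.rstrip("\n") + "\n" + new_line + "\n"


if __name__ == "__main__":
    for label, policy, weak in audit(SAMPLE_BOOT_INI):
        print(f"{label!r}: DEP {policy}{'  <-- DEP disabled' if weak else ''}")
    print(with_dep_entry(SAMPLE_BOOT_INI, "alwayson", "Windows XP (DEP always on)"))
```

Adding an entry rather than editing the existing one keeps a known-good line to fall back on, which is the safeguard the post asks for: a boot.ini that no longer parses leaves XP unbootable, and on NTFS that cannot be repaired from plain DOS.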

  #30  
Old August 19th 05, 05:34 AM
bryan

Good Evening,
Right-on Cquirke regarding your point #2: reinstalling would have
resulted in spinning my wheels since I strongly felt that the problem was on
the computer 'out of the box' - which it was. I followed the help file
instructions in order to disable DEP for IE. Everything is now working -
even Access. Before disabling DEP, I created a 3 line wordpad file consisting
of ABC, testing and 123. DEP even shutdown this file. ONE QUESTION REGARDING
DAVID's AV arsenal: If I need to run this series of AV programs in the future
(I hope not!!!!!), should I re-download the files in order to get the latest
definitions? Thanks again to all of you. Bryan

"cquirke (MVP Windows shell/user)" wrote:

bryan wrote:


I just purchased a new Dell Dimension 9100 (new line for Dell). I loaded
Mcafee VirusScan, Firewall and Privacy Service and then downloaded updates
for Mcafee. I also downloaded all critical Windows Security downloads.


OK

Everything is working fine except when I work with wordpad/notepad/word
or other Microsoft programs. At random, when I open these files


What files, i.e. do you mean particular data files, or those programs?

I receive IE shutdown errors.


Do you mean "IExplore.exe has ... and will be shut down" dialog boxes?
Or BSoD STOP error screens?
Or do you mean Windows shuts down?

I created a new wordpad and notepad file, saved both and re-opened them:
everything seemed fine. Then I ran Windows Explorer and when I tried to
open the wordpad file with explorer, I received IE shutdown errors.


OK, that's always a good test. If starting the program, then going
File, Open and opening the data file that way, is OK - but "opening"
the file in Windows Explorer is not, then you have a file association
problem. Malware is a player in this space, in that patching into
commonly-used file associations is a great way to assert malware
activity without using the more obvious startup axis that is
suppressed in Safe Mode and manageable via MSConfig.

The error report included:
C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\drwtsn32.exe.mdmp
C:\DOCUME~1\HBT\LOCALS~1\Temp\WERed75.dir00\appcompat.txt. The HBT directory
is one that was created when I first turned on my Dell


What's more interesting here is the LOCALS~1\Temp part, i.e. your user
account's Temp directory. That's an odd place to put code that you
ever want to see again, and it's odd to integrate code in such a,
well, temporary location (any number of things can clear Temp, and
thus break the integration). Smells like m-a-l-w-a-r-e to me :-(

The errors do not seem to take place along any specific pattern which
makes this reek of malware. Any advice would be greatly appreciated.


Even "argh that's too difficult" advice?

OK, the "easy" advice is to trust Safe Mode to suppress the malware,
and run your antivirus from there. When that works (which is a lot of
the time) it will be because the malware simply isn't trying that hard
to retain control of your PC.

But we already suspect the malware's smart enough to patch into the
file associations, and thus is likely to be active in Safe Mode too -
potentially including Safe Mode Cmd Only (if you were to "start" a
file that's associated with the malware).

And that's before you consider other integration methods that may be
less buggy, and thus haven't drawn attention to themselves.


http://cquirke.mvps.org/whatmos.htm covers your maintenance OS
options, i.e. how to tackle malware that "owns" your system without
letting it run first. As the malware could be anywhere within the
infected HD and the chain of code that starts from boot, you'd want to
run NO code off that system at all, when scanning it.

Since I wrote that article, Bart PE has come to the foreground as THE
premier maintenance OS for XP.

MS offers zero for you in this regard, and their own WinPE is so
tightly licensed that hardly anyone uses it (or dares admit doing so -
which stifles public collaboration, development, forum support etc.)

Linux isn't safe to write to NTFS, plus it's hard work to learn
another large and complex OS just so that you can maintain some other
OS that can't wipe its own butt.

DOS mode is still useful, but only if you avoid NTFS and your HD stays
on the happy side of the 137G barrier.


The other option is to drop your HD into a clean PC and scan it from
there - that gives you full access to everything that runs in XP.

Trouble is, it's not enough to simply not boot infected code - you
also have to avoid running infected code as a side-effect of handling
"safe" material that is malformed to exploit itself into raw code
action. XP's not very smart on this, to put it mildly, and unlike a
Bart PE CDR, the host system is not read-only, and thus could be
infected by the drive you are trying to scan.

Links:

http://www.nu2.nu/pebuilder/

Forum support:

http://www.911cd.net/forums//index.p...showforum=30

I ran McAfee virusscan and no problems were found.


shrug It's neck-deep in the infected OS. If it found a problem,
whether it fixed it or not, or if it died trying, that would tell you
something. If it says it can't find anything, that tells you less.

also installed and ran Spybot S&D and Adaware, but no problems were found.


You're still working within the infected OS, that's what undermines
any certainty there.

In addition to chasing malware, I'd:
- check the hardware (RAM, HD); DoA components happen
- check AutoChk/ChkDsk logs to see what was "fixed" (=corrupted)
- check av logs to see what was "cleaned" (may be corrupted too)
- review installations, looking for "DLL Hell" effects

But that code integration pointing to Temp really does focus the mind
on malware, and that looks the most likely factor.



-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -


 



