My God this Virus is a Demon.

Besides a hard drive and possibly RAM, where else can a virus be stored on a computer?? Somewhere on the motherboard perhaps?

I’ve completely reformatted and reinstalled Windows XP, and the virus is still there. I repeated the same process but removed then replaced the RAM chip before reinstalling. It is my understanding that RAM cannot store information without power, so removing it would whipe it clean…

This did not work either. Then I completely disassembled this stupid laptop (Holy Crap, could they have used any more screws??!!!)
I was hoping to find a CMOS battery or something that I could take out to whipe out any stored information on the motherboard. I’m probably way out of my element here. But I didn’t find any battery on the motherboard. I took it apart into as many pieces as I could. Then I put everything back together.
The virus is still here. But I can’t find it. All I can find are its effects. It creates files like “directs.exe” which I’ve learned is a known worm file.
I had my suspicions before with odd file creations like “bling”, “pwned”, “explerer”, “iexpIerer” etc.

Right now, out of nowhere, the following files have appeared:

In the C:\ directory:

xsttgg - an application with an IE icon
HideRun - an application with an unrecognized (to me) icon
iexplerer, iexpIerer, wexpIerer, - all with unrecognized icons
re11, re12 - both with registry icons
swed, swin, swef, - MS-DOS batch files
megshg, mghsese - applications with IE icons

Anything I delete from the various RUN, RUNONCE, RUN SERVICES, RU1N (sic), registry keys will return upon restart. Same as anything I disable in msconfig.
Further, msconfig and regedit appear to be disabled or blocked somehow, because they will normally not open. If I delete enough stuff, I will be able to run msconfig or regedit temporarily. I’ll delete stuff and then it will all be back at restart and I will lose the ability to run regedit or msconfig.
Keep in mind this is on a fresh installation of Windows XP. After about three days of fighting this thing, I will be unable to do anything on this computer because it will be so slow and bogged down and the internet will no longer function. So I will have to reformat and reinstall everything again.

Any idea what I have or how to fix it?

Is this even possible? Or am I losing my mind???

Where did your WinXP disk come from? Did it come with the computer?

Good question. And in fact, I started to consider the CD after I posted. This particular CD is borrowed from a friend. Yes it is a burned copy, but I AM using my own WinXP Key Code. The one attached to the bottom of this laptop (So I am not pirating)
Though it is a borrowed CD, and it could possibly be infected itself, it would have to have the exact same infection this laptop originally started with before I whiped it out to start with.
That sentence doesn’t make much sense. Basically, the laptop had a problem so I reinstalled Windows XP. I’ve lost the disk that came with her, so I borrowed a burned copy. After reinstalling, all the original problems are still present. So if the problem is now being caused by the CD, it would mean the CD has the exact same virus that my laptop had originally. Not impossible, but currently not likely. Especially since my friend has not noticed any issues.

On an aside, he isn’t running WIN XP, he is running 2000. So he might just have a virus infected copy of XP, and not know because he’s never run it. . . But again, it would have to have the same thing I had earlier.
If there are no other thoughts or possibilities, I will go ahead and install WIN2000 on this thing and see if those files magically appear there too.

There is flash memory on the motherboard for the BIOS where an insidious virus might hide. Depending upon the virus, you might be able to reflash the memory. Otherwise, you’ll have to replace the memory or replace the motherboard.

If you still had it after all that - - are you constantly connected to the 'Net via a network or similar?? If so, disconnect when you do the following.

Something you could try - which I found out a few days ago ridding a computer of some annoying spyware - -

disable System Recovery before removing all the files etc…

to do this, right click on the My Computer icon, and go to System Recovery - - you can disable it there…

reboot in safe mode and then remove all the files…

after that run any virus removal, Spyware removal software you may have…

then reboot - and re-enable System recovery - in the same way you disabled it…

As long as you are not connected to any external source - and have definitely removed everything - there is no logical way that the virus can re-infect…

hope this helps…


Tales from the cryptic

Sounds like it might be a boot sector virus or similar; an ordinary wipe and reinstall might not do it - depending on the drive type and file system, the solution varies a bit and whenever you tinker with the drive at such a low level, you run the risk of rendering it inoperable.

Has this actually happened before?

Time to exorcise your warranty! :rolleyes:

http://www.google.com/search?sourceid=navclient&ie=UTF-8&q=bios+virus

It is likely that this was a file intentionally installed by my sister’s malicious roommate and not something downloaded by mistake. So ANYWHERE a virus could hide should be considered.

Punoqllads, how does one go about reflashing memory?

cryptic_j, I don’t know why I didn’t think about going into Safe Mode. At the very least it will allow me to access regedit and msconfig. Even if the changes aren’t permanent, it allows me to get it working for at least a little while.
The main problem is that I can only erase the changes this file is making. I don’t know where the changes are coming from.

In the software/microsoft/windows/current version of HKEY Current Users, HKEY Local Machine, and HKEY_User/Default, I had a RU1N file containing “directs.exe”
And I had RUN, RUN Once, Run Services, Run Services Once, all containing the following crap:

yosxbbynigsve
iexplore
netstun
syshelper
swef.bat
sdin
njerhe
localsrv

I was able to delete one or two of them from the System32 file. But I couldn’t even find the rest of them, even with file search. (Not counting iexplore)
The only place I could find anything close was in the Prefetch folder. What the hell is Prefetch for??

Also, peculiar is the fact that I can’t seem to get some things to disappear from msconfig. They are unchecked and disabled, but I can’t get rid of them. In WIN98, I was always able to get rid of every listing under startup files.
I can’t get rid of:
hkcmd - even though I disabled this under display options
igfxtray - not sure what it is
msmsgs
swef
swin
stacmon
localsrv

Won’t be long before I start seeing “bling” and “pwned” again…
Right now as I try to open regedit and msconfig, I realize nothing is fixed because they won’t open.

Is sending this thing off to Dell my only option?
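As an added example (not code from anyone in this thread), here is a Python script that triages a regedit export of the startup keys for the patterns described in the posts above: a value sitting under a key Windows never reads (the RU1N key), batch files at startup, programs that run from the root of C:\, and names that imitate iexplore or explorer with a capital I standing in for a lowercase l. The export text and its entries are constructed for the example.

```python
import ntpath
import re
# Constructed regedit export of the autostart keys named in the thread;
# the entries are invented but reuse the file names the poster saw.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"swef"="C:\\swef.bat"
"iexpIerer"="C:\\iexpIerer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RU1N]
"directs"="C:\\WINDOWS\\system32\\directs.exe"
"""
KNOWN_RUN_KEYS = {"run", "runonce", "runservices", "runservicesonce"}
LEGIT_NAMES = {"iexplore", "explorer", "svchost", "lsass"}  # commonly imitated

def edit_distance(a, b):  # plain Levenshtein distance
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name):
    # capital I and the digit 1 are the usual stand-ins for a lowercase l
    norm = name.replace("I", "l").replace("1", "l").lower()
    return any(0 < edit_distance(norm, legit) <= 2 for legit in LEGIT_NAMES)

def triage(reg_text):
    # returns (subkey, value name, path, reasons) for each suspicious entry
    findings, subkey = [], ""
    for line in reg_text.splitlines():
        if line.startswith("["):
            subkey = line.strip("[]").rsplit("\\", 1)[-1]
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        name, path = m.group(1), m.group(2).replace("\\\\", "\\")
        reasons = []
        if subkey.lower() not in KNOWN_RUN_KEYS:
            reasons.append("not a real autostart key")  # e.g. RU1N
        if path.lower().endswith((".bat", ".cmd")):
            reasons.append("batch file at startup")
        if ntpath.dirname(path).rstrip("\\").endswith(":"):
            reasons.append("runs from the drive root")
        if lookalike(ntpath.splitext(ntpath.basename(path))[0]):
            reasons.append("name imitates a Windows binary")
        if reasons:
            findings.append((subkey, name, path, reasons))
    return findings
```

On a real machine, export each Run key from regedit in Safe Mode and feed the file to `triage`; entries with no reasons (igfxtray in the sample) are left alone.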

You’ve not said, unless I’ve missed it, whether you’ve attempted a virus scan?
If you’re able to go online, run Housecall

If that’s not an option, download and run Stinger

It’s somewhere to start.

Now that I think about it, putting it in the boot sector is probably much more likely than hiding it in the BIOS. A BIOS virus would have to be motherboard-specific.

Scrub the drive and install Linux, that’ll teach it.

The best way to get to the root of the problem is to download and install hijackthis. Run it, do a scan, then save the log. Then post the log here. I (or several others) can analyze the log and get right to the root of the problem.

It is very unlikely that you have a virus hiding in the notebook’s BIOS flash memory. The only thing that is normally going to survive a re-format is a boot sector virus (per Mangetout’s note), or if your notebook drive has a hidden partition containing setup files and drivers, it might be hiding there. You need to blow out your partitions, then re-partition, then format. If the virus survives that you need to call the Center for Disease Control in Atlanta or check the XP install disk (and/or driver disks) you are using.

You can use a Win98 or WinME boot floppy image from here www.bootdisk.com to make a bootable floppy that can delete partitions, re-partition and then format the drive. Make sure the floppy you use to do this has the little write lock tab on the side of the floppy disk engaged, so the virus cannot write to it. When you re-install XP it will offer the option to do a NTFS format at that time. Choose yes to that option.

BTW just a heads up, some people think re-installing windows on top of a corrupted install “re-formats” the disk. It does not. It just replaces files. A true “format” is typically where you boot with a floppy (or a CD in some cases) and all data is scrubbed from the disk prior to the install of the OS. When you say you have done a “format” of the disk what specifically did you do?

After repartitioning I would advocate running fdisk /mbr, then fdisking the drive to clear the master boot sector.
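Added example, not from any poster in this thread: a Python parser for the 512-byte master boot record, so the first sector copied off the drive (for instance with `dd` from a rescue disk, an assumption not mentioned above) can be checked before and after an fdisk /mbr or a zero fill. It separates the 446 bytes of boot code from the partition table and the 55 AA signature, hashes the code so a later copy can be compared with a known-good baseline, and reports a sector as zero-filled when nothing survives. The MBR bytes and the partition layout are constructed.

```python
import hashlib
import struct

ENTRY_OFFSET, ENTRY_LEN, BOOT_CODE_LEN = 446, 16, 446
PTYPE = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}

def parse_mbr(sector):
    """Split one 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    code = sector[:BOOT_CODE_LEN]
    parts = []
    for i in range(4):
        off = ENTRY_OFFSET + i * ENTRY_LEN
        # status byte, 3 CHS bytes, type byte, 3 CHS bytes, LBA start, sector count
        flag, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:  # type 0 marks an unused slot
            parts.append({"slot": i, "bootable": flag == 0x80,
                          "type": PTYPE.get(ptype, f"0x{ptype:02x}"),
                          "start_lba": start, "sectors": count})
    return {"signature_ok": sector[510:] == b"\x55\xaa",
            "code_is_zero": not any(code),
            "code_sha256": hashlib.sha256(code).hexdigest(),
            "partitions": parts}

def boot_code_changed(baseline, current):
    """True when the executable part of the MBR differs from the baseline copy."""
    return parse_mbr(baseline)["code_sha256"] != parse_mbr(current)["code_sha256"]

def make_mbr(code, partitions):
    """Constructed test helper: assemble an MBR from code bytes and entries."""
    sector = bytearray(512)
    sector[:len(code)] = code
    for i, (bootable, ptype, start, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, ENTRY_OFFSET + i * ENTRY_LEN,
                         0x80 if bootable else 0, ptype, start, count)
    sector[510:] = b"\x55\xaa"
    return bytes(sector)

# Constructed sample: one bootable NTFS partition starting at LBA 63 (XP's usual layout)
XP_LAYOUT = [(True, 0x07, 63, 78140097)]
BASELINE = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", XP_LAYOUT)  # constructed code bytes
ALTERED = make_mbr(b"\xeb\x3c\x90" + b"\x00" * 10, XP_LAYOUT)   # same table, new code
ZERO_FILLED = bytes(512)  # what the whole first sector looks like after a real zero fill

if __name__ == "__main__":
    print(parse_mbr(BASELINE))
    print("boot code changed:", boot_code_changed(BASELINE, ALTERED))
```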

If you fully format and delete all the partitions, using MS utilities you may still leave a boot virus on your computer.

To fully “clean” your hard drive of any information you will need to write zeroes (0’s) to your disk. This is called a “low level format”. If you visit your drive manufacturer’s website they should have a utility to do this for you. If they don’t you can search google for “disk wipe utility” or “low level format”. You’ll need to download this program to floppy and then boot to it.

Some of these utilities only write zeroes to the first 128 sectors on the drive. I would suggest getting a program that writes zeroes (or random data) to the entire drive. This helps to diagnose problems with sectors on the drive. Most of these programs will first scan the drive for problems and attempt to repair any damaged sectors prior to writing zeroes. It’s a fantastic way to revive/diagnose damaged drives. It’s also a great way to “clean” data from drives. Some of these utilities will write random characters 25 times or more to your drive. Even CSI Miami wouldn’t be able to get any info from it.

I’ve had a few uglies loaded on my system and my usual remedy is to break out a fdisk floppy and remove all partitions. Then recreate the partition, do a format and re-install the OS from a known-good source. I usually use Win2K. Be damn sure the fdisk floppy is write-protected BEFORE you put it into the drive.
I think I’d try this before I started tearing the poor thing to bits.

Regards

Testy

Ummm…no.

Writing “zeros to your disk” is not a “low level format” of an IDE drive. A low level format is something specialized hardware at the factory does that actually defines the physical tracks for servo, sector layout, and defect management areas of the disk platter. So named “low level format” utilities are simply normal partition/format/data overwrite utilities.

Many drive manufs (deliberately it seems) use the term in a sloppy way as a pacifier to let users think they are really getting into the nitty gritty of the drive. They are actually simply partitioning, formatting (high level), “zero fill” utilities. You are not alone in the confusion on this term BTW, there are many anti-virus and PC hardware articles on the web that use the term incorrectly.

Even Seagate acknowledges they are kinda-sorta playing word games and after putting “low level format” in quotes start calling it a “Zero Fill” process.

From Seagate How Do I Low Level Format an ATA (IDE) Hard Drive

From Microsoft- see

Detailed Explanation of FAT Boot Sector

See also Low Level Format

There’s no “h” in wipe.