My God this Virus is a Demon.

Sorry for the confusion. I used the term “low level format” interchangeably with “writing zeroes”. My bad. I guess I’ve gotten into the habit of using both to describe the same thing. :dubious:

Again, if you fully format and delete all the partitions using MS utilities, you may still leave a boot virus on your computer. You must WRITE ZEROES to the drive to fully erase 100% of the data on your drive.

Here are some free tools from Sysinternals that will give you more power over your computer in your time of need. From experience, using these tools you can track down and eliminate pretty much any nasty bug. And if you happen upon a virus that wants to shutdown your computer, just do start > run > shutdown -a.

- "This utility captures all hard disk activity or acts like a software disk activity light in your system tray."
- "This monitoring tool lets you see all file system activity in real-time. It works on all versions of WinNT/2K/XP, Windows 9x/Me, Windows XP 64-bit Edition, and Linux."
- "Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process." (souped up Task Manager that will end a task when you tell it to)
- "This monitoring tool lets you see all Registry activity in real-time. It works on all versions of WinNT/2K, Windows 9x/Me and Windows 64-bit."
- "See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings." (with this you can get rid of those entries listed in msconfig)
- And many, many more

For some control over and visualization of the boot process you can try bootvis.exe developed by Microsoft “for System Manufacturers.” They don’t offer it for download, but you can get it here.

Thanks for all the information guys. The virus is getting bigger and smarter. I couldn’t even use Safe Mode to open regedit anymore. A program, winupd.exe would magically appear and close msconfig or regedit.

Daizy thank you for that Stinger link. I could not get HouseCall to completely download so I used Stinger. Here is my log from the first time I ran it.
Number of clean files: 14417

Number of infected files: 69

Number of files repaired: 399

Number of files deleted: 68

I was going to post the whole log, but it made my post 76,000 characters and we have to keep it under 20,000. I’ll post a part of it next.
I had to run it like a dozen more times and then even manually delete some things. But guess what, new stuff automatically appears out of nowhere. I could run that program and everything will be clean. And then, five minutes later, there will be viruses again. It’s so weird!!!

RealityChuck I can’t get HijackThis to even start downloading. I wonder if this is because of the supersmart virus or just because their website is down or something.

astro, no I completely reformatted. I booted from the WinXP CD, deleted the current partition. Then recreated one using NTFS file system, and then formatted the drive. Not the quick format either.
One strange thing though, is I was left with 8 MB of unformatted/unpartitioned disk space. Is this normal for XP or NTFS or something? Or is this the root of the problem?

MyGlaren and absoul, I will sit down and try those things soon when I have time. Thanks for the info.
alterego, thanks for those links. I installed the Process Explorer. I had that on my other computer but I couldn’t figure out where I downloaded it. It’s a great program. But for now, it only lets me Kill the programs as they try to run. But they keep coming. It’s like the Mole game at the carnival.
It is, however, allowing me to use this computer in the meantime. I have to keep Killing things with Process Explorer, but at least the problem is manageable.

One strange thing, though. Some files do not show up in Process Explorer but they do show up on Task Manager. mscommx and winapa are two that come to mind.

I will keep you all updated.

Scan initiated on Sat Sep 25 18:58:39 2004

C:\WINDOWS\System32\vdvpym.exe

 Found the W32/Sdbot.worm.gen.j virus !!!

C:\WINDOWS\System32\vdvpym.exe has been deleted.

C:\WINDOWS\System32\winupd.exe

 Found the W32/Bagle.n@MM virus !!!

C:\WINDOWS\System32\winupd.exe has been deleted.

C:\WINDOWS\System32\svchosting.exe

 Found the W32/Sdbot.worm.gen.t virus !!!

C:\WINDOWS\System32\svchosting.exe has been deleted.

C:\Dell\Drivers\R50830\Setup.exe

 Found the W32/Bagle.q virus !!!

C:\Dell\Drivers\R50830\Setup.exe has been repaired.

C:\Dell\Drivers\R56939\Graphics\Setup.exe

 Found the W32/Bagle.q virus !!!

C:\Dell\Drivers\R56939\Graphics\Setup.exe has been repaired.

C:\Dell\Drivers\R56939\Graphics\Win2000\hkcmd.exe

 Found the W32/Bagle.q virus !!!

C:\Dell\Drivers\R56939\Graphics\Win2000\hkcmd.exe has been repaired.

C:\Dell\Drivers\R56939\Graphics\Win2000\igfxcfg.exe

 Found the W32/Bagle.q virus !!!

C:\Dell\Drivers\R56939\Graphics\Win2000\igfxcfg.exe has been repaired.

C:\Dell\Drivers\R56939\Graphics\Win2000\igfxdiag.exe

 Found the W32/Bagle.q virus !!!

C:\Dell\Drivers\R56939\Graphics\Win2000\igfxdiag.exe has been repaired.

C:\Dell\Drivers\R56939\Graphics\Win2000\igfxext.exe

 Found the W32/Bagle.q virus !!!

C:\Dell\Drivers\R56939\Graphics\Win2000\igfxext.exe has been repaired.

C:\Dell\Drivers\R56939\Graphics\Win2000\igfxtray.exe

 Found the W32/Bagle.q virus !!!

C:\Dell\Drivers\R56939\Graphics\Win2000\igfxtray.exe has been repaired.

C:\Documents and Settings\Administrator\Local Settings\Temp\mun3.exe

 Found the W32/Bagle.q virus !!!

C:\Documents and Settings\Administrator\Local Settings\Temp\mun3.exe has been repaired.

C:\Program Files\AIM\aimauto.exe

 Found the W32/Bagle.q virus !!!

C:\Program Files\AIM\aimauto.exe has been repaired.

C:\Program Files\AIM\Patcher.exe

 Found the W32/Bagle.q virus !!!

C:\Program Files\AIM\Patcher.exe has been repaired.

C:\Program Files\AIM\SendFile.exe

 Found the W32/Bagle.q virus !!!

C:\Program Files\AIM\SendFile.exe has been repaired.

C:\Program Files\AIM\ShareFile.exe

 Found the W32/Bagle.q virus !!!

C:\Program Files\AIM\ShareFile.exe has been repaired.

C:\Program Files\AIM\Sysfiles\AIMBarInstall.exe

 Found the W32/Bagle.q virus !!!

C:\Program Files\AIM\Sysfiles\AIMBarInstall.exe has been repaired.

C:\Program Files\AIM\Sysfiles\AIMWDInstall.exe

 Found the W32/Bagle.q virus !!!

C:\Program Files\AIM\Sysfiles\AIMWDInstall.exe has been repaired.

C:\Program Files\AIM\Sysfiles\AIMWDUninstall.exe

 Found the W32/Bagle.q virus !!!

C:\Program Files\AIM\Sysfiles\AIMWDUninstall.exe has been repaired.

C:\Program Files\AIM\Sysfiles\AolOnDesktop.exe

 Found the W32/Bagle.q virus !!!

C:\Program Files\AIM\Sysfiles\AolOnDesktop.exe has been repaired.

C:\Program Files\AOD\AolAod.exe

 Found the W32/Bagle.q virus !!!

C:\Program Files\AOD\AolAod.exe has been repaired.

C:\Program Files\Common Files\Microsoft Shared\ACDSee 9.exe

 Found the W32/Bagle.t@MM virus !!!

C:\Program Files\Common Files\Microsoft Shared\ACDSee 9.exe has been deleted.

C:\Program Files\Common Files\Microsoft Shared\Adobe Photoshop 9 full.exe

 Found the W32/Bagle.t@MM virus !!!

…And it goes on like that forever. It also finds some trojans and some worms.
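Added example, not part of any post in this thread: a short Python parser for scan-log entries in the three-line shape shown in the excerpt above (path, "Found the ..." line, action line). It tallies detections by outcome and lists paths that were deleted in one scan but detected again in a later one, which is the reappearance described above; the second scan's lines are constructed for illustration, and the function names are this example's own.

```python
import re
from collections import Counter

FOUND = re.compile(r"Found the (\S+) \w+ !!!")
ACTION = re.compile(r"(?P<path>.+) has been (?P<action>deleted|repaired)\.$")
DRIVE = re.compile(r"[A-Za-z]:\\")

def parse_scan_log(text):
    """Return one record per scanned path: path, detection name, action taken."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := FOUND.match(line)) and current:
            current["detection"] = m.group(1)
        elif m := ACTION.match(line):
            if current and m.group("path") == current["path"]:
                current["action"] = m.group("action")
        elif DRIVE.match(line):
            current = {"path": line, "detection": None, "action": None}
            records.append(current)
    return records

def summarize(records):
    """Count detections per (name, action); action None means no outcome was logged."""
    return Counter((r["detection"], r["action"]) for r in records if r["detection"])

def reappeared(first, second):
    """Paths deleted in the first scan that are detected again in the second."""
    gone = {r["path"].lower() for r in first if r["action"] == "deleted"}
    return sorted(r["path"] for r in second
                  if r["detection"] and r["path"].lower() in gone)

# First scan: lines copied from the log excerpt in the thread.
SCAN_1 = r"""
C:\WINDOWS\System32\winupd.exe
 Found the W32/Bagle.n@MM virus !!!
C:\WINDOWS\System32\winupd.exe has been deleted.
C:\Program Files\AIM\Patcher.exe
 Found the W32/Bagle.q virus !!!
C:\Program Files\AIM\Patcher.exe has been repaired.
C:\Program Files\Common Files\Microsoft Shared\Adobe Photoshop 9 full.exe
 Found the W32/Bagle.t@MM virus !!!
"""
# Second scan: constructed for this example, not taken from the thread.
SCAN_2 = r"""
C:\WINDOWS\System32\winupd.exe
 Found the W32/Bagle.n@MM virus !!!
C:\WINDOWS\System32\winupd.exe has been deleted.
"""

if __name__ == "__main__":
    first, second = parse_scan_log(SCAN_1), parse_scan_log(SCAN_2)
    print(summarize(first))
    print(reappeared(first, second))
```

A path that shows up in `reappeared` was removed and then written again, so something still running or still reachable over the network is recreating it; entries with no action logged need a manual check.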

You are doing a clean install of XP right? You will need to completely update your computer, ideally, before you even connect to the Internet. There are so many vulnerabilities in XP. I believe the latest statistic is that an unpatched computer connected to the Internet has only a 20 minute time-to-live before it catches a virus. That is how fast the viruses that are already in the wild are randomly cycling through every single IP address.

If you can stay connected long enough, download service pack 2 and save it to a separate CD. Unconnect your computer, go through your complete wipe / reinstall of XP and before you connect to the Internet again install service pack 2. Then open up the built in windows firewall that comes with SP2 and don’t allow anything except port 80, and go into Internet Explorer > Tools > Internet Options and set THE ONLY site you trust to be www.windowsupdate.com. You get the idea? You might also want to put on that CD some of the free spyware/virus scanner programs you are utilizing and run them before you connect to the Internet.

From my experience and from what you have described it seems that either a) the virus is on your CD or b) you are probably getting this virus as soon as you become connected to the Internet.

Alternatively, depending on how much your time is worth to you, you could call microsoft and explain the situation to them. So long as you have your serial number on your laptop they may be willing to work with you to get you a new CD, but I don’t have experience with that.

FWIW if I had to bet, I’d say it’s damned unlikely you have a boot sector virus. They were a big deal several years ago, but are relatively rare on modern PCs, and even if present are not generating backdoor network viruses like the one you are infected with (Bagle.q virus).

I’d be willing to wager that

1: Some disk you are using in the OS install process is infected (driver floppy, CD whatever)

2: If you are on network (even a small home network) some other PC is dumping the virus to your PC

3: You are saving your emails and one of them is infected with the virus

4: One of your friends is infected and when you open an email they send, you get re-infected all over again. It’s happening so quickly it seems as if the virus is resident on your system.

My main bet would be #4 in some form or fashion

Here is a link for a Bagle cleaner

Aha! A key bit of information. This is probably one of the spybot viruses that shut down any virus scanning software, including hijackthis. I’ve written up some instructions on it here.

You need to kill the process. A list of variants is on the web page. Press Ctrl-Alt-Delete and see if you have any of them.

If Ctrl-Alt-Delete closes, download taskkill from the same page. That will let you kill the task.

There’s also Jay Loden’s AIMfix cleaning tool. I haven’t tested it myself, but it may be the solution.

In any case, once you’ve killed the process, you’re home free; a scan will now be able to clean the virus. Or you could run hijackthis and get instruction. Or you can manually delete the file that was running.

I recently fixed a Dell computer for a family member. Using the WinXP CD, deleting the partition, etc. did NOT completely reformat the drive. All files specific to windows were replaced, however, the other files I had were untouched. What I did was call Dell, and told them I wanted to completely wipe everything off, and start fresh because it was filled with viruses. The lady on the other end said she’d walk me through the steps to a “zero zero zero” state… she had me boot with the Dell Resource CD, and then I typed in commands she gave me, read back to her a list of numbers, etc., then given a new command to enter. I think that this is the only way to really re-format a Dell computer, as no other methods I tried work. I really recommend calling them, and make sure you activate the windows firewall (and any virus scanner) before you reconnect to the internet.

Thanks for the info everyone. I think this is most likely what alterego is describing. It makes the most sense from what I’ve experienced with this.

Would I have this problem if I installed a fresh copy of Win2000 instead of XP?

Oh, and I would also scan that XP CD you are using for viruses. But first, I’d try to find another Dell user who owns a legal copy of the software.

a slight hijack:

this bit of code and text :

<td class=“alt1Active” id=“t277559” title="Besides a hard drive and possibly RAM, where else can a virus be stored on a computer?? Somewhere on the motherboard perhaps? I’ve completely reformatted and reinstalled Windows XP, and the virus is still there. I repeated the same process but removed

was displayed on my browser page in the (normally) white space under the message board navigation links. Gave me a “Twilight Zone moment”

If you hear hoofbeats, think horses, not zebras. Everybody seems awful eager to jump on some bit of misheard lore from years back about a mythical virus that could not be cleansed. I very much doubt what most of you are proposing is even possible let alone likely. Most likely, the OP is doing something boneheaded without realising it and letting the virus into the system. Or maybe he left it awhile and a family member has gone and downloaded their favourite bonzai buddy type app which happens to be infected.

Did you read the entire thread before posting?

alterego is the winner. I visited Windows Update, but it never worked. Problem was, I was getting there too late. The viruses would infect and then prevent me from updating. But I did not realize the update was actually necessary to defend against the viruses. . .
So I downloaded the Pack. Unplugged the cable modem. Cleaned all the viruses. Installed the Service Pack, and then reconnected. Everything works great. No magically appearing viruses created from “thin air” or some file stored in crazy areas of my hard drive or motherboard. I didn’t even have to reinstall Windows.

I can’t believe I had this computer COMPLETELY disassembled. And I still have no idea why there are screws left over.

I have never XPerienced this sort of thing before. I had no idea that XP was so damn vulnerable. It actually still makes little sense to me. What were people doing before the Service Packs were made? Why is XP more vulnerable than previous Windows? I understand it has something to do with ease of use or network integration or some crap. But to just make the OS that vulnerable to the point where a firewall is necessary to defend against free-range viruses. I don’t get it. What were they thinking.

I’ve used WIN98 and 2000 a ton. I’ve never had a virus problem like that. I didn’t have a firewall and, though I had McAfee installed, I never ran it. I was pretty aware of the threat of viruses and worms. I don’t use Outlook or Outlook Express and I don’t download suspect email attachments. That’s pretty much worked as adequate virus protection for years.
But now I need some service pack and a firewall simply because an OS is so advanced it is dangerous? It seems to me, with a problem like that, programmers would have accounted for those issues and fixed the problem before release of XP - no Service Pack necessary.

:sigh: I don’t get it.

Thanks for all of your help everyone.

If I wasn’t founder of the IIDU, I might be embarrassed by this thread.

It probably sounds boneheaded to everyone else. But I was unaware that successfully installing an OS and then simply plugging a network cable into it was so harmful. I hadn’t even opened a browser before the viruses started manifesting. I was sure it was an issue with the computer.

It is definitely counter-intuitive so I wouldn’t feel bad. It also brings up some ethical issues that Microsoft really needs to face. I don’t see how they can charge hundreds of dollars for software that takes advantage of their users. I am rather computer savvy yet I had this same thing happen to me in Italy. There just happened to be a computer out there scanning my block on the IP range. When you’re on dialup, this is a nasty issue :wink:

Posting in mutual sympathy, glad you got your computer fixed. I have recently fought some serious virus/spyware battles like you describe. My notebook at home took me a full weekend non-stop, one nasty thing this particular virus did was to kill the WinXP file-search function, so it is impossible to do a file search of your hard disk, evil bugger. The virus is finally dead, but I still can’t search files, I’ll have to do a ground-up reinstall to fix, which will take another weekend.

Some virus-fighting tips for folks…

In addition to other software mentioned, TaskMan.exe is very useful at identifying lurking processes.

One way I’ve found to neuter viruses that always seem to reinstall themselves is to find the virus file, then right-click properties, and deny it executable privileges to all users. The virus is there which fools it from being reinstalled, but it can never execute itself to actually run.

Lastly, I finally got fed up with WinXP and have switched to Linux at home, I highly recommend trying it out for a spin, you can add a second partition for Linux on your PC to install itself and dual-boot, so you don’t risk losing your Windows install if something doesn’t work right. The only thing I’m missing is some game compatibility, but most of the major mainstream games are able to run.

Hey GargoyleWB ?

Try seeing if this fixes it:
Log on as an Administrator
Click Start
Select Run
Enter in the command - %systemroot%\inf
Right-click the Srchasst.inf file
Click Install

Might be worth a try?

You might be able to fix the problem by booting from the XP CD and using the “Install>Repair” option vs the “Repair” option.

Method illustrated below saved my ass a few weeks ago -

How to Perform a Windows XP Repair Install