Solved

can a virus survive a reformat??

Posted on 2004-10-10
Last Modified: 2013-12-04
Hi there,

I'm completely stumped. My girlfriend has picked up the slotch bar IVC adware nasty and last week I tried everything to get rid of it. Symptoms:
1. regedit would not open
2. msconfig would not open
3. the shift/control/delete program manager only flashes up for a millisecond and then disappears
4. Internet is sending and receiving thousands of megabytes for no reason (without even turning Internet Explorer on)

So - I reformatted the hard drive (format c: not fdisk).
After reloading windows XP and reconnecting to the internet the same problems reappeared without even connecting to an internet site. Megabytes being transferred in and out without reason.
It seems as though someone (or something) has control of the computer. We cannot connect to websites without very long delays - obviously because the bandwidth is being used for some other purpose - and any other program takes an age to load.
The system is relatively new:
Windows XP
Pentium 4 - 1,7Mhz

Any ideas???
Question by:graeme57
 
Expert Comment by SheharyaarSaahil (LVL 65):
Hello graeme57 =)

Have a look at this site !!

Task Manager, MSCONFIG, or REGEDIT disappears while opening:
http://www.mvps.org/sramesh2k/ToolsQuit.htm
( site credit goes to Ramesh >> http://www.experts-exchange.com/M_926622.html :)

can u see those symptoms on ur machine ??
 
Expert Comment by Debsyl99 (LVL 20):
Hi

I don't think it's likely a virus will survive a reformat. I had this problem not long ago when reformatting a PC and then installing XP, after a hard drive that wasn't infected died completely. Is the XP install disk XP only, without SP1, by any chance? On internet connection the PC was immediately infected by some virus or nasty that ate up the internet connection bandwidth, which I believe was taking advantage of a massive Microsoft security vulnerability. Either way, dealing with this can be a pain.

You have a few choices, but either way your best bet is to get the OS, SP1, the relevant Windows Update patches and a decent AV program on it ASAP with minimal internet connection. You can go for XP SP2 if you're brave enough, but I wouldn't recommend it just yet due to the problems still around with it. Some PCs are fine, others have problems with it related to hardware and/or software.

Assuming that you haven't too much data on this pc as yet as you've just re-installed it, I'd suggest:

Reformat and re-install the OS, then, without an internet connection, also install XP SP1. You may have a separate disk with it on, supplied with the PC's original installation disks; otherwise get it from the link below. You can either burn it to CD from another system, or load it onto a USB flash drive:
Windows XP Service Pack 1a Network Installation
http://www.microsoft.com/windowsxp/downloads/updates/sp1/network.mspx
Then, immediately after installing SP1, go to Windows Update and get the rest of the patches from Microsoft via the custom install option of Windows Update if you don't want SP2. Next get yourself decent AV software. This one is pretty good and picks up trojans (spyware/malware) very well too (Symantec/Norton isn't doing too well at this right now). Fully functional 30-day eval copy here, but make sure that you update it immediately:
PC-cillin Internet Security
http://www.trendmicro.com/download/product.asp?productid=32&show=pcprod
If you can do these you shouldn't have further problems, but post back what your situation is.

Deb :))
 
Expert Comment by Hypoviax (LVL 5):
Your system may have had a trojan. Formatting would have removed this; however, the recurrence of the problem may be due to a number of reasons:

-A hacker has your IP address and exploits a vulnerability in your system and plants a trojan which closes the applications (or their windows) and allows him/her to add, move, delete files (the use of the bandwidth)
-The software that you use (Windows OS, Office, games etc.) may have a virus or trojan in it, causing the recurrence of the problem when you reinstall Windows.
-Windows had a number of flaws in it that allow hackers to remotely access and compromise your machine. If it has not been updated (which it would not have been after a reinstall) then this could most definitely be a cause (this is how the Blaster worms worked)

Solving the problem:

1/ Install antivirus software if you haven't already (free one at www.grisoft.com)
2/ Install a good firewall (can block the connection of a trojan or the like) - Zone Alarm: www.zonelabs.com
3/ install anti-adware/spyware software : www.safer-networking.org & www.lavasoftusa.com

Hope this both explains and solves your problem

Regards,

Hypoviax
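The two mechanisms described in the replies above, an unpatched install that is reachable the moment it goes online (Debsyl99) and traffic flowing with no browser open (Hypoviax's trojan/relay scenario), can both be triaged from the machine's own `netstat -ano` listing. The script below is an added example and not code from any poster in this thread: it parses a constructed netstat listing modelled on a fresh, unpatched XP box, lists services bound to every interface, and groups established connections by PID so that a process the user never started stands out. The sample lines, the PIDs and the addresses in it are all assumptions made for the example.

```python
"""Added example: triage a Windows `netstat -ano` listing for (a) services
exposed on every interface and (b) established connections from processes the
user did not start. The sample listing, ports and PIDs are constructed."""
import re
from collections import defaultdict

# Constructed `netstat -ano` output from a freshly installed, unpatched XP box
# that has just been connected to the internet. PID 1480 stands for an
# unknown process; no browser is open.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       980
  TCP    192.168.1.5:1045       203.0.113.9:6667       ESTABLISHED     1480
  TCP    192.168.1.5:1046       198.51.100.20:80       ESTABLISHED     1480
  TCP    192.168.1.5:1047       198.51.100.21:80       ESTABLISHED     1480
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:1434           *:*                                    1240
"""

# One connection line: proto, local ip:port, foreign endpoint, optional state, PID.
# UDP lines carry no state column, hence the optional group.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+"
    r"(?:(LISTENING|ESTABLISHED|SYN_SENT|TIME_WAIT|CLOSE_WAIT)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Parse netstat output into a list of dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state, pid = m.groups()
        rows.append({"proto": proto, "local_addr": laddr, "local_port": int(lport),
                     "foreign": faddr, "state": state or "", "pid": int(pid)})
    return rows


def exposed_listeners(rows):
    """(proto, port) pairs bound to 0.0.0.0: reachable from any network the
    machine is plugged into, so they must be patched or firewalled before the
    cable goes in. UDP sockets have no state, so an empty state counts."""
    return sorted({(r["proto"], r["local_port"]) for r in rows
                   if r["local_addr"] == "0.0.0.0" and r["state"] in ("LISTENING", "")})


def unexpected_talkers(rows, expected_pids):
    """Established connections grouped by PID, excluding processes the user
    knowingly started (e.g. the PID of a browser that is actually open)."""
    by_pid = defaultdict(list)
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["pid"] not in expected_pids:
            by_pid[r["pid"]].append(r["foreign"])
    return dict(by_pid)


def triage(text, expected_pids=frozenset()):
    """Run both checks over one netstat listing."""
    rows = parse_netstat(text)
    return {"exposed": exposed_listeners(rows),
            "talkers": unexpected_talkers(rows, expected_pids)}


if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT)
    print("Services listening on all interfaces:", report["exposed"])
    for pid, peers in report["talkers"].items():
        print(f"PID {pid} has {len(peers)} established connection(s): {peers}")
```

To use it on a real box, save the listing with `netstat -ano > netstat.txt` and pass the file contents to `triage`, with the PIDs of programs you actually opened in `expected_pids`. Listeners on 0.0.0.0 such as TCP 135 (RPC) and 445 are the kind of service Blaster reached on unpatched XP, which is why the thread's advice is to apply SP1 and a firewall before connecting; an established connection from a PID that is not the browser is the "megabytes in and out with nothing open" symptom made concrete, and `tasklist` on the same PID names the process.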
 
Expert Comment by Hypoviax (LVL 5):
Also get updates for your system :)

The trouble is trying to get to those sites if your Internet is running slow.....

You will have to try and wait.....

Best Regards,

Hypoviax
 
Expert Comment by 4ceReconSniper (LVL 3):
No, a virus won't survive a reformat, because a virus is also a data element stored in the storage. A reformat destroys every element in the storage, therefore even the virus would surely be destroyed. That is why, for a virus that cannot be cleaned, antivirus software offers the option to delete the infected file, because that is the "ultimate" solution for a virus.
 

Author Comment by graeme57:
Thanks to all replies.

Seems like most answers have their merits. The only possibility must be a compromised IP with an old copy of windows XP and the lurkers are able to automatically hack it immediately the internet connection opens.

This is the nastiest case of adware/trojan that I have encountered (and I've encountered a few). Once the computer is "registered" as vulnerable then you just cannot connect to internet or even use the system as there is no memory resource left.

My questions are:
1. What on earth are the hackers doing with all the system resource? Sending out emails? Tracking other vulnerable systems?
2. And how on earth do they justify the expense of setting such sophisticated operations up? Does anyone really actually buy anything from them? Or from the sites that they advertise?

Solutions: I am going to try the SP1 download (I have my own computer - the problem is with the girlfriend's) in conjunction with a firewall and a different antivirus (currently using Norton - I have to say that it hasn't been very good at finding or dealing with adware - this particular compromise just turns it off - another one of the symptoms).

Then it's the reformat followed by loading all programs without internet.

I'll let you know how I get on.

Thanks for your help

Graeme (Madrid)
 
Expert Comment by Grinler- (LVL 1):
Download and run cwshredder from here:

http://www.bleepingcomputer.com/files/cwshredder.php

This should be able to remove the slotch.com hijacker.
 
Expert Comment by Hypoviax (LVL 5):
>>>1.What on earth are the hackers doing with all the system resource? Sending out emails? Tracking other vulnerable systems?

There is a process that hackers use that involves hacking another, more 'important' system from a compromised system, which may be yours for example. This means that it is harder to trace the source of the hacker. If the hacker is doing this then they could be stealing information from the 'more important' system. This would explain the bandwidth issue.

Similarly, you are right, they could be a spammer using your system in a similar way to the above-mentioned example -> it makes it harder to track the real spammer because they are using a host of compromised machines.

Thirdly, I don't think many people buy from these guys, but they make money from the advertisements, and so if they can get people to see, or click, the ads then they are making money.

MAKE SURE YOU ARE USING A FIREWALL

Regards,

Hypoviax
 
Expert Comment by Lobo042399 (LVL 17):
Hi graeme,

Some virii hide a small portion of themselves in the Master Boot Record. If you're reformatting your HD, I would recommend that you do a complete FDISK operation. After that, on the command prompt, type FDISK \MBR. That switch will wipe the Master Boot Record in the drive.

After reinstalling your OS, my standard procedure is not to connect the machine to the Net or a network until an AV and Firewall have been installed. Only then, connect to the Net but only to run the AV Update. Disconnect from the Net and run a full system scan. Since only the OS and the AV/Firewall are installed, a full scan should take only a few minutes.

Then I would reconnect to the Net and run Windows Update.

That way, risk is minimized that any malicious software may reinfect the machine while it's still vulnerable.

Good Vibes!

Lobo
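Lobo's point above is that `format c:` rewrites the volume inside a partition but does not touch the first sector of the disk, the Master Boot Record, which carries 446 bytes of bootstrap code followed by the four-entry partition table and the 0x55AA signature. The Python below is an added example, not the poster's code: it builds two constructed 512-byte MBR images that share the same partition table but differ in their boot code, parses the partition entries and signature, and compares a SHA-256 of the boot code against a value recorded from the clean image. The boot-code bytes, the partition layout and the device paths mentioned in `read_sector0` are assumptions made for the example.

```python
"""Added example: inspect a 512-byte Master Boot Record and detect changes to
its bootstrap code. Partition layout and sample boot bytes are constructed."""
import hashlib
import struct

BOOT_CODE_LEN = 446           # bytes 0..445: bootstrap code
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR. `partitions` is a list of up to four
    (status, type, lba_start, sector_count) tuples; the CHS fields are filled
    with 0xFF padding because the LBA fields are what matters here."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for i in range(4):
        if i < len(partitions):
            status, ptype, lba_start, count = partitions[i]
            sector += struct.pack(ENTRY_FMT, status, b"\xff" * 3, ptype,
                                  b"\xff" * 3, lba_start, count)
        else:
            sector += bytes(16)
    sector += BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition entries."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def boot_code_changed(sector, known_good_sha256):
    """True when the bootstrap code no longer matches the hash taken right after a clean install."""
    return parse_mbr(sector)["boot_code_sha256"] != known_good_sha256


def read_sector0(device_path):
    """Read the first sector of a physical disk (assumed paths: r'\\.\PhysicalDrive0'
    on Windows as administrator, '/dev/sda' on Linux as root)."""
    with open(device_path, "rb") as f:
        return f.read(512)


# Constructed images: one bootable NTFS-type (0x07) partition starting at LBA 63.
# The boot bytes are placeholders, not real bootstrap code.
LAYOUT = [(0x80, 0x07, 63, 20_000_000)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"CLEAN-LOADER", LAYOUT)
TAMPERED_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"HOOKED-LOADER", LAYOUT)
KNOWN_GOOD = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(image)
        print(name, "partitions:", info["partitions"])
        print(name, "boot code changed:", boot_code_changed(image, KNOWN_GOOD))
```

The two images parse to an identical partition table, which is all a user sees in Disk Management, while only the hash exposes the changed boot code; that is the gap between reformatting a volume and rewriting sector 0. Recording `KNOWN_GOOD` from a freshly installed machine and re-checking it later is the cheap version of the check; as Debsyl99 notes in the next reply, an updated scanner will normally catch a boot-sector infection too, and on XP the sector is rewritten from the Recovery Console rather than with `fdisk /mbr`.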
 
Expert Comment by Grinler- (LVL 1):
If the virus is in the master boot record, then you can just do:

fdisk /mbr

without having to reinstall and reformat.

Redoing the master boot record with the above command should wipe the virus.
 
Expert Comment by Debsyl99 (LVL 20):
NO - don't run fdisk /mbr if you've just re-installed (although you shouldn't be able to just run it as is on an XP PC anyway)!
Please refer to these for future reference.
http://www.cknow.com/vtutor/vtfdiskmbr.htm
http:Q_20932058.html
Any decent virus program that's been updated should be able to deal with a boot sector virus if present, although I seriously do not believe that's what the problem is here.

Deb :))

 
Expert Comment by Lobo042399 (LVL 17):
Graeme,

>>Norton - I have to say that it hasn't been very good at finding or dealing with adware

Adware is a different beast to a virus, and a beast Norton is not designed to deal with. I would not trust any AV that claims to remove adware and spyware as well. To block adware and spyware you need a good firewall in place and, if you're gonna be using IE, also good browser protection like the Immunize feature in Spybot S&D.

The behaviour you mention of shutting down Norton is typical of a trojan infection. In order to determine what is the nasty that is doing it I would run Process Explorer, and then use a combination of RegistrarLite and KillBox to remove the malware.

Good Vibes!

Lobo
 
Expert Comment by happythedog (LVL 3):
a) Yes, if a virus (such as Monkey) screws with the MBR it will survive a format
b) Bullguard is the best AV
c) BlackIce is a good FW (really should go Nortel or Cisco)
d) Get Firefox (using IE is like inviting a virus to come in, it's got so many holes; goes for Windows as well)
e) TDS-3 full system scan (get the exe off the website on your good machine, burn to a CD-R and transport); disconnect from the internet till completed
 

Accepted Solution by modulo (earned 0 total points):
PAQed with no points refunded (of 500)

modulo
Community Support Moderator