Solved

can a virus survive a reformat??

Posted on 2004-10-10
Last Modified: 2013-12-04
Hi there,

I'm completely stumped. My girlfriend has picked up the slotch bar IVC adware nasty and last week I tried everything to get rid of it. Symptoms:
1. regedit would not open
2. msconfig would not open
3. the shift/control/delete program manager only flashes up for a millisecond and then disappears
4. Internet is sending and receiving thousands of megabytes for no reason (without even turning Internet Explorer on)

So - I reformatted the hard drive (format c: not fdisk).
After reloading windows XP and reconnecting to the internet the same problems reappeared without even connecting to an internet site. Megabytes being transferred in and out without reason.
It seems as though someone (or something) has control of the computer. We cannot connect to websites without very long delays - obviously because the bandwidth is being used for some other purpose - and any other program takes an age to load.
The system is relatively new:
Windows XP
pentium 4 - 1,7Mhz

Any ideas???
Question by:graeme57
14 Comments
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 12273341
Hello graeme57 =)

Have a look at this site !!

Task Manager, MSCONFIG, or REGEDIT disappears while opening:
http://www.mvps.org/sramesh2k/ToolsQuit.htm
( site credit goes to Ramesh >> http://www.experts-exchange.com/M_926622.html :)

can u see those symptoms on ur machine ??
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12273368
Hi

I don't think it's likely a virus will survive a reformat. After a hard drive died completely that wasn't infected I had this problem not long ago when reformatting a pc and then installing xp. Is the XP install disk XP only without SP1 by any chance? On internet connection the pc was immediately infected by some virus or nasty that ate up the internet connection bandwidth that I believe was taking advantage of a massive microsoft security vulnerability. Either way dealing with this can be a pain,

You have a few choices, but either way your best bet is to get the os, sp1, relevant windows update patches and a decent av program on it asap with minimal internet connection. You can go for XP sp2 if you're brave enough but I wouldn't recommend it just yet due to the problems still around with it. Some pc's are fine, others have problems with it related to hardware and/or software.

Assuming that you haven't too much data on this pc as yet as you've just re-installed it, I'd suggest:

Reformat and re-install the os, then without internet connection, also install xp - sp1. You may have a separate disk with it on supplied with the pc's original installation disks, otherwise get it from the link below. You can either burn it to cd from another system, or load it onto a usb flash drive,
Windows XP Service Pack 1a Network Installation
http://www.microsoft.com/windowsxp/downloads/updates/sp1/network.mspx
Then immediately after installing sp1, go to windows update and get the rest of the patches from microsoft from the custom install option of windows update if you don't want sp2. Next get yourself a decent av software : This is pretty good and picks up trojans (spyware/malware) very well too (symantec/norton isn't doing too well at this right now). Fully functional 30 day eval copy here but make sure that you update it immediately:
PC-cillin Internet Security
http://www.trendmicro.com/download/product.asp?productid=32&show=pcprod
If you can do these you shouldn't have further problems, but post back what your situation is,

Deb :))
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12273655
Your system may have had a trojan. Formatting would have removed this; however, the recurrence of the problem may be due to a number of reasons:

-A hacker has your IP address and exploits a vulnerability in your system and plants a trojan which closes the applications (or their windows) and allows him/her to add, move, delete files (the use of the bandwidth)
-Your software that you use (Windows OS, Office, games etc) may have a virus or trojan in them causing the recurrence of the problem when you reinstall Windows.
-Windows had a number of flaws in it that allow hackers to remotely access and compromise your machine. If it has not been updated (which it would not have been after a reinstall) then this could most definitely be a cause (this is how the Blaster worms worked)

Solving the problem:

1/ Install antivirus software if you haven't already (free one at www.grisoft.com)
2/ Install a good firewall (can block the connection of a trojan or the like) - Zone Alarm: www.zonelabs.com
3/ install anti-adware/spyware software : www.safer-networking.org & www.lavasoftusa.com

Hope this both explains and solves your problem

Regards,

Hypoviax
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12273665
Also get updates for your system :)

The trouble is trying to get to those sites if your Internet is running slow.....

You will have to try and wait.....

Best Regards,

Hypoviax
0
 
LVL 3

Expert Comment

by:4ceReconSniper
ID: 12275133
No, a virus won't survive a reformat, because a virus is also a data element stored in the storage, and a reformat destroys every element in the storage; therefore even the virus would surely be destroyed. That is why, for a virus that cannot be cleaned, antivirus software offers the option to delete the infected file, because that is the "ultimate" solution to a virus.
0
 

Author Comment

by:graeme57
ID: 12275573
Thanks to all replies.

Seems like most answers have their merits. The only possibility must be a compromised IP with an old copy of Windows XP, and the lurkers are able to automatically hack it as soon as the internet connection opens.

This is the nastiest case of adware/trojan that I have encountered (and I've encountered a few). Once the computer is "registered" as vulnerable then you just cannot connect to internet or even use the system as there is no memory resource left.

My questions are:
1. What on earth are the hackers doing with all the system resource? Sending out emails? Tracking other vulnerable systems?
2. And how on earth do they justify the expense of setting such sophisticated operations up? does anyone really actually buy anything from them? or from the sites that they advertise?

Solutions: I am going to try the SP1 download (I have my own computer - the problem is with the girlfriend's) in conjunction with a firewall and a different antivirus (currently using Norton - I have to say that it hasn't been very good at finding or dealing with adware - this particular compromise just turns it off - another one of the symptoms).

Then it's the reformat followed by loading all programs without internet.

I'll let you know how I get on.

Thanks for your help

Graeme (Madrid)
0
 
LVL 1

Expert Comment

by:Grinler-
ID: 12279364
Download and run cwshredder from here:

http://www.bleepingcomputer.com/files/cwshredder.php

This should be able to remove the slotch.com hijacker.
0
 
LVL 5

Expert Comment

by:Hypoviax
ID: 12281479
>>>1.What on earth are the hackers doing with all the system resource? Sending out emails? Tracking other vulnerable systems?

There is a process that hackers use that involves hacking another more 'important' system from a compromised system, which may be yours for example. This means that it is harder to trace the source of the hacker. If the hacker is doing this then they could be stealing information from the 'more important' system. This would explain the bandwidth issue.

Similarly, you are right, they could be a spammer using your system in a similar way to the above-mentioned example -> it makes it harder to track the real spammer because they are using a host of compromised machines.

Thirdly, I don't think many people buy from these guys, but they make money from the advertisements, and so if they can get people to see or click the ads then they are making money.

MAKE SURE YOU ARE USING A FIREWALL

Regards,

Hypoviax
0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12281659
Hi graeme,

Some virii hide a small portion of themselves in the Master Boot Record. If you're reformatting your HD, I would recommend that you do a complete FDISK operation. After that, on the command prompt, type FDISK /MBR. That switch will wipe the Master Boot Record on the drive.

After reinstalling your OS, my standard procedure is not to connect the machine to the Net or a network until an AV and Firewall have been installed. Only then, connect to the Net but only to run the AV Update. Disconnect from the Net and run a full system scan. Since only the OS and the AV/Firewall are installed, a full scan should take only a few minutes.

Then I would reconnect to the Net and run Windows Update.

That way, risk is minimized that any malicious software may reinfect the machine while it's still vulnerable.

Good Vibes!

Lobo
0
 
LVL 1

Expert Comment

by:Grinler-
ID: 12288128
If the virus is in the master boot record, then you can just do:

fdisk /mbr

without having to reinstall and reformat.

Redoing the master boot record with the above command should wipe the virus.
0
 
LVL 20

Expert Comment

by:Debsyl99
ID: 12288310
NO - don't run fdisk /mbr if you've just re-installed (although you shouldn't be able to just run it as is on an XP PC anyway)!
Please refer to these for future reference .
http://www.cknow.com/vtutor/vtfdiskmbr.htm
http:Q_20932058.html
Any decent virus program that's been updated should be able to deal with a boot sector virus if present, although I seriously do not believe that's what the problem is here,

Deb :))

0
 
LVL 17

Expert Comment

by:Lobo042399
ID: 12289121
Graeme,

>>Norton - I have to say that it hasn't been very good at finding or dealing with adware

AdWare is a different beast to a virus, and a beast Norton is not designed to deal with. I would not trust any AV that claims to remove adware and spyware as well. To block adware and spyware you need a good Firewall in place and, if you're gonna be using IE, also a good browser protection like the Immunize feature in Spybot S&D.

The behaviour you mention of shutting down Norton is typical of a trojan infection. In order to determine what is the nasty that is doing it I would run Process Explorer, and then use a combination of RegistrarLite and KillBox to remove the malware.

Good Vibes!

Lobo
0
 
LVL 3

Expert Comment

by:happythedog
ID: 12342289
a) Yes, if a virus (such as Monkey) screws with the MBR it will survive a format
b) Bullguard is best AV
c) BlackIce is a good fw (really should go Nortel or Cisco)
d) get Firefox (using IE is like inviting a virus to come in, it's got so many holes; goes for Windows as well)
e) TDS-3 full system scan (get the exe off the website on your good machine, burn to a CD-R and transport); disconnect from the internet till completed
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 14146538
PAQed with no points refunded (of 500)

modulo
Community Support Moderator
0
