Newbie question: Unknown virus

Versy Tyle

There is some undetectable virus in my data (or an installed program?), and
has been for months if not years. A bit of processing strain and the
computer crashes and, on the re-boot, says that a particular System 32 file
is missing, and that the system needs to be repaired. On my main computer
the file system is at this point too messed up to perform a recovery.

I have tried every virus scan I know, online and offline; it turns up
nothing. Perhaps, because I have a lot of jpg (and other pictorial) files,
it's the virus that attaches itself to jpg's - where do I go to find
Microsoft's blocker of this? Is it in the SP2?

Does anyone else know of this problem? Is there anything else I can try?

Am on Win xp.

Thanks,
Versy
 
Versy Tyle said:
> There is some undetectable virus in my data (or an installed program?),
> and has been for months if not years. A bit of processing strain and the
> computer crashes and, on the re-boot, says that a particular System 32
> file is missing, and that the system needs to be repaired. On my main
> computer the file system is at this point too messed up to perform a
> recovery.
>
> I have tried every virus scan I know, online and offline; it turns up
> nothing. Perhaps, because I have a lot of jpg (and other pictorial)
> files, it's the virus that attaches itself to jpg's - where do I go to
> find Microsoft's blocker of this? Is it in the SP2?
>
> Does anyone else know of this problem? Is there anything else I can try?
>
> Am on Win xp.
>
> Thanks,
> Versy

A "bit of processing strain" causes the system to crash, and that is the
only time it crashes? Then how do you know it isn't a hardware problem,
like a heatsink that fell off the processor (AMDs will burn up but
Intels will just slow down or stop), or someone forgot to use heatsink
thermal paste (or the less effective thermal tape) between the processor
and heatsink, or the heatsink or video card fans are no longer spinning,
or your power supply is way too weak to provide the amperage needed by
everything in your computer that it powers, or the BIOS has the wrong
specs for the memory (perhaps you overclock or are not letting the BIOS
use SPD - serial presence detect - feature of the memory to report its
specs), or ...
 
The reason I know is that as soon as I transferred the data onto my other
system, an HP, which is not online and had no more than Word and Nero
installed and had caused me no problems, the same thing happened; and
similar symptoms occurred also absolutely as soon as I installed Photoshop
onto the HDD with all that data on it. But on the HP a repair was perfectly
feasible.
The strange thing is that, as soon as I take my data off the HDD on my
main computer, then even if it is being put on to a HDD connected to the
same system, the problem seems not to occur - or if it is still 'latent', it
is less acute; this is after a 'Keep File System Intact' reinstall of xp,
which, before (but not after) I had taken the data off, didn't let me open
at least some of my Photoshop documents.
Both HDDs are relatively new - one of them, just a few months.
Thanks,
Versy
 
Versy Tyle said:
> The reason I know is that as soon as I transferred the data onto my
> other system, an HP, which is not online and had no more than Word and
> Nero installed and had caused me no problems, the same thing happened;
> and similar symptoms occurred also absolutely as soon as I installed
> Photoshop onto the HDD with all that data on it. But on the HP a repair
> was perfectly feasible.
> The strange thing is that, as soon as I take my data off the HDD on my
> main computer, then even if it is being put on to a HDD connected to the
> same system, the problem seems not to occur - or if it is still
> 'latent', it is less acute; this is after a 'Keep File System Intact'
> reinstall of xp, which, before (but not after) I had taken the data off,
> didn't let me open at least some of my Photoshop documents.
> Both HDDs are relatively new - one of them, just a few months.
> Thanks,
> Versy

If anti-virus software doesn't detect the infection (and there are
several online scanners for free so you can use several different brands
to check to ensure the best coverage) then maybe an intrusion prevention
system (IDS) might help. An IDS will tell you when something is running
that shouldn't be or is trying to access critical resources. Abtrusion
is one, System Safety Monitor is another, and Prevx Home is another IDS
product. Prevx Home is free. It might help alert you to what is
running that you don't expect or when something tries to access the
registry, a system file, or other critical resource. But be prepared to
answer lots of prompts and understand what it is reporting to you.
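The cheapest form of the check Vanguard describes, for someone without an IDS, is to export the autostart key once from a known-good state and compare later exports against it: anything that was not there after the clean install is something "running that you don't expect". The script below is an added example, not part of the thread and not taken from any of the products named above; both .reg texts are constructed, and the entry names and paths in them are placeholders rather than real products or known malware.

```python
"""Compare two regedit exports of a Windows autostart key and report changes.

Added example, not from the thread or from any IDS product. The two .reg
texts below are constructed; entry names and paths are placeholders.
"""
import re

# Matches  "name"="data"  or  @="data"  (the key's default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def _unescape(s: str) -> str:
    """Undo .reg escaping inside REG_SZ text: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} from regedit export text.

    REG_SZ data is unquoted and unescaped; other types (dword:, hex:) are
    kept as raw text, which is enough for an equal / not-equal comparison.
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):            # hex(...) data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def diff_autostarts(baseline: dict, current: dict) -> dict:
    """Entries present now but not in the baseline, gone, or pointing elsewhere."""
    added, removed, changed = [], [], []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, {}), current.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                added.append((key, name, new[name]))
            elif name not in new:
                removed.append((key, name, old[name]))
            elif old[name] != new[name]:
                changed.append((key, name, old[name], new[name]))
    return {"added": added, "removed": removed, "changed": changed}


# Constructed baseline: the Run key right after a clean install of the OS and
# the two applications in use (placeholder program names).
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundDriverTray"="C:\\WINDOWS\\system32\\sndtray.exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
'''

# Constructed later export: one entry now points somewhere else and a new,
# unexplained entry has appeared.
CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundDriverTray"="C:\\WINDOWS\\system32\\sndtray.exe"
"NeroCheck"="C:\\Documents and Settings\\All Users\\NeroCheck.exe"
"Updater"="C:\\WINDOWS\\Temp\\updater.exe -silent"
'''


if __name__ == "__main__":
    report = diff_autostarts(parse_reg_export(BASELINE_REG),
                             parse_reg_export(CURRENT_REG))
    for kind, entries in report.items():
        for entry in entries:
            print(kind.upper(), *entry[1:])
```

On XP the exports come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run-baseline.reg`; regedit writes them as UTF-16, so open the file with `encoding="utf-16"` before passing the text in. Run and RunOnce under both HKLM and HKCU, and the Winlogon Shell and Userinit values, are worth baselining the same way. The caveat is the one Vanguard raises later in the thread: a rootkit that hooks the registry API inside the infected OS can hide its entry from `reg export` just as it hides from a scanner, so a clean result from within that OS is not proof.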
 
Thanks, Vanguard. Have done dozens of online scans.
I take it an IDS is not specifically an online thing, like a firewall, and
that it would yield something comprehensible to the likes of my
computer-illiterate self? Given the history I have reported, I don't know
how another application, whatever readings it comes up with, will really
help....
Think it's a virus?
Cheers,
Versy
 
Versy Tyle said:
> Thanks, Vanguard. Have done dozens of online scans.
> I take it an IDS is not specifically an online thing, like a firewall,
> and that it would yield something comprehensible to the likes of my
> computer-illiterate self? Given the history I have reported, I don't
> know how another application, whatever readings it comes up with, will
> really help....
> Think it's a virus?

Hard to say. You mentioned repairing your system (which presumably
meant doing an in-place upgrade of Windows XP to step atop the instance
already on the hard drive; see ) but then said that the file system was
too screwed up to perform a recovery. Well, if the file system is so
screwed up that files cannot be copied onto hard drive then why would
you expect anything to behave on that partition? You mentioned
"transferring" the hard drive "data" to another system and the problem
followed. I don't know by "transferring" if you meant that you saved a
drive image and then restored it on the other test system. I also don't
know if by "data" you meant you moved over data files (which are not
executable but only read by some application although their content
could affect the behavior of applications) or the move included all
files, including executables.

At this point, and since it sounds like you have multiple hard drives,
it sounds like you should move the drive so it is the second drive or
move its contents via an image or even a file copy to the second drive,
and then do a fresh install of Windows XP on the primary drive. Be sure
to do the following before doing the fresh install: (1) Create a
bootable floppy in another good host which includes the FDISK utility;
(2) Boot using the floppy and run "FDISK /MBR" to overwrite the
bootstrap area of the MBR (master boot record) on the first physical
drive found by the BIOS (and which gets used to load the bootstrap
program and read the partition tables in that MBR); and, (3) Reboot
using the Windows XP installation CD and lay down a fresh copy of the OS
(this will also overwrite the boot sector of that partition). Then
you'll have a clean install of Windows XP on the first drive and nothing
on the second drive gets executed but you can start migrating your
data-only files back to the first drive (or cleaning off their non-data
only files from it). If your applications expect that data to be on C:
then you can move it singly from D: to C:. Otherwise, if the
applications expect the data to be on D: then I'd repartition the second
drive to have 2 partitions (logical drives in an extended partition) to
end up with a blank formatted D: and E: where are the files and then
move them singly from E: to D:. Obviously you are then in control of
what data files you are moving over.

The procedure I noted should eliminate getting reinfected with a root
kit, something that can usurp the MBR bootstrap program and embed itself
into the OS so it can hide itself from any application running under
that infected OS, like an anti-virus scanner. The reboots are needed to
ensure something nasty doesn't stick around in memory. However, it
might not be a virus at all but just a corrupted OS that is misbehaving.
Just be careful what you install thereafter as applications to prevent
getting the trojan, virus, or whatever malware. If your data files
contain macros then configure your applications to block them or prompt
you regarding letting them execute. When reinstalling the applications,
be sure to use read-only media. If they come on CD then they are
read-only. If they came on 3-1/2" floppy, be sure the tab is missing or
moved so the hole is exposed (and that they were always this way to
prevent getting written onto and infected). Because programs exist to
flash your BIOS (to update it to a new version), I suppose it is
possible that someone wrote some nasty program that would modify the
routines stored in the EEPROM for the BIOS that would continually screw
up your system. A fresh install of Windows from read-only media would
expose that problem if the defect exhibited itself again but for the
freshly installed OS.

It can take so much time and experimentation to get rid of an
undetectable nasty that it is more economical to start with a fresh
install of the OS and fresh install of the applications (and all from
read-only media). You said this problem has been around for months or
years so you've probably wasted more than the 2 to 4 evenings to do a
fresh install of OS and apps and migrate over the data-only files. In
one case, it sounds like you did just that and the problem went away so
that may be your best and easiest solution. Just remember to install
what you really need to have and not every piece of software you have
ever accumulated on your system. It is likely that the malware, if
present, is part of some fluffware. You might then consider getting
Drive Image, TrueImage, or another drive imaging program to save
periodic snapshots of your system to which you can restore. Do NOT rely
on the Windows XP System Restore. It's okay but not trustworthy.
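Steps (2) and (3) of the procedure above come down to the layout of the first sector of the disk: FDISK /MBR rewrites only the first 446 bytes (the bootstrap code), and leaves the partition table at bytes 446-509 and the 0x55AA signature at 510-511 alone, which is why it can be run without losing the partitions. The script below is an added example, not from the thread and not FDISK's own code: it parses such a sector, compares its bootstrap area against a known-clean copy, and shows that the rewrite preserves the partition table. The sector contents are constructed; the "clean" loader bytes are placeholders, not the bytes of any real boot loader.

```python
"""Parse a 512-byte master boot record and check its bootstrap code.

Added example; not from the thread and not what FDISK does internally.
The sectors below are constructed: the 'clean' bootstrap bytes are a
placeholder, not the bytes of any real loader.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446            # bytes 0-445: the code FDISK /MBR rewrites
PART_TABLE_OFF = 446           # four 16-byte partition entries at 446-509
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, LBA count
SIGNATURE = b"\x55\xaa"        # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into a hash of the bootstrap area + decoded partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, lba_count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                       # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "lba_count": lba_count})
    return {"bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": partitions}


def bootstrap_matches(sector: bytes, reference: bytes) -> bool:
    """True when the bootstrap area is byte-identical to a known-clean copy.

    The partition table is deliberately excluded: it legitimately differs
    between machines, while the loader code should never change on its own.
    """
    return sector[:BOOTSTRAP_LEN] == reference[:BOOTSTRAP_LEN]


def rewrite_bootstrap(sector: bytes, clean_bootstrap: bytes) -> bytes:
    """What FDISK /MBR amounts to: replace bytes 0-445, keep table and signature."""
    if len(clean_bootstrap) > BOOTSTRAP_LEN:
        raise ValueError("bootstrap code too long")
    return clean_bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + sector[BOOTSTRAP_LEN:]


def build_sample_sector(bootstrap: bytes) -> bytes:
    """Constructed sector: one bootable NTFS-type (0x07) partition starting at LBA 63."""
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 20_000_000)
    table = entry + b"\x00" * (16 * 3)     # three empty slots
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + table + SIGNATURE


# Placeholder loader bytes (constructed, not a real MBR program).
CLEAN_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32
# The same loader with its first instruction patched into a jump, the way a
# boot-sector infector hooks startup while leaving the partition table alone.
TAMPERED_BOOTSTRAP = b"\xe9\x20\x01" + CLEAN_BOOTSTRAP[3:]


if __name__ == "__main__":
    clean = build_sample_sector(CLEAN_BOOTSTRAP)
    suspect = build_sample_sector(TAMPERED_BOOTSTRAP)
    for label, sec in (("clean", clean), ("suspect", suspect)):
        info = parse_mbr(sec)
        print(label, info["bootstrap_sha256"][:16], info["partitions"])
    print("bootstrap matches:", bootstrap_matches(suspect, clean))
    repaired = rewrite_bootstrap(suspect, CLEAN_BOOTSTRAP)
    print("after rewrite:", bootstrap_matches(repaired, clean),
          parse_mbr(repaired)["partitions"] == parse_mbr(suspect)["partitions"])
```

On a live XP system the first sector can be read from an administrator account with `open(r"\\.\PhysicalDrive0", "rb").read(512)`; the reference copy must come from a machine known to be clean. The comparison only means something when run from media the suspect OS did not boot, which is the point of the floppy in step (1): a rootkit that hooks disk reads inside the infected OS can hand back the clean bytes while the real ones stay patched.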
 
Vanguard said:
> Hard to say. You mentioned repairing your system (which presumably
> meant doing an in-place upgrade

Not sure what you mean here. I just used my CD-Bootable Win xp to reinstall
without reformatting.

> of Windows XP to step atop the instance
> already on the hard drive; see ) but then said that the file system was
> too screwed up to perform a recovery. Well, if the file system is so
> screwed up that files cannot be copied onto hard drive then why would
> you expect anything to behave on that partition?

I didn't; but then neither do I expect them to keep misbehaving after a
reformat (recently, with installation of ethernet card, it has taken longer
for them to start misbehaving, but ultimately they do, and indeed show a
pattern - as described - to their misbehaviour). Alright, this time I didn't
do a reformat, but I am left curious as to why their behaviour should be so
dependent upon how much else is on the HDD.

> You mentioned
> "transferring" the hard drive "data" to another system and the problem
> followed. I don't know by "transferring" if you meant that you saved a
> drive image

drive image? what's that?

> and then restored it on the other test system. I also don't
> know if by "data" you meant you moved over data files (which are not
> executable

do you mean .exe files?

> but only read by some application although their content
> could affect the behavior of applications) or the move included all
> files, including executables.

Some .exe files and a lot of data. Did not install the programs to which the
.exe's were attributable.

> At this point, and since it sounds like you have multiple hard drives,
> it sounds like you should move the drive so it is the second drive or
> move its contents via an image or even a file copy to the second drive,
> and then do a fresh install of Windows XP on the primary drive. Be sure
> to do the following before doing the fresh install: (1) Create a
> bootable floppy in another good host which includes the FDISK utility;

I have no idea what this means, I'm afraid. I have never booted from floppy
and could never get Win xp to fit onto a floppy. Don't know what an FDISK is
and don't know why booting from floppy should be at all significant, given
that I usually boot from CD in these circumstances.

> (2) Boot using the floppy and run "FDISK /MBR" to overwrite the
> bootstrap area of the MBR (master boot record) on the first physical
> drive found by the BIOS (and which gets used to load the bootstrap
> program and read the partition tables in that MBR); and,

Again, this is all foreign territory to me.

> (3) Reboot
> using the Windows XP installation CD and lay down a fresh copy of the OS
> (this will also overwrite the boot sector of that partition).

Reformat?

> Then
> you'll have a clean install of Windows XP on the first drive and nothing
> on the second drive gets executed but you can start migrating your
> data-only files back to the first drive (or cleaning off their non-data
> only files from it). If your applications expect that data to be on C:
> then you can move it singly from D: to C:. Otherwise, if the
> applications expect the data to be on D: then I'd repartition the second
> drive to have 2 partitions (logical drives in an extended partition) to
> end up with a blank formatted D: and E: where are the files and then
> move them singly from E: to D:. Obviously you are then in control of
> what data files you are moving over.

Have only 2 HDD's. I can't see what the C, D, E distinction is all about!

> The procedure I noted should eliminate getting reinfected with a root
> kit, something that can usurp the MBR bootstrap program and embed itself
> into the OS so it can hide itself from any application running under
> that infected OS, like an anti-virus scanner.

Again, you've lost me!

> The reboots are needed to
> ensure something nasty doesn't stick around in memory. However, it
> might not be a virus at all but just a corrupted OS that is misbehaving.

Have persistently reinstalled it. My buddy with the same CD gets perfectly
good results with it. Personally, I've had endless problems with Win 2000
and a different Win xp before that.

> Just be careful what you install thereafter as applications to prevent
> getting the trojan, virus, or whatever malware. If your data files
> contain macros then configure your applications to block them or prompt
> you regarding letting them execute.

Wouldn't know how!

> When reinstalling the applications,
> be sure to use read-only media. If they come on CD then they are
> read-only.

How about if they are just moved from D: back to C:?

> If they came on 3-1/2" floppy, be sure the tab is missing or
> moved so the hole is exposed (and that they were always this way to
> prevent getting written onto and infected). Because programs exist to
> flash your BIOS (to update it to a new version), I suppose it is
> possible that someone wrote some nasty program that would modify the
> routines stored in the EEPROM for the BIOS that would continually screw
> up your system. A fresh install of Windows from read-only media would
> expose that problem if the defect exhibited itself again but for the
> freshly installed OS.

I wouldn't be able to detect the exposition, I don't think!

> It can take so much time and experimentation to get rid of an
> undetectable nasty that it is more economical to start with a fresh
> install of the OS and fresh install of the applications (and all from
> read-only media). You said this problem has been around for months or
> years so you've probably wasted more than the 2 to 4 evenings to do a
> fresh install of OS and apps and migrate over the data-only files. In
> one case, it sounds like you did just that and the problem went away so
> that may be your best and easiest solution. Just remember to install
> what you really need to have and not every piece of software you have
> ever accumulated on your system. It is likely that the malware, if
> present, is part of some fluffware.

Eh?

> You might then consider getting
> Drive Image, TrueImage, or another drive imaging program to save
> periodic snapshots of your system to which you can restore. Do NOT rely
> on the Windows XP System Restore. It's okay but not trustworthy.

Well, thank you for your contribution, even though I don't understand much of
it!

Regards,

Versy
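Two of the questions in the reply above ("do you mean .exe files?" and "How about if they are just moved from D: back to C:?") come down to telling data files apart from programs before copying them to the clean install, and the file name is not a reliable way to do it: a program renamed to .jpg is still a program. The script below is an added example, not from the thread, that decides by content (the first bytes of the file) which files are safe to copy, which are executables to leave behind, and which deserve a look first (Office-style documents that can carry the macros Vanguard mentions, and images with extra bytes appended after the end of the picture). The sample files at the bottom are constructed byte strings, not files from anyone's drive.

```python
"""Decide, by file content rather than name, which files are safe to migrate.

Added example, not from the thread. The sample files at the bottom are
constructed byte strings, not files from the poster's drive.
"""
import os

# (magic bytes at offset 0, kind)
MAGIC = [
    (b"MZ", "pe_executable"),                                # .exe/.dll/.scr/.sys
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"8BPS", "psd"),                                        # Photoshop document
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2_document"),  # .doc/.xls: may carry macros
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
]
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".dll", ".sys", ".bat", ".cmd",
             ".vbs", ".js", ".hta", ".cpl"}
IMAGE_EXTS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif", ".psd": "psd"}
JPEG_EOI = b"\xff\xd9"         # end-of-image marker; a well-formed JPEG ends here


def detect_kind(data: bytes) -> str:
    """Identify the file type from its leading bytes, ignoring the name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(name: str, data: bytes) -> dict:
    """Return {"name", "kind", "decision", "reason"}; decision is copy/skip/review."""
    ext = os.path.splitext(name)[1].lower()
    kind = detect_kind(data)
    if ext in EXEC_EXTS:
        verdict = ("skip", "executable by extension")
    elif kind == "pe_executable":
        verdict = ("skip", "executable by content, whatever the name says")
    elif ext in IMAGE_EXTS and kind != IMAGE_EXTS[ext]:
        verdict = ("review", "content does not match a %s extension" % ext)
    elif kind == "ole2_document":
        verdict = ("review", "Office-style container; may hold macros")
    elif kind == "jpeg" and data.rfind(JPEG_EOI) != len(data) - 2:
        verdict = ("review", "bytes appended after JPEG end-of-image marker")
    else:
        verdict = ("copy", "data file")
    return {"name": name, "kind": kind, "decision": verdict[0], "reason": verdict[1]}


def plan_migration(files: dict) -> dict:
    """Group {name: bytes} into the three decisions, names sorted within each."""
    plan = {"copy": [], "skip": [], "review": []}
    for name, data in sorted(files.items()):
        plan[classify(name, data)["decision"]].append(name)
    return plan


def scan_directory(root: str) -> dict:
    """Same classification over a real directory tree (e.g. the old D: drive)."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            path = os.path.join(dirpath, n)
            with open(path, "rb") as fh:       # whole file, so the JPEG tail check works
                results[path] = classify(n, fh.read())
    return results


# Constructed sample contents (minimal headers, not real files).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 6 + JPEG_EOI
MZ_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + b"PE\x00\x00"
OLE_SAMPLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
SAMPLE_FILES = {
    "holiday.jpg": JPEG_SAMPLE,                 # real image: copy
    "holiday2.jpg": MZ_SAMPLE,                  # program renamed to .jpg: skip
    "photo_viewer.exe": MZ_SAMPLE,              # program, not data: skip
    "notes.doc": OLE_SAMPLE,                    # may carry macros: review
    "odd.jpg": JPEG_SAMPLE + b"MZ\x90\x00",     # image with trailing payload: review
    "readme.txt": b"plain text\r\n",            # unknown type, plain name: copy
}


if __name__ == "__main__":
    for decision, names in plan_migration(SAMPLE_FILES).items():
        for n in names:
            print(decision.upper(), n, "-", classify(n, SAMPLE_FILES[n])["reason"])
```

Run `scan_directory(r"D:\")` on the old data drive from the fresh install and copy only the "copy" group; the "skip" group is exactly the set of programs Vanguard says should be reinstalled from read-only media instead of moved across. A content check of this kind catches renamed executables and obvious appended payloads, but not an image crafted to exploit a flaw in the program that displays it: an image file cannot run on its own, so for that case the defence is keeping the viewer and the OS patched, which is what SP2 and later updates are for.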
 