Virus infection on a T60 ==> how best to reinstall WindowsXP? Can I safely still use the special Win


ship

Hi


My T60 (WindowsXP Pro) has been infected with several viruses.

Is it safe to re-install from the WindowsXP partition?

Or should I kill absolutely everything on the disk (eg. by running
KillDisk off a CD)?


And if I do the latter, how on earth do I register it with Microsoft
because the laptop did not come with any CDs.
(I can borrow a Windows XP Pro CD from work - but I presume that there
will be problems with the Product Key and License number etc)

Any thoughts?

With thanks



Ship
 
P.S. For clarification my computer is a T60 laptop from Lenovo. (about
3 years old)

With thanks


Ship
Shiperton Henethe
 
From: "ship" <[email protected]>

< snip >

What? Cross-post to all those groups and NOT microsoft.public.security.virus?

What "viruses" (assuming they were viruses and not plain old trojans) were they?
 
ship said:
< snip >

Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is available,
(though no .exe is available for BitDefender).

After the scan is run, if you elect to quarantine files, they're
quarantined to RAM and lost after you reboot. You'll need to copy any
quarantined files to the hard drive, a thumb drive or elsewhere before
exiting.

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html
 
HOW TO do a clean install of WinXP: See
http://michaelstevenstech.com/cleanxpinstall.html#steps and/or Method 1 in
http://support.microsoft.com/kb/978307

After the clean install, you'll have the equivalent of a "new computer" so
take care of everything on the following page before otherwise connecting
the machine to the internet or a network and before using a flash drive or
SDCard that isn't brand-new or hasn't been freshly formatted:

4 steps to help protect your new computer before you go online
http://www.microsoft.com/security/pypc.aspx

Other helpful references include:

HOW TO get a computer running WinXP Gold (no Service Packs) fully patched
(after a clean install)
http://groups.google.com/group/microsoft.public.windowsupdate/msg/3f5afa8ed33e121c

HOW TO get a computer running WinXP SP1(a) or SP2 fully patched (after a
clean install)
http://groups.google.com/group/microsoft.public.windowsxp.general/msg/a066ae41add7dd2b

Tip: After getting the computer fully-patched, download/install KB971029
manually: http://support.microsoft.com/kb/971029

NB: Any Norton or McAfee free-trial that came preinstalled on the computer
when you bought it will be reinstalled (but invalid) when Windows is
reinstalled. You MUST uninstall the free-trial and download/run the
appropriate removal tool before installing any updates, Windows Service
Packs or IE upgrades and before installing your new anti-virus application
(which will require WinXP SP3 to be installed).

Norton Removal Tool
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

McAfee Consumer Products Removal Tool
http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Also see:

Steps To Help Prevent Spyware
http://www.microsoft.com/security/spyware/prevent.aspx

Steps to Help Prevent Computer Worms
http://www.microsoft.com/security/worms/prevent.aspx

Avoid Rogue Security Software!
http://www.microsoft.com/security/antivirus/rogue.aspx

--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
www.banthecheck.com
 
All helpful suggestions, but nobody seems to have answered my central
questions:
A). Do I need to delete the special Windows XP installation partition?
i.e. is it theoretically possible for a virus to get into it? And

B). How am I supposed to reinstall WindowsXP correctly without it?

With thanks


Ship
Shiperton Henethe
 
< snip >

If you think it is best to start from scorched earth, I would delete
everything - even the special Windows installation partition. You do
not know the status/health of it with 100% certainty. Even if you
could use it, if something goes wrong later, you will always wonder if
it was really part of the problem or not. Eliminate the possibility
of that question ever coming up - whack it.

You can certainly make a copy of a genuine bootable XP installation CD
to keep with your computer. Don't borrow it, make a copy for you. It
is not unethical to make a copy of a Windows CD. It is unethical to
apply the same license key to different computers. Be sure it is of
the same version you have now (Home, Pro, etc). If you don't need it
now, you will be glad you have it some other day.

Before you reinstall, you should determine the currently installed
licensing information on your current system (if it runs) and use that
when reinstalling. It may be on a sticker on your PC that is
unreadable, lost or missing. You need to figure out what Windows
thinks, not what some sticker says.

The information is already on your system of course, you just need to
find it and write it down for later.

You can use one of several free tools, or use them all and see which
one you like best:

Magic Jelly Bean:
http://magicaljellybean.com/keyfinder/

SIW:
http://www.gtopala.com/

Belarc:
http://belarc.com/free_download.html

It would be more fun to just fix your current unspecified problem and
not reinstall, but you can/should certainly find out the licensing
information and get a copy of a genuine bootable XP installation CD of
your own and keep it in a safe place for the future - or the present...
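What the key-finder tools mentioned above actually do is read the DigitalProductId value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion and decode the 25-character product key from it. The following is an added example, not code from any poster in this thread and not from Magical Jelly Bean, SIW or Belarc: it implements that decoding for Windows XP (15 key bytes at offset 52 of the blob, read as a little-endian integer and written out in base 24 over a 24-character alphabet), plus the inverse so the test blob can be constructed instead of copied from a real machine. Two caveats worth knowing before relying on it: the Product ID shown in System Properties (the 99999-OEM-9999999-99999 form) is not the product key and cannot be turned into one, and on a factory-installed machine the key stored in the registry can differ from the one printed on the COA sticker, so record both. The sample key and the 164-byte blob length are assumptions made for the demonstration.

```python
"""Decode the Windows XP product key from a DigitalProductId registry blob.

Added example for this thread; not code from any poster or from the
key-finder tools linked above. XP stores the key as 15 bytes at offset 52
of HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\DigitalProductId,
a little-endian integer expressed in base 24 over KEY_ALPHABET. SAMPLE_BLOB
is CONSTRUCTED here with encode_product_key(); SAMPLE_KEY is not a real key.
"""

KEY_ALPHABET = "BCDFGHJKMPQRTVWXY2346789"  # 24 symbols; no 0/1/5/A/E/I/L/N/O/S/U/Z
KEY_OFFSET = 52                            # where the 15 key bytes start in the blob
KEY_BYTES = 15
KEY_CHARS = 25                             # five groups of five
BLOB_LEN = 164                             # assumed typical XP blob size


def decode_product_key(blob: bytes) -> str:
    """Return the XXXXX-XXXXX-XXXXX-XXXXX-XXXXX key held in a DigitalProductId blob."""
    if len(blob) < KEY_OFFSET + KEY_BYTES:
        raise ValueError("blob too short to hold a product key")
    n = int.from_bytes(blob[KEY_OFFSET:KEY_OFFSET + KEY_BYTES], "little")
    digits = []
    for _ in range(KEY_CHARS):              # least significant digit comes out first
        n, r = divmod(n, len(KEY_ALPHABET))
        digits.append(KEY_ALPHABET[r])
    raw = "".join(reversed(digits))         # most significant digit first
    return "-".join(raw[i:i + 5] for i in range(0, KEY_CHARS, 5))


def encode_product_key(key: str, blob_len: int = BLOB_LEN) -> bytes:
    """Inverse of decode_product_key; used only to build a test blob."""
    raw = key.replace("-", "").upper()
    if len(raw) != KEY_CHARS or any(c not in KEY_ALPHABET for c in raw):
        raise ValueError("key must be 25 characters from the product-key alphabet")
    n = 0
    for c in raw:
        n = n * len(KEY_ALPHABET) + KEY_ALPHABET.index(c)
    blob = bytearray(blob_len)              # everything but the key bytes left zero
    blob[KEY_OFFSET:KEY_OFFSET + KEY_BYTES] = n.to_bytes(KEY_BYTES, "little")
    return bytes(blob)


def read_live_key():
    """On Windows, read the real blob from the registry; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
        blob, _ = winreg.QueryValueEx(k, "DigitalProductId")
    return decode_product_key(blob)


# Constructed sample: a made-up key run through the encoder (not a real key).
SAMPLE_KEY = "BCDFG-HJKMP-QRTVW-XY234-6789B"
SAMPLE_BLOB = encode_product_key(SAMPLE_KEY)

if __name__ == "__main__":
    print("sample blob decodes to:", decode_product_key(SAMPLE_BLOB))
    live = read_live_key()
    print("this machine's key:", live if live else "(not running on Windows)")
```

Run it on the XP machine itself (any Python that has winreg) and write the decoded key down next to the COA key; if the two differ, that is the OEM preinstallation key versus the sticker key, and either is the one you would expect to enter at Setup for that machine.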
 
< snip >

A fresh Format/Installation would certainly eliminate a lot of
potential problems that might exist on your system. Before nuking the
drive, do ensure that you have the "key" for reinstalling Windows.
Next, visit this site:

http://tech.icrontic.com/articles/windows_driver_collection

It has some information that might prove useful to you. You might be
interested in DriverMax <http://www.innovative-sol.com/drivermax/>
also. It could save you a lot of time. Prior to running it, do ensure
that you have the latest drivers installed.

Finally, download a copy of FreeDOS <http://www.freedos.org/>. Create a
bootable CD, and use it to start your system. Read the documentation
first. If used correctly, it will remove all existing data and
partition info from your drive. You can then use the same disk to
reformat the drive prior to installing Windows. Not entirely necessary;
however, it does help to erase all existing data on the drive.

Ciao

--
Carmel |::::=======
|::::=======
|===========
|===========
|
 
ship said:
Hi


My T60 (WindowsXP Pro) has been infected with several viruses.

Is it safe to re-install from the WindowsXP partition?

I have *never* seen or read about an instance where malware actually
alters the hidden recovery partition. I would say the answer is yes, it
is safe.
Or should I kill absolutely everything on the disk (eg. by running
KillDisk off a CD)?

No, the recovery partition is something you always want to keep (IMO).
An exception *might* be made if you have a full-fledged XP installation
CD and it _must_ match the license you have, too. Even so, if it were
me, I would still keep that hidden recovery partition intact.
And if I do the latter, how on earth do I register it with Microsoft
because the laptop did not come with any CDs.
(I can borrow a Windows XP Pro CD from work - but I presume that there
will be problems with the Product Key and License number etc)

Registration is optional. I assume you are referring to activation. The
CD you borrow (and I would recommend making a copy of it for your use)
*must* match in all respects. So the Windows XP Pro CD *must* be a
generic OEM version in order for the Product Key on your Certificate of
Authenticity (COA) sticker for activation to work. Then again, if you
simply use the hidden recovery partition, the process is much simpler
and faster. :-)
Any thoughts?

Make sure you copy all your data. Be sure to include e-mails, your
address book, Internet Explorer favorites, etc. Then follow the
instructions Lenovo provided for the recovery. You'll be fine. (Then, of
course, reinstall your programs and copy the data back.)

That being said, depending on the malware, there might be a better
solution: remove the malware. :-) If the amount of damage is minimal,
that's what I would try first. Feel free to post back with specifics,
and many here will be happy to guide you.
 
All helpful suggestions, but nobody seems to have answered my central
questions:
A). Do I need to delete the special Windows XP installation partition?
i.e. is it theoretically possible for a virus to get into it? And

B). How am I supposed to reinstall WindowsXP correctly without it?

With thanks


Ship
Shiperton Henethe

Theoretically? Yes, anything is possible as it is just another
partition on your disk regardless of "hiding" or otherwise. Same holds
true for the Restore Point saves/partition or even encrypted devices,
e.g., anything writable.

Has it been? Ahhhh.....

As for what you can do now: not much [qualified, see below ORs] except
use it as you apparently "failed" to do what you were *supposed* to do
when you obtained the new computer; burn your one legal copy [most
computers come pre-configured to bug you at least once when first
started to burn a backup copy], or the ability to backup/image the
entire disk at some point which can be done at anytime by anyone [e.g.,
not by the original purchaser].

OR,

You might be able to contact the manufacturer and plead your issue
attempting to obtain an OEM installation disk and/or manufacturer setup
disk(s) [like the old days of retail purchased systems].

OR,

Using a Live/bootable CD/DVD, either Linux or one of the PE style
troubleshooting, you can attempt to scan and potentially clean the
installation partition from there.

--
MEB
http://peoplescounsel.org/ref/windows-main.htm
Windows Info, Diagnostics, Security, Networking
http://peoplescounsel.org
The "real world" of Law, Justice, and Government
___---
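The point above, that the recovery partition is "just another partition" and that anything writable can in principle be altered, is something you can actually test from the Live CD route rather than argue about. Mount the partition read-only from a Linux live CD, record a SHA-256 of every file on it, and later diff a fresh walk against that record, or against a manifest taken from another machine with the same factory image. The following is an added example, not a Lenovo tool and not code posted by anyone in this thread; the mount point, script name, file names and file contents are placeholders. One honest caveat: a manifest taken now, after the infection, cannot by itself prove the partition is clean. It does tell you whether anything changes from this point on, and compared against a known-good baseline it answers the question directly.

```python
"""Integrity manifest for a hidden recovery partition.

Added example for this thread; not a Lenovo tool and not posted by any
participant. Intended use: boot a Linux live CD, mount the recovery
partition read-only (mount point is an assumption, e.g. /mnt/recovery),
snapshot every file's SHA-256 to JSON, and later diff a fresh walk against
that baseline or against one taken from a known-good machine with the same
factory image. demo() builds a throw-away tree of placeholder files so the
script runs anywhere.
"""
import hashlib
import json
import os
import sys
import tempfile


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256.
    Symlinks are skipped so a link pointing outside the partition cannot pull
    foreign content into the baseline."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic order, easier to diff by eye
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Files that appeared, vanished, or changed content since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in shared if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a fake recovery tree, tamper with it,
    then re-check. File names and contents are placeholders, not real files."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "I386"))

        def put(rel, data):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        put("I386/NTLDR", b"placeholder boot loader")
        put("I386/WINNT.SIF", b"[Data]\nAutoPartition=1\n")
        put("RECOVERY.TXT", b"factory image, placeholder\n")
        baseline = build_manifest(root)

        # tamper: edit one file, drop in an extra one, delete one
        put("I386/WINNT.SIF", b"[Data]\nAutoPartition=1\n; altered answer file\n")
        put("I386/extra.exe", b"placeholder, not a real binary")
        os.remove(os.path.join(root, "RECOVERY.TXT"))
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    # usage: recovery_manifest.py snapshot MOUNT OUT.json
    #        recovery_manifest.py check    MOUNT BASELINE.json
    if len(sys.argv) == 4 and sys.argv[1] == "snapshot":
        save_manifest(build_manifest(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        print(json.dumps(diff_manifests(load_manifest(sys.argv[3]),
                                        build_manifest(sys.argv[2])), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

From the live CD: mount the partition with the ro option, run the snapshot mode against the mount point and keep the JSON somewhere off the laptop, then run check mode against the same mount point after the clean-up (or against a baseline from a second T60 with the same image). An empty added/removed/changed result is the answer to "has it been touched"; a non-empty one names exactly which files to look at.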
 
ship said:
All helpful suggestions, but nobody seems to have answered my central
questions:
A). Do I need to delete the special Windows XP installation partition?
i.e. is it theoretically possible for a virus to get into it?

Assuming you're referring to the hidden Recovery partition: No & it's a
very, very remote possibility
 
Well I spoke to Lenovo and they want to sting me for GBP 40.00 for an
installation disk. I refuse point blank to do this, partly as a matter
of principle and partly because it will probably take a while for the
CD to arrive by post.

I have dug out the number from Control Panel > System > General Tab,
which looks like this:

99999-OEM-9999999-99999

(except with actual numbers instead of "9"s)

I also spoke to Microsoft, who were extremely insistent that using a
different CD would definitely fail to work (I suspect that they are
probably fibbing).

Apparently I will have to give them an "Installation ID" (9 groups of 6
digits), and they will then need to give me a "Confirmation ID".

I've not followed any of the links above yet - will they be able to
generate a "Product Key" or "Confirmation ID"?

I am slightly hazy about what all these "IDs" and "Keys" are and where
and when they are required by Windows XP. The spare CD I have comes
from my old PC. It is definitely a genuine Windows XP Professional CD,
and I have the product key for *it* (but I presume that it won't
work...). Wait a minute - *yes*, on the back of the Lenovo laptop is
indeed a "product key", with 5 groups of 5 characters. Looks promising :)

Is there anything else that I need to do?

i.e. do I still need the likes of
http://magicaljellybean.com/keyfinder/
or do I now have the information that I need?

* * *

But as some of you imply, MAYBE there is no need to format the Windows
installation partition. But just how hard can it be for a virus to
write to a hidden partition? NOT hard, I would imagine. If I was writing
a virus, that is exactly the sort of thing I would get it to do to
ensure that it survived a re-formatting of the C: drive... but what do I
know?

Ship (OP)
 
From: "ship" <[email protected]>

< snip >

| But as some of you imply, MAYBE there is no need to format the
| Windows installation partition.
| But just how hard can it be for a virus to write to a hidden
| partition? NOT hard I would imagine.
| If I was writing a virus that is exactly the sort of thing I would get
| it to do to ensure that it
| survived a re-formatting of the C: drive... but what do I know?

| Ship (OP)

There 'ya go again saying "virus" and you still haven't provided that information.

So I now repeat...
What "viruses" (assuming they were viruses and not plain old trojans) were they?
 
< snip >

Well here is a selection of what was reported - but they came so thick
and fast I didn't take note of them all:

AVAST:
Win32:Tibs-AFH [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel.msg
Win32:Tibs-AFX [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\The Kiss.msg
Win32:Tibs-AFX [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\The Kiss.msg
Win32:Tibs-AGA [Wrm] C:\documents and settings\XXXX\local settings\temp\X1Server\Forever in Love.msg
Win32:Tibs-AIE [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\I Would Give you Anything.msg
Win32:Tibs-AFH [Trj]

MSE:
Nuwar.N@mm!CME-711 C:\DOCUME~1\ALECST~1\LOCALS~1\Temp\_avast4_\unp28372.tmp

Trojan: Win32/Vxidl.gen!B File:C:\DOCUME~1\ALECST~1\LOCALS~1\Temp\_avast4_\unp69768409.tmp
Trojan: Win32/Vxidl.gen!dam File:C:\DOCUME~1\ALECST~1\LOCALS~1\Temp\_avast4_\unp142407802.tmp

Win32:Small-JBK [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\Sadam Hussein safe and sound!.msg
Win32:Tibs-AFA [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\Happy World Religion Day!.msg
Win32:Tibs-AFP [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\I Love Thee.msg

Win32:Tibs-AFX [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\The Kiss.msg
Win32:Tibs-AFX [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\Unmatchable Beauty.msg
Win32:Tibs-AGA [Wrm] C:\documents and settings\XXXX\local settings\temp\X1Server\Forever in Love.msg

MSE:
Backdoor:Win32/Ryknos.BC (Alert level: Severe)

AVAST:
Win32:Small-JBK [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\Sadam Hussein safe and sound!.msg
Win32:Tibs-AFA [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\Happy World Religion Day!.msg
Win32:Tibs-AFP [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\I Love Thee.msg

MSE:
Backdoor:Win32/Ryknos.BC (Alert level: Severe) file:C:\Documents and Settings\XXXX\Local Settings\Temp\ARC70F.tmp
Worm:Win32/Mtob.NP@mm (Alert level: Severe) file:C:\Documents and Settings\XXXX\Local Settings\Temp\ARC1405.tmp Description: This program is dangerous and self-propagates over a network connection.
Backdoor:Win32/Ryknos.BC [AGAIN] (Alert level: Severe) file:C:\Documents and Settings\XXXX\Local Settings\Temp\ARC1B59.tmp
Worm:Win32/Mtob.NP@mm file:C:\Documents and Settings\XXXX\Local Settings\Temp\ARC285D.tmp
Does that help?


Ship
 
Sheesh!

After wiping and reinstalling from known clean media, I would even give
the *room* it is in a good scrubbing with bleach. :o)

Use the EISA partition to restore to factory specifications, then get
all the updates installed. Scan any backup data and programs for malware
before returning them to the freshly rejuvenated system.
 
From: "ship" <[email protected]>

< snip >

No file infecting viruses nor MBR/Disk Sector Infectors were noted. A simple reformat of
the HD and re-install of the OS is all that's needed IFF that's how you want to proceed.

Interestingly, NONE in the log excerpts you provided were shown to have malware actually
in the OS. All were in the TEMP folder.

Also interesting was "Trojan: Win32/Vxidl.gen" and "Nuwar mass mailer" found in...
%TEMP%\_avast4_\*.tmp files.

Where did you get your copy of Avast?

What are the .MSG files, as in "Sadam Hussein safe and sound!.msg"?
Are they email related?
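The observation in the post above, that every hit sits under a user Temp folder and that two of them are inside Avast's own _avast4_ unpack directory, is the kind of thing worth checking mechanically when a scanner reports dozens of hits faster than you can read them. The following is an added example, not code from this thread and not from Avast or Microsoft: it parses the Avast and MSE lines ship posted (reproduced inline with the same names and paths, MSE's alert-level wording normalised to a single line per hit), buckets each path by where it sits on the disk, and reports anything that is not in a temp directory. The location buckets and the "scanner-unpack" / "saved-message" notes are heuristics of this example, not scanner output; CONTRAST_LINE is a made-up placeholder, not a real detection, included only so the non-temp branch is exercised.

```python
"""Triage scanner output by file location.

Added example for this thread; not code from any poster, Avast or MSE.
SAMPLE_LOG reproduces the detection lines posted above (MSE's alert text
normalised to one line per hit). CONTRAST_LINE is a constructed placeholder,
not a real detection. Location buckets and notes are this example's own
heuristics.
"""
import re
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "name kind path location note")

# The path starts at the first "X:\" (MSE prefixes it with "file:"); MSE may
# also append "Description: ..." after the path, which is dropped.
PATH_RE = re.compile(r"(?i)(?:file:)?(?P<path>[a-z]:\\.+?)(?:\s+Description:.*)?$")
BRACKET_KIND = re.compile(r"\[(\w+)\]")          # Avast style: [Trj], [Wrm]
MSE_PREFIX = ("Trojan", "Worm", "Backdoor")       # MSE style: Trojan:/Worm:/Backdoor:


def classify_location(path):
    """Coarse bucket for a Windows path. A file under Temp was scanned where
    it was downloaded or unpacked; one under the Windows directory, Program
    Files or a Startup folder is far more likely to be installed and active."""
    p = path.lower().replace("/", "\\")
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        return "user-temp"
    if "\\start menu\\programs\\startup\\" in p:
        return "startup"
    if p.startswith("c:\\windows\\"):
        return "system"
    if p.startswith("c:\\program files\\"):
        return "programs"
    return "other"


def parse_line(line):
    """Parse one Avast or MSE detection line; None if it carries no path."""
    m = PATH_RE.search(line)
    if not m:
        return None
    head = line[:m.start()].strip()
    path = m.group("path").strip()
    tag = BRACKET_KIND.search(head)
    prefix = head.split(":", 1)[0].strip()
    if tag:
        kind = tag.group(1)
    elif prefix in MSE_PREFIX:
        kind = prefix
    elif "@mm" in head:                   # mass-mailer suffix used by several vendors
        kind = "mass-mailer"
    else:
        kind = "unknown"
    name = re.sub(r"\s*\[\w+\]|\s*\(Alert level:[^)]*\)", "", head).strip()
    note = ""
    if "\\_avast4_\\" in path.lower():
        note = "scanner-unpack"           # inside Avast's own unpack scratch directory
    elif path.lower().endswith(".msg"):
        note = "saved-message"            # a stored e-mail, i.e. an attachment on disk
    return Detection(name, kind, path, classify_location(path), note)


def triage(log_text):
    dets = [d for d in (parse_line(l.strip()) for l in log_text.splitlines()) if d]
    return {
        "detections": dets,
        "by_location": Counter(d.location for d in dets),
        "outside_temp": [d for d in dets if d.location != "user-temp"],
    }


SAMPLE_LOG = r"""
Win32:Tibs-AFH [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\The Kiss.msg
Win32:Tibs-AGA [Wrm] C:\documents and settings\XXXX\local settings\temp\X1Server\Forever in Love.msg
Win32:Small-JBK [Trj] C:\documents and settings\XXXX\local settings\temp\X1Server\Sadam Hussein safe and sound!.msg
Nuwar.N@mm!CME-711 C:\DOCUME~1\ALECST~1\LOCALS~1\Temp\_avast4_\unp28372.tmp
Trojan: Win32/Vxidl.gen!B File:C:\DOCUME~1\ALECST~1\LOCALS~1\Temp\_avast4_\unp69768409.tmp
Backdoor:Win32/Ryknos.BC (Alert level: Severe) file:C:\Documents and Settings\XXXX\Local Settings\Temp\ARC70F.tmp
Worm:Win32/Mtob.NP@mm (Alert level: Severe) file:C:\Documents and Settings\XXXX\Local Settings\Temp\ARC1405.tmp Description: This program is dangerous and self-propagates over a network connection.
"""

# Constructed placeholder (not a real detection) showing what a hit under the
# Windows directory would look like in the summary.
CONTRAST_LINE = r"Placeholder:Win32/Example (Alert level: Severe) file:C:\WINDOWS\system32\placeholder.dll"

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for d in result["detections"]:
        print(f"{d.location:10} {d.kind:12} {d.name:28} {d.note:15} {d.path}")
    print("by location:", dict(result["by_location"]))
    print("outside user temp:", len(result["outside_temp"]))
```

Read the output the way the post above reads the raw log: a hit on Temp\X1Server\*.msg means a scanner looked inside a stored e-mail, and a hit on Temp\_avast4_\*.tmp means one scanner looked inside another scanner's extraction scratch. Neither says the payload ever ran, which is what an entry under C:\WINDOWS, Program Files or a Startup folder would suggest, and that is the list worth acting on first.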
 
The location of all of those is in a temp directory; you don't need to
format. I did not catch the whole thread, but who said to format? Probably
PaBear. From what you posted it looks like both Avast and MSE are doing
their jobs. Those locations you gave in the logs are the first point where
the infectors enter your computer from the internet. Use CCleaner to clean
your temp files http://www.ccleaner.com/ then do a complete scan with both
Avast and MSE; update both before you scan.


--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
 
ship said:
< snip >

Look at it like this.. if malware is written to the installation
partition, what would it matter unless there were a rootkit, or Windows
malware to address it. It could only be activated if you installed from
that partition. Then if you were to find malware on the new
installation, you could suspect something on the installation partition.

So just deal with your current infections.. heck, the CD's I suggested
probably check that partition anyway.
 
Elmo said:
Look at it like this.. if malware is written to the installation
partition, what would it matter unless there were a rootkit, or
Windows malware to address it. It could only be activated if you
installed from that partition.

I'm pretty sure that that was Ship's point. A few people, including
yours truly, suggested he simply use the hidden restore partition. I
highly doubt that the malware writers targeted *his* particular PC
model. I am sure the partition is just fine! Also, he made another post
and I'm pretty sure there was no evidence his OS even had an infection;
that is, his AV program found suspect files in the temp directory
and unopened e-mail attachments. I'm not convinced he has a problem at
all. :-)
 