OK Gail, this machine got infected by a lot of misdeeds.
First stop, get an external CD/DVD and boot to the Windows CD.
Wipe out all partitions, and if he needs to go to a Linux root disk
(These are a couple of sites where he can get these with a bunch of
basic DOS tools on them - someone help me here, I can see it but can't
remember the name of it.)
He needs to physically wipe out the partitions, each and every one of
them. What he is installing is installing onto an extended disk
partition that does not get seen on boot up and gets taken over by a
master boot partition.
This is an insidious type of infection and many at this point pull
the drive and get a new one and put it in.
I would have to ask what he is getting into to get this type of
infection. (I know parent mode) He needs to practice safe computering.
Stewart
At 11:12 AM 12/23/2009, you wrote:
Hi ... Well I had to get my son to come over here and type out what
actually happens with this "virus" because he didn't want to send it
to me in an email. So, here's what he told me.
Hope you can make out what it is that's going on --- and better yet
-- what he might do to fix it.
Worst case -- do you think Dell will take it back so we can start
over or is it likely beyond that point now?
Strange Virus Explained:
What this Virus does
It apparently sets itself up in both windows\system32 and also in
windows\sonfig
It uses WordPad (I suspect because WordPad can be saved as .XML), and
the "controllers" use Windows Shell and RPC, remote procedure call,
as well as API, which I'm not sure what that is, but along with a lot
of other things, it changes the registry, sets up user accounts,
with high level authority, it creates virtual UPC buses, virtual
wireless adapters, virtual network adapters, virtual monitors, even
virtual processors....and takes control of your computer, making
even the administrator have about as much authority on his own
computer as a low level user would have, makes tons of network
connections using Media Player, and lots of other things, and
downloads tons more things onto your computer, and uploads tons of
things to places unknown too.
It sees when you're trying to disable it, for instance using mmc, an
advanced feature in Windows Firewall, which has snap-ins to create
rules for incoming and outgoing connections, and it changes whatever
rules you make without changing what the settings are on the
console, and then makes the controls disappear, or not "clickable"
meaning it has removed your level of access even when you sign on as
an administrator (which being the sole user and owner of this
computer I'm already an administrator, but due to the way Windows 7
makes you less than an administrator until you need to use the
privilege, is the way it works)
It uses BCD a lot, I don't know if that's a program it downloaded or
if that's Microsoft's software, but it stands I think for boot
control device, and it alters the boot manager so that every time it
boots, it gets loaded first, and also apparently alters the system
BIOS to make it so that unless onboard BIOS legacy is enabled, it
can't find the operating system and it won't boot..which also means
that even now that the new Windows installation and a supposedly
"clean" disk I probably STILL have it. I wiped the entire hard drive
using a DOS program called "Kill Disk"..which makes one pass, and
creates zeros on every byte on the partition you select, I did that
to every partition
It had a first partition 100Mb, with no label or volume, then one
149Gb, with a W something 4 character string, then a dash - then 4
more characters (all numeric if I remember correctly). Then it had
another partition, not labeled, it was something like
200,000 sectors big, but had no data....I'm thinking this is a
virtual partition, and it was super hard to get rid of using DOS,
DiskPart....in fact due to my inexperience using that utility, I
didn't remove it until I let Windows delete a partition upon set up.
I think I'm wrong about some of the things but that's the best of my
recollection right now. I had used a DOS util. called Isasld.....and
got a list of users and permissions assigned for everyone on the
computer. But, I wasn't able to print it because the driver for the
printer which I downloaded was "intercepted" by the virus and
changed into something else, so when the window popped up to change
my permissions to administrator, thinking I was downloading and
installing a driver from DELL.....it was something from HELL instead!
Thanks so much everyone!!
Gail Miller
----- Original Message ----- From: "mike" <[email protected]>
To: <[email protected]>
Sent: Tuesday, December 22, 2009 6:09 PM
Subject: Re: [CGUYS] STRANGE VIRUS? AGAIN
Not sure if Gail got run off or got busy.
But, there are still a few who had questions that may have been lost in the
maze of the thread that started this..so
What exactly is the computer doing that you think it has a virus? I've seen
bad hardware behave strangely, this may be the issue this time also.
*************************************************************************
** List info, subscription management, list rules, archives, privacy **
** policy, calmness, a member map, and more at http://www.cguys.org/ **
*************************************************************************