Malware before XP is finished installing (standalone)

5 replies to this topic

#1 zedhed
Posted 26 December 2009 - 01:43 PM

I have attempted this installation six times now. See below for hardware and network specs.

Overview: My original XP system became infected with some kind of drive-by malware while visiting a website, and it was overdue for an XP reload anyway. Avira had popped up a warning for TR_crypt.xpack.gen for a half second then the popup disappeared. Subsequent scans using Avira, Malwarebytes and online Housecall (Trend Micro) found nothing, but the system had become unusable within a couple of days. So, I clean installed XP after a Robocopy of the entire original drive to an external drive.

The installation details:
I disconnected all drives from my system except the original system drive, an 80GB internal Seagate. The NIC was unplugged. I first booted Acronis Disk Director (Linux boot CD) and wiped the drive with all zeros. I used my non-OEM XP CD slipstreamed with SP3 (also tried the original XP CD, purchased in 2002), let the install create the partition and did a full NTFS format. The first time, an hour or so after my initial logon to the system, I unplugged the NIC cable and installed Sysinternals' TCPView and Process Explorer because there was a great deal of drive activity. When I plugged back in, TCPView showed dozens of connections using TCP from Svchost that would [grab a port, connect, drive activity, disconnect] on 3 or 4 instances of Svchost at a time at a rate of 1 or 2 connections per second. The display was flashing connections on and off while the drive went nuts. Looked violent. (Have you ever watched Nmap portscan a LAN aggressively? It looked something like that.) I immediately pulled the NIC cable and the connections timed out and drive activity slowed to normal.

Upon investigation I found that many of the normal Windows system files seemed to have been replaced with previous versions (from NT4, Win9X) and had apparently been carefully rewritten. They are called "Legacy" drivers and are all Root level drivers per System Information. I know this sounds paranoid - and it might be just that - but I have worked with virus/malware issues since 1988 (mostly diskette-borne MAC viruses back then) and this looks very sophisticated to me; has me completely baffled. But I'm not a programmer or Windows expert so I'm not sure what really is normal and what isn't half the time. Clearly there were real people connected to my system through legacy terminal services and probably a website. (At one point someone poisoned my internal routes using repeated ARP calls instructing devices to respond to 127.0.0.1.) Each attempted install responded the same way; it steadily became more corrupt within a day or two (or hours) until I was utterly owned. As an Admin I wasn't allowed access to the Program Files folder even though I alone had ownership - that sort of thing.

I have a Wordpad file with screen captures of two windows (sysinfo Signed Drivers listing and sysinfo Running Tasks listing). It's pretty big - 7MB - because of the graphics and I don't know how to convert the captures to smaller jpg files. Let me know if you would like to see them and I'll figure it out. They list the legacy drivers and specify "Unknown" for nearly every parameter.

My system is a home-built desktop used primarily for multitrack recording using the Reaper software. It is directly wired (no wireless card) to a Netgear Router which is connected to a DSL modem. There are three other devices connecting to the router wirelessly - two laptops and a ROTU box for Netflix to my TV. The Router is set up with a strong password and a very strong WPA-2 code. There are no ports forwarded or triggered, and its firewall is turned on. One of the laptops has the same problem and the other seems clean. (The one with the problem just came home from college and was already infested. My problem started before this one was plugged into the network, though).

I did find BIOS code from an old Award BIOS (v1.0 Copyright 2000) near the end of the drive with my disk editor. Moreover, the boot sector had been relocated up to sector 64 and the first 64 sectors were hidden. So when I wiped all that I thought I'd foiled it. I looked at it again before letting the first pass reboot into the disk version of Windows and that BIOS info was back. Maybe that's how it works - but I doubt it. That's all I can think of and this is too long as it is.

Hoping for any suggestions. My system is up for now (6th install) but it's running on replaced system files and I'm keeping it off the net except for quick sessions to download security software, which I believe is compromised during installation anyway. Thanks in advance for any help. Let me know what I forgot.

Desktop Specs:
Gigabyte GA-MA770-UD3 w/ onboard Realtek GB NIC
AMD Phenom X3 720
4MB GSKILL DDR-2
PS: Mushkin XP-650AP
E-MU 1212m Audio (Creative), onboard audio disabled

zed
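The post above describes a boot sector found at sector 64 with the first 64 sectors hidden, on a drive that had just been zero-wiped. As an added example (not code from the thread or from any tool mentioned in it), here is a small Python checker a defender can run over a raw image of such a disk to verify two things before reinstalling: that sector 0 holds a valid MBR whose first partition starts where XP setup normally puts it (LBA 63), and that the sectors between the MBR and that partition are still all zero as a wipe leaves them. The image builder produces constructed test data only.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector0: bytes):
    """Parse a classic MBR: four 16-byte partition entries at offset 446,
    boot signature 0x55AA at offset 510. Returns None if the signature is absent."""
    if len(sector0) < SECTOR or sector0[510:512] != MBR_SIGNATURE:
        return None
    entries = []
    for i in range(4):
        # entry layout: boot flag, CHS start (3), type, CHS end (3), LBA start, LBA count
        flag, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype != 0:  # type 0 means an unused slot
            entries.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                            "lba_start": lba_start, "lba_count": lba_count})
    return entries


def wipe_check(image: bytes, expected_first_lba: int = 63):
    """Return a list of findings for a freshly wiped/installed disk image (empty list = as expected)."""
    entries = parse_mbr(image[:SECTOR])
    if entries is None:
        return ["sector 0 has no MBR signature"]
    if not entries:
        return ["MBR has an empty partition table"]
    findings = []
    first = min(entries, key=lambda e: e["lba_start"])
    if first["lba_start"] != expected_first_lba:
        findings.append(f"first partition starts at LBA {first['lba_start']}, expected {expected_first_lba}")
    # Every sector between the MBR and the first partition should still be zero after a zero-wipe.
    gap = image[SECTOR:first["lba_start"] * SECTOR]
    dirty = [1 + off // SECTOR for off in range(0, len(gap), SECTOR) if any(gap[off:off + SECTOR])]
    if dirty:
        findings.append(f"{len(dirty)} sector(s) between MBR and first partition are not zero: LBA {dirty[:5]}")
    return findings


def build_sample_image(first_lba: int, taint_lba=None) -> bytes:
    """Constructed test image (hypothetical data, not a real disk): one NTFS (0x07) partition
    at first_lba, and optionally one non-zero sector planted in the pre-partition gap."""
    img = bytearray(SECTOR * (first_lba + 4))
    img[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, first_lba, 4)
    img[510:512] = MBR_SIGNATURE
    if taint_lba is not None:
        img[taint_lba * SECTOR:taint_lba * SECTOR + 16] = b"\xeb\x3c\x90" + b"A" * 13
    return bytes(img)
```

Run it against a `dd` image taken from a boot CD rather than from inside the installed Windows, so that whatever is running on the suspect system cannot filter what you read.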

#2 OldPhil
Posted 26 December 2009 - 02:20 PM

If you chose to format the drive during installation it should have been clean.

Honesty & Integrity Above All!


#3 zedhed
Posted 26 December 2009 - 05:32 PM

If you chose to format the drive during installation it should have been clean.


Yeah, it should have been. But after two weeks of wracking my brain as to where this "thing", whatever it is, could be coming from, I need someone who's seen it before or can at least walk me through some ideas. I suspect BIOS issues but I don't think anyone has really been able to write malware that could threaten a hard drive from a BIOS yet, have they? This thing is already in operation before XP is fully installed!

Does anyone know exactly what the "new" WMI providers HiPerfCooker and RSOP actually do? Everything seems to begin there when I look in the Application Event log. All I can find is MS assuring us that "this is just the high performance management system" or something equally generic.

No one else has seen this problem before?

zed

#4 Guest_Abacus 7_*
Posted 26 December 2009 - 07:22 PM

:flowers:

You could try draining the CMOS?

Only place not wiped? And it is connected to BIOS.

I always drain the CMOS on reinstall.

Just remember to reset the Time and Date in the BIOS afterwards, as it resets to the Default from when it was first built.

:thumbsup:

Edited by Abacus 7, 26 December 2009 - 07:28 PM.


#5 zedhed
Posted 27 December 2009 - 02:03 AM

Is draining the CMOS a step beyond simply clearing CMOS?

I cleared it but didn't need to reset the time. So, pull the battery for a while and short the pins with the battery out?

Thanks, Abacus.

Zed

:thumbsup:

#6 Guest_Abacus 7_*
Posted 27 December 2009 - 03:54 AM

:flowers:

Before removing the Battery, make sure the Machine is unplugged and Ground yourself first, then remove the Power Leads from the MotherBoard, then remove the Battery for about 5 Minutes. Afterwards re-hook the Power leads to the MotherBoard, then install the Battery.

Best of Luck, Mate.

:thumbsup:
