Posted 26 December 2009 - 01:43 PM
I have attempted this installation six times now. See below for hardware and network specs.
Overview: My original XP system became infected with some kind of drive-by malware while visiting a website, and it was overdue for an XP reload anyway. Avira had popped up a warning for TR_crypt.xpack.gen for a half second then the popup disappeared. Subsequent scans using Avira, Malwarebytes and online Housecall (Trend Micro) found nothing, but the system had become unusable within a couple of days. So, I clean installed XP after a Robocopy of the entire original drive to an external drive.
The installation details:
I disconnected all drives from my system except the original system drive, an 80GB internal Seagate. The NIC was unplugged. I first booted Acronis Disk Director (Linux boot CD) and wiped the drive with all zeros. I used my non-OEM XP CD slipstreamed with SP3 (also tried the original XP CD, purchased in 2002), let the install create the partition and did a full NTFS format. The first time, an hour or so after my initial logon to the system, I unplugged the NIC cable and installed Sysinternals' TCPView and Process Explorer because there was a great deal of drive activity. When I plugged back in, TCPView showed dozens of connections using TCP from Svchost that would [grab a port, connect, drive activity, disconnect] on 3 or 4 instances of Svchost at a time at a rate of 1 or 2 connections per second. The display was flashing connections on and off while the drive went nuts. Looked violent. (Have you ever watched Nmap portscan a LAN aggressively? It looked something like that.) I immediately pulled the NIC cable and the connections timed out and drive activity slowed to normal.
Upon investigation I found that many of the normal Windows system files seemed to have been replaced with previous versions (from NT4, Win9X) and had apparently been carefully rewritten. They are called "Legacy" drivers and are all Root level drivers per System Information. I know this sounds paranoid - and it might be just that - but I have worked with virus/malware issues since 1988 (mostly diskette-borne MAC viruses back then) and this looks very sophisticated to me; it has me completely baffled. But I'm not a programmer or Windows expert so I'm not sure what really is normal and what isn't half the time. Clearly there were real people connected to my system through legacy terminal services and probably a website. (At one point someone poisoned my internal routes using repeated ARP calls instructing devices to respond to 127.0.0.1.) Each attempted install went the same way; the system steadily became more corrupt within a day or two (or hours) until I was utterly owned. As an Admin I wasn't allowed access to the Program Files folder even though I alone had ownership - that sort of thing.
I have a Wordpad file with screen captures of two windows (sysinfo Signed Drivers listing and sysinfo Running Tasks listing). It's pretty big - 7MB - because of the graphics and I don't know how to convert the captures to smaller jpg files. Let me know if you would like to see them and I'll figure it out. They list the legacy drivers and specify "Unknown" for nearly every parameter.
My system is a home-built desktop used primarily for multitrack recording using the Reaper software. It is directly wired (no wireless card) to a Netgear Router which is connected to a DSL modem. There are three other devices connecting to the router wirelessly - two laptops and a ROTU box for Netflix to my TV. The Router is set up with a strong password and a very strong WPA-2 code. There are no ports forwarded or triggered, and its firewall is turned on. One of the laptops has the same problem and the other seems clean. (The one with the problem just came home from college and was already infested. My problem started before this one was plugged into the network, though).
I did find BIOS code from an old Award BIOS (v1.0 Copyright 2000) near the end of the drive with my disk editor. Moreover, the boot sector had been relocated up to sector 64 and the first 64 sectors were hidden. So when I wiped all that I thought I'd foiled it. I looked at it again before letting the first pass reboot into the disk version of Windows and that BIOS info was back. Maybe that's how it works - but I doubt it. That's all I can think of and this is too long as it is.
Hoping for any suggestions. My system is up for now (6th install) but it's running on replaced system files and I'm keeping it off the net except for quick sessions to download security software, which I believe is compromised during installation anyway. Thanks in advance for any help. Let me know what I forgot.
Gigabyte GA-MA770-UD3 w/ onboard Realtek GB NIC
AMD Phenom X3 720
4MB GSKILL DDR-2
PS: Mushkin XP-650AP
E-MU 1212m Audio (Creative), onboard audio disabled
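The poster checked the disk by hand and found the boot sector sitting at sector 64 instead of sector 0. The script below is an added example (my code, not the poster's) of doing that check mechanically against a raw disk image: it parses sector 0 as an MBR, then lists every sector in the first part of the drive that carries the 0x55AA boot signature and flags any that is neither sector 0 nor the start of a partition listed in the MBR (the NTFS volume boot record normally lives at the partition start, sector 63 on an XP-era layout, and is expected). The two sample images are constructed in the script; the path `disk.img` in the usage branch is a placeholder for an image taken with a tool such as dd.

```python
"""Locate boot-signature sectors in a raw disk image and flag ones that do not belong.

Added example for checking whether the MBR really sits at sector 0 and whether any
other sector in the first part of the drive looks like a boot sector. Sample images
are constructed below; a real image is passed as the first command-line argument.
"""
import struct
import sys

SECTOR = 512
BOOT_SIG = b"\x55\xAA"  # signature at offset 510 of an MBR or volume boot record


def parse_mbr(sector: bytes):
    """Return (has_signature, partitions) for one 512-byte sector read as an MBR.

    Each partition dict holds: bootable flag, type byte, starting LBA, sector count.
    """
    has_sig = len(sector) == SECTOR and sector[510:512] == BOOT_SIG
    parts = []
    if has_sig:
        for i in range(4):
            entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
            status, ptype = entry[0], entry[4]
            lba_start, count = struct.unpack_from("<II", entry, 8)
            if ptype != 0:
                parts.append({"bootable": status == 0x80, "type": ptype,
                              "lba_start": lba_start, "sectors": count})
    return has_sig, parts


def scan_boot_signatures(image: bytes, max_sectors: int = 128):
    """Return the indexes of sectors (within the first max_sectors) ending in 0x55AA."""
    hits = []
    for n in range(min(max_sectors, len(image) // SECTOR)):
        if image[n * SECTOR + 510: n * SECTOR + 512] == BOOT_SIG:
            hits.append(n)
    return hits


def assess(image: bytes):
    """Return a list of findings; an empty list means the layout looks ordinary."""
    sig0, parts0 = parse_mbr(image[:SECTOR])
    findings = []
    if not sig0:
        findings.append("sector 0 lacks the 0x55AA boot signature")
    elif not parts0:
        findings.append("sector 0 has a signature but no partition entries")
    # Sector 0 and each partition's first sector (its VBR) are allowed to carry the signature.
    expected = {0} | {p["lba_start"] for p in parts0}
    for n in scan_boot_signatures(image):
        if n not in expected:
            findings.append(f"unexpected boot-signature sector at {n}")
    return findings


def build_mbr(lba_start: int, sectors: int, ptype: int = 0x07) -> bytes:
    """Constructed MBR: empty boot code, one bootable NTFS entry, then the signature."""
    entry = bytes([0x80, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba_start, sectors)
    return b"\x00" * 446 + entry + b"\x00" * 48 + BOOT_SIG


# Constructed sample: MBR at sector 0, NTFS VBR at sector 63 (the listed partition start).
NTFS_VBR = b"\xEB\x52\x90NTFS    " + b"\x00" * 499 + BOOT_SIG
CLEAN_IMAGE = build_mbr(63, 65) + b"\x00" * (62 * SECTOR) + NTFS_VBR + b"\x00" * (64 * SECTOR)

# Constructed sample resembling the poster's description: first 64 sectors blank,
# an MBR-like sector sitting at sector 64.
RELOCATED_IMAGE = b"\x00" * (64 * SECTOR) + build_mbr(63, 65) + b"\x00" * (63 * SECTOR)


if __name__ == "__main__":
    # Usage: python mbrcheck.py disk.img   (disk.img is a placeholder path)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read(128 * SECTOR)
    else:
        data = RELOCATED_IMAGE
    for line in assess(data) or ["no anomalies in the first 128 sectors"]:
        print(line)
```

The check is deliberately simple: it trusts nothing but the two signature bytes and the partition table, so it cannot say what a stray boot-signature sector is, only that it is not where an ordinary layout puts one. A sector that fails the check is a prompt to image the drive and look at it with a disk editor, as the poster did, rather than a verdict.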