Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Reformat and reinstall after virus - Any advice?


  • Please log in to reply
26 replies to this topic

#1 lather

lather

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 13 October 2010 - 04:34 AM

Having been advised that I've picked up a "file infector" infection on one of my laptops, I've been told that the only practical and safe way to get rid of it is via a reformat of the drive and a clean install of Windows. I thought I'd got an OEM restore partition on the drive, but it looks like I haven't, so I'm in the process of sourcing a new copy of XP Pro on disk so I can install from that.

I've done a Windows reinstall on both 95 and 98se in the distant past, but never on XP. So I was just wondering if anyone has any tips or advice about what I need to do and what I can expect.

If there's anyone who can walk me through the process, it would be a great help to me!

(I won't be doing it for a few days, as I've only just paid for the XP disk and have got to wait for it to be delivered...)


I've also been told that I can rescue important (non-system) data files and pictures by burning them to CD - Do the experts here agree with that? And is there anything I need to be aware of while doing it?

BC AdBot (Login to Remove)

 


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:52 PM

Posted 13 October 2010 - 05:40 AM

To reload a XP laptop, I first make sure my generic disk will match up with the COA sticker on the bottom of the case.
That way I am just reinstalling the already liscensed version of the OS and not wasting a new liscense.

If possible I go into device manager and note the individual hardware description for lan, wireless,etc.
Some brands of laptops use several different combinations for the same model.

After downloading the drivers from the manufacturer's website I change the boot order in bios and insert the CD.

First I delete all partitions and then repartition and install.

http://michaelstevenstech.com/cleanxpinstall.html
Chewy

No. Try not. Do... or do not. There is no try.

#3 hamluis

hamluis

    Moderator


  • Moderator
  • 55,232 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:02:52 PM

Posted 13 October 2010 - 07:42 AM

My question is...who advised you of this information?

Before I did a clean install, I'd make sure that it was a necessary step.

Louis

#4 lather

lather
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 14 October 2010 - 03:18 AM

Thanks for the replies!

@hamluis: The advice came from peku006 over at Safer-Networking Forums, and they're the one who directed me here. If you want to check out the thread where I asked for help there, complete with all the logs and reports, here's the link: http://forums.spybot.info/showthread.php?t=59715

In the past, the folks there helped me out with a Virtumonde infection on another machine, so I know that they tend to know what they're talking about. If you have a different view, then I'd be happy to hear it!



@DaChew: Thanks for the link, although I think your reply has left me with more questions than answers!

First of all, how do you know if your disk matches up with your COA sticker?

Also, in the page you link to, it appears to say that you halt Windows installation part-way through to install the device drivers. But other guides I've read say to do that after you've completed the Windows install. Am I reading things right there?

And, for the deleting partitions and re-partitioning, what utility do you use for that? Do you boot from the Windows disk and do it from there, or do you use something else?



Other general questions I've got about what I'm doing:

1) As this seems like a good time to do a hard drive upgrade, does this cause any issues? I'm using a Thinkpad T41, and was wondering if replacing the infected hard drive with a new larger one could cause problems with the drive being recognised etc.

2) If I do upgrade the hard drive and decide to partition it into two logical drives, one for the OS and programs and one for all my data, would any future virus infection just affect the OS partition and be prevented from spreading to the data one? Or would it jump from one to the other and corrupt the data there too?

#5 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,264 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:12:52 PM

Posted 14 October 2010 - 03:29 AM

1) The new hdd will need to be formatted before XP will recognize it, other than that there shouldn't be any problems. Just make sure your CD-ROM is the first device in the boot order in the BIOS before you start to boot from the installation CD.

2) Most infections are aimed to the operating system, so if the partition with the operating system gets infected the second one should be fine.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#6 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:52 PM

Posted 14 October 2010 - 08:14 AM

I've only just paid for the XP disk and have got to wait for it to be delivered...)


Please expand on this? Ebay?
Chewy

No. Try not. Do... or do not. There is no try.

#7 hamluis

hamluis

    Moderator


  • Moderator
  • 55,232 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:02:52 PM

Posted 14 October 2010 - 01:28 PM

Thanks for posting the link to your malware thread :thumbsup:.

Virut seems to be the more widely (by me, anyway) known file infector virus...I don't know much about malware :flowers: and I now have a better understanding of what led you here.

Louis

#8 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:52 PM

Posted 14 October 2010 - 02:41 PM

I was curious


File name / Threat / Threats count
C:\Documents and Settings\user\Application Data\Ihre\tagis.exe Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\user\Desktop\TFC.exe Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\user\Local Settings\temp\jkos-user\binaries\msvcr80.dll Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\user\Local Settings\temp\jkos-user\binaries\prLoader.dll Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\user\Local Settings\temp\jkos-user\binaries\prremote.dll Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\user\Local Settings\temp\jkos-user\binaries\ScanningProcess.exe Infected: Virus.Win32.Nimnul.a 1
C:\Documents and Settings\user\Local Settings\temp\rtdrvmon.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WIN\DISPLAY\AtiCimUn.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WIN\DISPLAY\BIN\aticds10.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WIN\DISPLAY\BIN\AtiCIM.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WIN\DISPLAY\BIN\atiicdxx.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WIN\DISPLAY\CheckVer.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WIN\DISPLAY\CPanel\CPANEL.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WIN\DISPLAY\Driver\2KXP_INF\B_43075\atiiiexx.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WIN\DISPLAY\Driver\Driver.DLL Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WIN\DISPLAY\FGLMax\FGLMax.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WIN\DISPLAY\Phildec\Phildec.DLL Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\ACAT.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\ACM\ACUMonRap.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\ACM\configapidlla.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\ACrd10SM.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\AppInst.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\CAppLder.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\configapidlla.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\DrvInst.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\IWSetup.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\LEAP\Setup.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\NT4DrvInst.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\PCC-MPI\9x-Me-2K\CInsX500.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\PCC-MPI\9x-Me-2K\CUtil16.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\PCC-MPI\NT4.0\NDIS4\pcx500.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\PCC-MPI\XP\CInsX500.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\PCC-MPI\XP\CUtil16.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\PCI-PCM\9X-Me-2K\CInsX500.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\PCI-PCM\9X-Me-2K\CUtil16.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\PCI-PCM\NT4.0\NDIS4\pcx500.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\PCI-PCM\XP\CInsX500.dll Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\PCI-PCM\XP\CUtil16.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\PostUnInstall.exe Infected: Virus.Win32.Nimnul.a 1
C:\DRIVERS\WLLANCSC\SetDbgLevel.exe Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\EnumDevLib.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\InstallDriver.exe Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\IpLib.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\Remove.exe Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\RTxAdmin.exe Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\ABBYY FineReader 5.0 Sprint\Da.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\ABBYY FineReader 5.0 Sprint\Engine.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\ABBYY FineReader 5.0 Sprint\Engine0.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\ABBYY FineReader 5.0 Sprint\MorphoEngine4.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\ABBYY FineReader 5.0 Sprint\MorphoRes0.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\ABBYY FineReader 5.0 Sprint\RecPage.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\ABBYY FineReader 5.0 Sprint\Scan\ScanMan0.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\ABBYY FineReader 5.0 Sprint\Scan\ScanMan5.exe Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\ABBYY FineReader 5.0 Sprint\Sprint.exe Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\ABBYY FineReader 5.0 Sprint\StartUp0.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\ABBYY FineReader 5.0 Sprint\Support\AInfo.exe Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\ABBYY FineReader 5.0 Sprint\Support\Ainfo0.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\Adobe\Reader 8.0\Esl\AiodLite.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\Adobe\Reader 8.0\Reader\ACE.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\Adobe\Reader 8.0\Reader\Acrofx32.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\Adobe\Reader 8.0\Reader\AdobeXMP.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\Adobe\Reader 8.0\Reader\AGM.dll Infected: Virus.Win32.Nimnul.a 1
C:\Program Files\Adobe\Reader 8.0\Reader\rt3d.dll Infected: Virus.Win32.Nimnul.a 1


http://www.threatexpert.com/report.aspx?md...f34e32dced27894

W32.Ramnit!inf [Symantec]
Virus.Win32.Nimnul.a [Kaspersky Lab]
W32/Ramnit.a [McAfee]


Chewy

No. Try not. Do... or do not. There is no try.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:03:52 PM

Posted 14 October 2010 - 02:57 PM

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could loose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#10 lather

lather
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 15 October 2010 - 01:59 AM

Thanks for all the replies - I now understand a bit more about the infection than I did before.

I think it's worth me pointing out that it seems like I picked it up from a compromised flash-based advert on a forum, as it was only after that had loaded that my AV software lit up with the first warnings. So I guess that helps to emphasise just how important ad-blocking programs can be and why you need them. While I have one for Firefox, the forum where I picked up the infection works better in IE, and I don't have an ad blocker for that as I've not been able to find one - Can anyone recommend a good (and preferably free) one I can install when I rebuild the system?

Thanks for the replies concerning the HDD questions - I thought that's how it was, so I'll see about sourcing a new and much larger drive, and do the reinstall on that rather than on the current infected drive.

And yes, the new XP disk is from eBay, but it's a new and sealed pack from a seller I've had dealings with before and know I can trust 100%, so there shouldn't be any issues there...

#11 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:52 PM

Posted 15 October 2010 - 05:36 AM

I have been researching sources for xp install disks, ebay is one of the last ones left.
Chewy

No. Try not. Do... or do not. There is no try.

#12 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:52 PM

Posted 16 October 2010 - 09:31 AM

The question you asked in a PM about using your numbers and using the disk you got from ebay to install xp will best be answered by you when you try the load of XP on that new hard drive.

The oem disk you got should work but a generic disk would be better. Some oem disks will not even install on different computers, if your numbers don't work then enter the ones that came with the disk.

There are resources on MS help pages about changing the number after the install so you can validate, it's very complicated and since I have only read about it, I am way over my head.

http://reviews.ebay.com/Windows-XP-Home-OE...000000001530290
Chewy

No. Try not. Do... or do not. There is no try.

#13 hamluis

hamluis

    Moderator


  • Moderator
  • 55,232 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:02:52 PM

Posted 16 October 2010 - 10:01 AM

FWIW: Just a momentary search, using Google, produces the following (among others): http://www.nextag.com/windows-CD-XP/shop-h...EBC3C7D9F7C24D3.

Louis

#14 lather

lather
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 16 October 2010 - 10:35 AM

Thanks for the replies - I guess I'll find out if I'm OK next week sometime when I try and do the re-install...

(As for the different OEM disks not always working with some machines, there's lots of sellers listing these Dell disks as "will work on any machine". And the disk specifically says that it contains Windows only and no drivers, so I'm hopeful that it will be OK.)


Anyone got any experience with Norton Ghost? When I set up my new hard drive, I'm thinking of partitioning it into at least two drives, one for programs and one for data. But I'm also thinking about using Ghost to make an image of the programs partition so I can restore from that if needed in the future. I know I'd be better using a physically seperate drive, but as I'm using a laptop that only has one hard drive slot (unless I can get the bay adapter for a second drive in place of the optical drive), I only have the capacity for one drive in the machine at one time - And, from what I've read, you need the optical drive to run Ghost for a disk restore, which could be a problem if you only have space for one hard drive plus the option of either the optical drive or a second hard drive! So can you run Ghost without an optical drive so I can back-up onto a different drive, or am I stuck with just using the main internal drive and putting the image there?

#15 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:52 PM

Posted 16 October 2010 - 10:48 AM

Have you got all your drivers straightened out? Your thinkpad? doesn't hold 2 hard drives does it?
Chewy

No. Try not. Do... or do not. There is no try.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users