Re: Can't install anti-virus software. Please help.
From: Erik Jan (anonymous_at_discussions.microsoft.com)
Date: 07/26/04
- Next message: Andrew Z Carpenter [MVP:Windows:Security]: "AVERT Low-Profiled Threat Notice: BackDoor-AZV.gen"
- Previous message: taff: "Re: Malware PE_Parite A and A-1"
- In reply to: WinGuy: "Re: Can't install anti-virus software. Please help."
Date: Mon, 26 Jul 2004 17:22:39 +0200
WinGuy wrote:
> Hello, Bob
> Although I've never heard of it happening, it is theoretically possible for
> a virus to insert itself into the "electrically erasable programmable
> read-only memory" (EEPROM) section of the BIOS. Most BIOS can be "flashed"
> this way by version updates supplied by the BIOS manufacturer. Removing the
> battery for 5 minutes will not change that flash, only another flash will.
> Removing the battery only clears the RAM section of BIOS that holds user
> configurable BIOS settings (sometimes that requires a jumper change on the
> motherboard, too). The solution, if you think you might have a flash by
> virus, is to obtain the latest BIOS flash from the manufacturer and thereby
> reprogram the BIOS. But be aware that if a flash goes terribly wrong for
> some reason then the computer will not boot and the BIOS cannot be flashed
> again to correct the problem and the chip must then be physically replaced,
> so a flash is always a very risky procedure.
>
> A virus flashed to BIOS would be difficult to achieve and would also have to
> target very specific BIOS types and even their versions in order to properly
> modify the code in the BIOS. This makes it very, very unlikely that this has
> occurred in your computer. But one targeted against a popular selling and
> specific computer model is a theoretical possibility, although it would
> affect only those models that use the same BIOS type and, probably, BIOS
> version.
>
> Antivirus utilities, if up to date (and some update as fast as 2 hours after
> discovering something in the wild), will detect and warn you about "in
> memory" processes that are a virus and, if that's the case, the fact that
> they can not be terminated from memory. In that case you simply power off
> the computer instead of rebooting it after the antivirus has cleaned
> everything it can from the HDD. The virus will disappear from RAM when the
> power is removed and can only return via the HDD or the network. Stay
> physically disconnected from all networks until your machine operates
> properly, use CD-R/W's or floppies made on another (clean) computer to move
> your anti-vermin software to the machine. Maybe you caught a brand new virus
> that hasn't hit on the antivirus vendor radar scopes just yet.
>
> You might have spyware/adware or a trojan or a web browser hijacker, not
> technically a virus and maybe not detected by antivirus but detectable by
> such things as Adaware-6, and Spybot. Spybot now comes with 2 resident
> utilities that forbid registry changes without your interactive permission.
> For some reason of late, every single computer that I put Spybot on gets
> checksum errors when trying to download its database updates, and I have to
> dl them separately from the website and install them that way (it can also
> be put on floppy or CD-R/W). This might have to do with DSL problems I've
> been having and SBC is working on for me, but I sort of doubt it. The
> problem does not take away from the fact that Spybot is a great utility, as
> is Adaware-6, and together they solve a lot of problems.
>
> If you use a utility (such as the old fdisk utility) to delete all
> partitions from a HDD then almost absolutely nothing exists on that HDD and
> it can not even be used at all or formatted until a new partition is
> defined. There is almost no possibility of a virus surviving if all
> partitions are cleared, but if one was suspected anyway then some HDD
> manufacturers provide a "low level format" utility of their own that is an
> even deeper wipe of HDD content than a partition deletion or a format.
> Contact the HDD manufacturer if you think you need a low level format utility
> from them, and have them provide clear direction on how to use it.
>
> If you have a HDD that was thoroughly wiped clean via a different computer
> than the one the HDD will be used in, then the power had to be off when you
> installed the HDD again and so nothing could be in RAM and there is no
> possibility of any kind of infection unless it exists in BIOS flash code.
> Although rare, there have been cases when a copy of an operating system CD
> was itself infected, so the infection would be reintroduced using that
> vector.
>
> On the other hand, if the XP or 2000 Event Viewer shows nothing weird in the
> way of problems but some of your programs work and others do not then you
> almost surely do indeed have an infection. The sledge hammer solution is to
> check for virus when the HDD is in a different, fully updated & infection
> protected computer.
>
> Perhaps this link might be of help, be sure to read all 3 posts as some
> procedural corrections appear there.
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=tarDc.3076%243W4.2126%40newssvr27.news.prodigy.com&rnum=3&prev=/groups%3Fq%3Dwinguy%2Bvirus%2Bspywareblaster%26ie%3DUTF-8%26hl%3Den%26btnG%3DGoogle%2BSearch
>
>
I second the suggestion to clean the HDD. It happened to me that a small
part of my drive (64 MB) had been taken off without my noticing. Even a
format c: did not solve the problem. Only fdisk and the removal of all
partitions (the clandestine one included) solved the problem. MS
suggests using a Win98 boot disk for WinXP, since the latter does not have
the capacity to solve the problem. The computer of a friend of mine
had an NTFS drive within an extended FAT32 drive that occupied the whole
extended partition. I could not remove this with FDISK. Thank God for
Partition Magic 8, which removed even this.
Erik.
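As an illustration of the hidden-space problem Erik describes (an added example, not code from this thread or from any tool named in it): a check that parses an MBR partition table, flags entries carrying the standard "hidden" type codes, and reports unallocated sectors that a format c: would never touch. The MBR bytes and disk size below are constructed sample data.

```python
import struct

SECTOR = 512
# Standard MBR type codes for "hidden" variants of FAT12/FAT16/FAT32/NTFS.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries from a 512-byte MBR."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (missing 0x55AA signature)")
    parts = []
    for i in range(4):
        off = 446 + 16 * i  # the partition table starts at byte 446
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, count
        _status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "type": ptype, "start": start,
                          "sectors": count, "hidden": ptype in HIDDEN_TYPES})
    return parts

def find_unaccounted(mbr: bytes, disk_sectors: int, min_gap_mib: int = 8):
    """List hidden-type partitions and unallocated gaps of at least min_gap_mib."""
    findings, cursor = [], 1  # LBA 0 is the MBR itself
    for p in sorted(parse_mbr(mbr), key=lambda p: p["start"]):
        if p["hidden"]:
            findings.append(("hidden_partition", p["start"], p["sectors"]))
        gap = p["start"] - cursor
        if gap * SECTOR >= min_gap_mib << 20:
            findings.append(("gap", cursor, gap))
        cursor = max(cursor, p["start"] + p["sectors"])
    tail = disk_sectors - cursor
    if tail * SECTOR >= min_gap_mib << 20:
        findings.append(("gap", cursor, tail))
    return findings

def make_entry(ptype: int, start: int, count: int, boot: bool = False) -> bytes:
    """Build a 16-byte entry; CHS fields are left zero, the LBA fields are what matter."""
    return struct.pack("<B3sB3sII", 0x80 if boot else 0, b"\0\0\0", ptype, b"\0\0\0", start, count)

# Constructed sample: a 2 GiB disk with one FAT32 partition, a hidden-NTFS
# (type 0x17) partition behind it, and 32 MiB at the end that no entry claims.
DISK_SECTORS = (2 << 30) // SECTOR  # 4194304
SAMPLE_MBR = (b"\0" * 446
              + make_entry(0x0C, 63, 4063232 - 63, boot=True)
              + make_entry(0x17, 4063232, 65536)
              + b"\0" * 32 + b"\x55\xaa")

if __name__ == "__main__":
    for kind, start, sectors in find_unaccounted(SAMPLE_MBR, DISK_SECTORS):
        print(f"{kind:17} at LBA {start:>8}: {sectors * SECTOR >> 20:>5} MiB")
```

On a real disk the first 512 bytes of the raw device and its sector count from the OS replace the constructed values; the check only reads the partition table, it changes nothing.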