Re: Virus in DOS Upper Memory? Win PE ?
From: Galen (galennews_at_gmail.com)
Date: 08/23/05
- Next message: Malke: "Re: Removing "PCtuneup" spyware?"
- Previous message: Atlanta Jason: "Virus in DOS Upper Memory? Win PE ?"
- In reply to: Atlanta Jason: "Virus in DOS Upper Memory? Win PE ?"
- Next in thread: David H. Lipman: "Re: Virus in DOS Upper Memory? Win PE ?"
- Reply: David H. Lipman: "Re: Virus in DOS Upper Memory? Win PE ?"
Date: Tue, 23 Aug 2005 06:42:59 -0400
In news:49FDFCE7-DEDE-4631-AC44-3347EEB9E0C6@microsoft.com,
Atlanta Jason <AtlantaJason@discussions.microsoft.com> had this to say:
My reply is at the bottom of your sent message:
> I suspect that my computers are infected with some sort of trojan or
> worm that is hijacking the setup/install process. It appears to be
> emulating the CDROM and is somewhere in upper memory. After
> examining the logs and some of the setup files from the install, it
> appears that the file sysfiles.inf in the USMT folder has some
> references to files that have been aliased to be hidden. The folder
> $WIN_NT$.~BT shows up but says that it is not accessible because it is
> too deeply nested. Virus scanner first scans the path
> C:\C\C\C\C\C\C\C\C\C\C\C\C\C\C\C\C\C but crashes and says it cannot
> enumerate the path. In the XMLprov.dll and Setuploader.bin files,
> there is a line between cdrom and device that says "worm", as the
> partition is being created, it has a line that says ..."Sorry, I
> wasn't talking to you!!!...insert 33 *00000". The previous 33 *0000
> repeats for about 20 lines. The next error says string unexpected
> string and length too long.
>
> When it first opened XP pro for the first time it said my copy had to
> be activated before I could log on. I think it must have been
> because the date somehow was set to the year 1792 (which is what the
> files on the PC indicate). The BIOS time however was set to 2099.
> Symantec license immediately expired and system would never connect
> to the server to register.
>
>
> Security Certificates were expired and many were unreadable (IE
> German or Russian or Unicode).
> Is it possible that if time-stamping is corrupted or changed
> drastically that it could cause the DRM software or "copy protection"
> to malfunction? I am not sure if a virus did this or a hacker.
> Anyone seeing this?
>
> Help
No, no I can't say that I've seen that nor have I seen anything like that
reported recently. You might want to go ahead and flatten that entire box
and rebuild it with a nice clean installation. However if you'd at least
like to take a look and see if you can clean it without having to go through
all of that (and really that box should be taken offline and rebuilt from
scratch with a complete format in my opinion if it's that bad) then:
Malware Cleaning:
http://kgiii.info/windows/all/general/malwarefix.html
I don't usually recommend a complete format if there's a way to avoid it. In
this case it's something to consider.
Galen
--
"Chance has put in our way a most singular and whimsical problem, and its solution is its own reward." Sherlock Holmes