
Help! Malicious Code on Win98SE and Win2K - Can Not Remove


low1 (Technical User, US), Jun 5, 2002
Hello,

I have posted this message in the MS C++ Programming section; since I could not find a "security" forum, I want to post here in case others have seen this and know (1) How to Remove it; and (2) How to prevent it from recurring (as Norton, McAfee, Trend, Black Ice, and Trojan Hunter find nothing).

Here are the symptoms:
- I have machines running Win98, Win2000 Pro, and Windows XP that have malicious code running on them.
- Removing the hard drive and installing with a brand new one does not remove it - I know this joker is writing to BIOS and Video BIOS (if possible) as well.
- This program puts copies of AOL30au, AOL30CA, AOL40, etc. in hidden partitions: the only way I have been able to see them is through a Hex Editor.
- Files that seem legitimate are now enveloped in the malicious code. For example, your files look okay on a directory scan; however, they don't do what they're supposed to do.
- When I look at the code, I see all kinds of referrers to the BIOS and PNP.
- I cannot delete all of the partitions. While FDISK only reports 1 partition, a hex editor shows three partitions. I see all sorts of files on these hidden partitions.

My biggest clue my machine is infected: When I wipe the hard drive (either reformat, f-disk, wipe MBR via debug, etc.) and go to reinstall my Win98SE OEM CD, the machine will boot from the CD and start installing Win98 without any partition defined or a boot floppy. Also, on the first screen, it tells me to "backup my files before the installation"

Here are some of the lines from the autoexec, config, and a file called detlog.txt (all these files are from a Win98 Second Edition PC):
- Autoexec.bat
Echo off
Path=C:\windows;c:\windows\command;c:
LH DOSKEY
C:\Essolo.com

- Config.sys
Device= C:\essolo.sys
Device= c:\windows\himem.sys
Device= C:\windows\emm386.exe RAM
DOS=High, UMB

- Detlog.txt
[System Detection: 08/23/99 - 11:51:13]
Parameters "J", Infparams "", Flags=01052023
SDMVer=040a.2222, WinVer=070E040E Build=040a.2222, WinFlag=00003c29
SkipList=
DetectList=
RegAvoidRes: UMB\0000
mem=cb5c0-cdedf (ffffffff:0:0)
RegAvoidRes: UMB\0001
mem=cdee0-cdfef (ffffffff:0:0)
RegAvoidRes: UMB\0002
mem=cdff0-cf23f (ffffffff:0:0)
RegAvoidRes: UMB\0003
mem=cf240-dffff (ffffffff:0:0)
LogCrash=crash log not found or invalid
LogCrash=crash log invalid
Estimated number of detection functions=350
Number of verify functions called=0
Previous OS version=0
Checking for: System Bus
CheckInt86xCrash=int 1a,AX=b101,rc=0
SetVar: PCIBUS
DetFlags: 40
Detected: *PNP0C08\0000 = [1] Advanced Configuration and Power Interface
SetVar: ACPBIOS=
Number of functions called=50
Devices detected:1
ConfigMG device=HTREE\RESERVED\0
ConfigMG device=ROOT\NET\0000
ConfigMG device=ROOT\NET\0000:status=8000621
.
.
.
.
Checking for: Trident VGA Display Driver
QueryIOMem: Caller=DETECTTRIDENT, rcQuery=2
IO=3b0-3bb,3c0-3df

Last, these files are in C:\windows\command (and I know they do not belong):
cscript.exe 85k 11/5/99
pkunzip.exe 32k 1/24/94
sulfnbk.exe 44k 4/23/99
vide_cdd.sys 12k 3/3/99
xcopy32.mod 41k 4/23/99

Some files from C:\Windows\System
leshwiz.exe 76k 4/23/99
Inside Your Computer 38k (screen saver) 4/23/99
Internat.exe 28k 4/23/99
Lights.exe 48k 4/23/99
Leonardo da Vinci Screen Saver

Any insight is greatly appreciated!

Thanks,
Lo
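The hidden-partition observation above (FDISK reports one partition, the hex editor shows three) can be checked without a hex editor by reading the partition table straight from sector 0 of the disk. The Python below is an added example, not code from this thread: it parses the four 16-byte entries at offset 446 of a constructed MBR sector and flags entries whose LBA ranges overlap, one sign of a corrupt or tampered table. The sample sector, the type-name table and the function names are my own.

```python
import struct

# Standard MBR partition type codes (subset); anything else is reported as unknown.
PART_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 <32M", 0x05: "extended", 0x06: "FAT16",
    0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0E: "FAT16 LBA",
    0x0F: "extended LBA", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA",
    0x82: "Linux swap", 0x83: "Linux",
}

def parse_mbr(sector):
    """Return the in-use primary partition entries found at offset 446 of an MBR sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        entry = sector[446 + 16 * slot: 462 + 16 * slot]
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", entry)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                      "name": PART_TYPES.get(ptype, "unknown 0x%02x" % ptype),
                      "start": lba, "end": lba + count - 1, "sectors": count})
    return parts

def find_overlaps(parts):
    """Pairs of slots whose LBA ranges overlap: a sign of a corrupt or tampered table."""
    bad = []
    for a in parts:
        for b in parts:
            if a["slot"] < b["slot"] and a["start"] <= b["end"] and b["start"] <= a["end"]:
                bad.append((a["slot"], b["slot"]))
    return bad

def build_entry(status, ptype, lba, count):
    """Pack one 16-byte entry; CHS fields are zeroed since only LBA matters here."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)

# Constructed sample sector (not from the poster's disk): a visible bootable FAT32 volume,
# a hidden FAT32 slice and a Linux partition, with the fourth slot empty.
SAMPLE_MBR = (b"\x00" * 446
              + build_entry(0x80, 0x0B, 63, 2_000_000)
              + build_entry(0x00, 0x1B, 2_000_063, 500_000)
              + build_entry(0x00, 0x83, 2_500_063, 1_000_000)
              + build_entry(0x00, 0x00, 0, 0)
              + b"\x55\xaa")
```

On a real disk image, pass the first 512 bytes of the image file to parse_mbr to see every entry the table holds regardless of what a partitioning tool chooses to display.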
 
Have you tried flashing the BIOS?

Jennifer Sigman
1/2 of the IT staff (does that make me assistant manager?)
 
Actually, Jennifer, I think that makes you half of a FULL manager - congratulations!
(A bird in the hand greatly interferes with typing.)
Mikl
 
Lo,
I cannot be a lot of help on your problem but I can tell you this.

1. Your config.sys and autoexec.bat files look OK, certainly nothing sinister in there

2. The file detlog.txt is a standard Win 98 log file and looks normal.

3. The 3 .exe files in Windows\command are normal, as is the .mod file. Vide_cdd.sys is a CDROM drive driver file. The .exe files in Windows\System are also normal, don't know about the screensavers but this would not be unusual.

All things are possible except skiing through a revolving door.
 
low1...this may just be a shot in the dark but it could hit the mark..who knows :)

1) has this machine been infected before with anything?
2) It's kinda hard to find malicious code that writes itself into the ROM sector. My guess is that maybe you could clean out the system (format, delete all partitions, fdisk /mbr) then switch it off for a few minutes (to kill off the ROM) then try again.
3) Last resort, maybe you could do a low level format on the hard disk. Of course, it should be the very very last resort.

I may be totally wrong with all these, but it's just my two cents' worth :)

Hope it works to some degree. :)

Information is free....don't hog it!
 
low1,
Are these "machines" Omni Book Laptops??
 
I don't really know anything, so maybe this is a dumb suggestion. . .

If you think the code is being maintained somewhere in the hardware, then after you do all the above, i.e. wipe the hard drive and flash the bios, but before starting to reconfigure everything and reload your programs, open up the case, and take out the little battery on the motherboard. You may even want to remove the motherboard and short all the capacitors by placing it on a sheet of aluminum foil. This would remove all residual power sources that could be possibly maintaining code in memory.

I've never heard of anyone suggesting this but it might be worth a try.

Also, if you can find a way to do it, degauss the hard drive and do a new low level format before you repartition and setup.
 
Hello All,

Thanks so much for your replies. . .

This is driving me crazy - I have been trying to figure it out for a while now. Here is what I have tried and still cannot get rid of the code:
- Flashed the system BIOS
- Cleared the CMOS (via jumpers on the motherboard)
- Removed the battery for two days and left the machine alone
- Removed all cards (Modem, Network, and Video)
- Replaced the hard drive with a Brand new one
- Used a Hex Editor to see the "other" partitions
- Used the DOS debug command to remove MBR and supposedly clear CMOS
- Formatted, FDISK, I have done Low Level formats with IBM's Tools (one drive is an IBM) and another with Maxtor's Utilities.
- Used an old Norton Utils for Win95 to boot from, wrote 0s and 1s to the hard drives, manually destroyed the MBR and FAT tables. . .

I am getting ready to take the machine outside and run over it with my truck; no, it will not fix it, but I will feel so much better!! Ha! Ha!

Seriously, I am going to try the last poster's suggestion. . .and since I posted this yesterday, I have heard that when you do a low-level format or use Norton Utilities or other related tools - they do not totally wipe out the drive. Has anyone else heard that the BIOS communicates with the hard drive and that there is a certain portion of the hard drive that you cannot erase using these tools - you must use software that does not talk to the BIOS at all?

I am going to try all of the above again - removing battery, flashing BIOS, etc. tonight and tomorrow. Thank you so much for your suggestions - it's great to hear other ideas! :)

If anyone thinks of anything else, please post it!

Lo
 
You may want to get a clean startup disk, one that has never touched or come in contact with your infected computer. If the code put itself on your floppy then when you fdisk /mbr you're just putting it back onto the machine.

Here is a link explaining why CMOS or BIOS viruses are not existent (as far as I know)

 
OK, there is a disk/program now from M/S called wipe out; it will completely remove all partitions and tell you to repartition and format your drive. All CMOS related viruses destroy the chip; the chip only holds a limited amount of info. Go to the hard drive web site and read about it. They have drive managers and tools to help you to completely wipe out any info on them. And after installing your O/S install any and all updates first, then run any hex editors and checks before accessing anything else. There may be something on another program or file that's doing this.
 
If you have reformatted, cleared and flashed the BIOS I cannot believe any file remains. Maybe your problem is in hardware....

T3/\/\p()
tek-tips UK branch!
 
Have you tried deleting the ghost partitions with Tom's Root Boot, or some similar Linux quick booter? Tom's Root Boot is "The most GNU/Linux on one floppy disk" and has a much better fdisk than Microsoft's.

You can find out all you need to know at

and you can download it at

You'll need to know how to use the Linux fdisk. Here's a sort of useful primer:

If you've flashed the BIOS, cleared the CMOS, deleted and formatted all partitions, and the quirkiness still exists, then you don't have a computer problem... You have a possession and should contact your nearest Catholic priest ;).

Thank you for your time,

Eastsidesmalls
 