HELP I want control of my PC again

Discussion in 'malware problems & news' started by Otter11, Mar 17, 2006.

Thread Status:
Not open for further replies.
  1. Otter11

    Otter11 Registered Member

    Mar 17, 2006
    I have a nasty virus. It loads with a fresh copy of windows on a newly formatted HDD. I used 2000 Pro OEM, XP and XP betas and it showed up on all of the OS's. I bought a new hdd and a fresh install, still there. It shuts down any anti-virus, or uses it for additional internet connections. This is on a Dell Latitude C840. I flashed the bios before these installs also. It did re-write the firmware on one of the hdds. Dell swears it's not in the bios. Microsoft could give a **it less. It replaces dll's with its own, makes connections on the loopback address and my regular static IP. It uses NT 4 and updates itself for that. The registry is constantly changing. Any permissions I make are overwritten or not even saved. It basically is a zombie. The firewall shows it's on, but it's not. Permissions are granted for full access and the checkboxes are not showing that. Any process I am able to stop starts right back up. If I disable remote access and reboot, they are disabled, yet running. It is keylogging me, it put the IE history everywhere, I installed firefox and my history goes into the IE folders. It saves everything I do and sends it away to God knows where. I have fought this for a week now. Any online scan shows it clean, as I watch the CMD screen flash as a new batch process begins. I cannot do anything for fear of identity theft. Someone already has all my passwords. I had ewido, spy sweeper, spy doctor, zone alarm and they all either turned on me or stopped functioning altogether. I just got Process Guard a few days ago to try to stop it from phoning home. I have no idea how to get this off. My laptop is going to be a frisbee soon. PLEASE HELP! Otter
  2. Capp

    Capp Registered Member

    Oct 16, 2004
    United States
    Hello and welcome to Wilders.

    For starters, if you are formatting your hard drive and re-installing Windows from scratch, then you are getting rid of the infection. If it is appearing again, then it is being redownloaded or re-installed. Also I have to ask, what is the name of this virus, or what processes do you see running that give you an indication of an infection?

    I have to ask what all programs you are installing (including chat programs, toolbars, games, screensavers, etc..) because there are a lot out there that are not good even though they claim to be.

    My recommendation is to keep your computer disconnected from the internet altogether until you have Windows re-installed after a full format, not just fdisk. Install your anti-virus, anti-trojan, firewall, etc...
    Then configure them for max protection, shut down anything that does not need to be starting up and running, and then connect to the internet and get your updates.

    There is no way a virus is hanging around on your hard drive waiting for you to re-install to launch again if you have cleaned your drive several times. There is no virus in your BIOS that would do what you are referring to.
  3. Slovak

    Slovak Registered Member

    Mar 4, 2004
    Medina, Ohio
    Hehe, +1
    My guess is it's a cracked copy of Windows with the virus already burned onto the cd, or additional software getting installed with windows from a slipstreamed cd that is infected.
  4. Katerina

    Katerina Registered Member

    Mar 26, 2006
    Wow, Otter11:

    I could have written this myself. It appears the only difference between your problem and mine (unless you forgot to mention it in yours) is that I appear to have a 'Bloodhound Virus' on my MBR that apparently cannot be removed. At first I thought this was a Norton Ghost (as defined by the Symantec website); however, given I can't seem to get rid of my voyeurs, no matter how many times I restore my system (26 factory restores since 13 Jan 06) I have no doubt this 'Bloodhound' has been lodged there by them.

    Additionally, the buddies who have attached themselves to my system like the parasites they are have password protected several system32 and dll files against me as well as Windows Messenger, so I can neither access nor delete them. They also have me locked out of OS and Safe Mode.

    I have no technical advice for you (although if anyone has any for the both of us, please share!), but here's what I have had to do: get the police involved. Additionally, I plan to take civil action against these jerks for invading my privacy and for ruining my equipment. Some of them have even had the gall to break in to my residence and then post about it in another forum.

    I have had some luck in picking up viruses and keylog programs they have installed, but it makes no difference; they're still sitting there, with their little remote program (Remote IPC$) blocking my web page access, corrupting my security and password cracking programs before they're even downloaded, and so on. The viruses I have managed to pick up were through Windows Defender (Rivarts.A) and Zone Labs (Trojan Dialler, Perfect Keylogger, and Type Recorder). Like on your system, my guys are using a loopback connection along with spoofed and masked IPs ( to continue their cracking antics.

    I have been assured, though, that, while it may take longer to investigate these types of crimes, ultimately the culprits are caught, so hang in. You'll likely have to get a new system and give your current one up for scientific research, unfortunately :(

    One person suggested you might have a crack program already installed on one of your restore disks. I know mine came with the laptop, but I now wonder if these disks were write protected, and whether these idiots actually broke in to my residence to write a virus right on to the disk. This is something I will investigate further, so thanks for that suggestion.
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Mar 3, 2006
    I think I have similar problems maybe already for more than 2 years and not only on one PC, also on a secondary one. This must be manifested in hardware.

    See this screen, using linux cd to check unknown components:

    @Capp: formatting and erasing mbr, even flashing the bios will not help, I did all that.. I also bought a new hard disk... this won't ever solve the problem.

    @Slovak: save your scorn for yourself, I have a super original Win XP PRO SP2 CD and still have similar problems!

    This kind of virus rootkit digs so deep, it modifies each process, each exe. Maybe it manifests on VGA Card or flashing components or the mainboard (atabus??)?? Sounds crazy but nothing is impossible. The most real explanation could be a file infection system of some other software components.

    My experience concerning this nearly invincible malware is that most IPs came from Russia in my case, also some from China, Iran.
    Last edited: Mar 27, 2006