Physically Hacked/Unknown Trojan!

Discussion in 'malware problems & news' started by BairbreJ, Nov 3, 2005.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hi,
When you delete all partitions, you also delete the MBR. When you CREATE new partitions, the system 8 MB is also created. That's what I meant by not touching it. But that does not mean the old one was not destroyed. It was.
    Regardless, what you say sounds like a horrible mix of hardware and software issues. Maybe you can invest in a new machine?
    Mrk
     
  2. BairbreJ

    BairbreJ Registered Member

    Joined:
    Sep 18, 2005
    Posts:
    20
Testing. Oh, never mind. I'll come back later. It is snowing here. I wonder if that is why I can't post more than five words.

    B
     
    Last edited: Nov 16, 2005
  3. BairbreJ

    BairbreJ Registered Member

    Joined:
    Sep 18, 2005
    Posts:
    20
    Good Morning MRK,

or rather evening, now... TRYING AGAIN. GRRR... Every time I tried to post my browser would stall out and I'd get one of those damn page not found errors.

    Thank you for your reply.

BUY a new PCo_O My son **just** bought me this PC *LAST* Christmas! The warranty isn't even up yet! If only I could figure out which way to jump with it. Hell, I haven't even had a chance to enjoy the damn thing yet! I haven't had a moment's peace since I installed the freaking DSL!

    If I could for sure jump on DELL, I would be jumping with both damn feet but they keep saying software, SOFTware, SOFTWARE! And before the warranty on the software ran out of course it was an expletive deleted malware issue so I was freaking arguing with Norton. Which is why I am where I am now, months later, with elevated blood pressure and a massive headache. Oh and let's not forget blaming it on my ISP who in turn says it's not THEIR fault but if I'll just buy their router, all my troubles will be solved.

    Deep breath... there goes that blood pressure again.

    My son, BTW, agrees with you. He says I've already put more money into it than he would have. He gets a great company discount and says we should donate this booger to his almer mater's PC Tech club and let them play with it. (did I spell that right? NO I did NOT! I do believe I am a tad bit tired... Pardon me, ONELOOK says, ALMA Mater. Sheesh... )

    He gets a great tax write off and buys me a new PC with his Corporate discount and doesn't have to shop again this year. Plus that counts towards his yearly donation to the college. Triple win in his book. ;^) (why won't WYSIWYG work for me this morning?) I'm stubborner and more frugal than he is. He would say *cheaper* but I say he's just plain old MEAN! ;^> Besides, I want him to get me some shares in some of these anti-virus companies so I don't have to worry about how I'm going to pay the bills in my old age! ;^>

A little irony. One of the regular readers here sent me a private message and pointed me towards a thread that gave me a serious case of déjà vu. It was made almost exactly a year ago. https://www.wilderssecurity.com/showthread.php?t=53281 She's as gabby as me, too. There wasn't really any resolution but it gave me some food for thought and will keep me busy for a while.

A few more pieces to the puzzle. A trip to the DELL.com site enlightened me to the fact that this driver disk I have here has a diagnostic tool on it too. D'oh! I wonder why none of the love technicians I have spoken to over the past few months have ever brought that up? I used it. Most boring couple of hours I have ever spent. So far as it knows, my hard drive is fine damn.it.all.to.hell

    fixmbr/fixboot in the recovery console does not work no matter whose directions I use. the machine just boots right back into the same old configuration even though it says I will lose everything on the hard drive if I go ahead with what you are doing. Tried it both ways 3 times. I are persistent.

    FINALLY, I got really peeved and decided I would corner this ...ahem... whatever it took. I reinstalled and then took it step by step, recreating all the things I do to secure my PC to find out **WHAT I DO** that causes the RPC and other remote doohickey failure. I wrote everything down and after every adjustment I made, I rebooted. What a PITA!

    But I figured I'd stick with it, if it took me all week. It took me all night. It's DCOM Launch. (I follow The Elder Geek's suggestions on what to disable in Services.) Just to be sure that that's the only the thing that does it, I re-enabled that and checked everything else out. Bingo! That's the RAT (figuratively or literally speaking)! So now I know. What do I do about it, now that I know?

    Thank you again for your reply and for listening. This PC is my life. I'm disabled with an autoimmune disorder and sometimes there isn't much more than this PC to be a window to the world. It's pretty important to me. I really do appreciate everyone's time and whatever help and/or condolences/middle fingers :^*~ y'all can offer.

    We're having a minor blizzard in the Upper Great Lakes. Happy Winter Everyone! Enjoy, all you snowbirds! It was a lovely view up here on the 9th floor.

    Going to sign off and watch LOST now. Let's hope I don't get...

    B
     
  4. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    To OP I've scanned this thread. I noticed in post #22 you said
If you're having to download a pfw 1st thing then you're not all set up & ready to get on the internet. And will get slammed. If I missed something I'm sorry. Just trying to help.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    I wish I could see that computer. It really intrigues me.
I helped several friends build their machines from scratch after massive infections and I never encountered a problem like that.
    There is one possibility...
    You bought a pre-built Dell machine, right?
What is possible is that, in order to keep their configuration no matter what, they hard-coded something into the BIOS or something similar. At work, for instance, I have an ugly HP machine that has an HP BIOS, which will always load their ugly logo and a bit more. That's why I NEVER buy pre-installed computers, not even ordinarily set-up machines. I like to install Windows myself, without technicians doing whatever they like.
    Still,
    Even if the machine is doomed to play the Party record over and over, it does not mean it should give you so much trouble.
    Following the advice I gave you, step by step (and NO tweaking services!), you should not have any problems.
    Try it again, but only what I wrote.
    Insert disk, agree to EULA, delete partitions (ALL), create new ones.
    Install Windows, install firewall and anti-virus (keep copies on a disk!).
    Update anti-virus.
    Go to Windowsupdate, update all critical patches.
    Post here. You should not have any problems.
    If you do, don't do anything, post the specific problem, please.
    BTW, you can also download Firefox browser and use it instead of IE.
    Go with ZoneAlarm and AVG, for starters, that's firewall and anti-virus.
    Mrk

    P.S. Could you also do a HJT log?
    You can download the HJT at spywarewarrior.com.
    Run only a scan and send me a pm with the log.
     
  6. BairbreJ

    BairbreJ Registered Member

    Joined:
    Sep 18, 2005
    Posts:
    20
    Morning Mrk & zapjb,

Thanks for your replies. zap, I have WinXP SP2 w/the lousy MS Firewall bundled in AND a freaking gateway 2 wire router on this machine. According to SBC (my account is flagged "treat the crazy woman nicely but get her off the phone fast"), what I am describing CAN NOT BE HAPPENING.

    Mrk, I wish you could see this machine too. After what happened last night, I wish we could sit down over coffee and discuss this face to face. Then I'd have to cook you dinner while you played with my PC and then we'd talk some more. I have an incredible story to tell. I will take you up on your offer to PM you.

    B
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    How old are you btw :)
    BTW, I am an excellent cook (oh yes ...).
    Well, waiting for the news flash.
    Cheers, out
    Mrk
     
  8. BairbreJ

    BairbreJ Registered Member

    Joined:
    Sep 18, 2005
    Posts:
    20
    I found the source. It's on my Windows software and an old Corel word processing program I use. I ran it through Trend Micro. All of it is corrupted.

    How do I submit this **** to someone?

    Oh yeah, sorry Mrk. I'm an old lady. Older than dirt.

    B
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    Was joking about the age... :)
    You found the source of what?
    Mrk
     
  10. BairbreJ

    BairbreJ Registered Member

    Joined:
    Sep 18, 2005
    Posts:
    20
    this trojan. I just keep reinfecting myself.

    B
     
  11. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Is this source disk a vendor supplied one or something casually burned by another user or small PC assembler?

    Blue
     
  12. BairbreJ

    BairbreJ Registered Member

    Joined:
    Sep 18, 2005
    Posts:
    20
Hello BlueZannetti,

It is vendor supplied--from Dell and Corel. The Corel Disk is 8 years old and had the same cookies on it that the two Dell Disks I got with this machine had on them. Plus I borrowed my daughter's Dell Windows Disk because it has SP2 bundled with it and it had 2 of the cookies on it. No other viruses on hers. There were a lot more on the other three disks.

Here is the Trend Micro report on my daughter's disk (the others were horribly long):

    Damage Cleanup Engine (DCE) 3.9(Build 1020)
    Windows XP(Build 2600: Service Pack 2)

    Start time : Mon Nov 21 2005 09:32:39

    Load Damage Cleanup Template (DCT) "C:\WINDOWS\tmadce.ptn" (version 214) [success]
    Dumping all support patterns...


    Complete time : Mon Nov 21 2005 09:32:42
    Execute pattern count(35599), Virus found count(0), Virus clean count(0), Clean failed count(0)

    Damage Cleanup Engine (DCE) 3.9(Build 1020)
    Windows XP(Build 2600: Service Pack 2)

    Start time : Mon Nov 21 2005 09:32:42

    Load Damage Cleanup Template (DCT) "C:\WINDOWS\tmvamain.ptn" (version 35) [success]
    Dumping all support patterns...


    Complete time : Mon Nov 21 2005 09:32:42
    Execute pattern count(119), Vulnerability found count(0)

    Damage Cleanup Engine (DCE) 3.9(Build 1020)
    Windows XP(Build 2600: Service Pack 2)

    Start time : Mon Nov 21 2005 09:32:48

    Load Damage Cleanup Template (DCT) "C:\WINDOWS\tsc.ptn" (version 676) [success]
    Dumping all support patterns...


    Complete time : Mon Nov 21 2005 09:32:49
    Execute pattern count(4535), Virus found count(0), Virus clean count(0), Clean failed count(0)

    Damage Cleanup Engine (DCE) 3.9(Build 1020)
    Windows XP(Build 2600: Service Pack 2)

    Start time : Mon Nov 21 2005 09:32:49

    Load Damage Cleanup Template (DCT) "C:\WINDOWS\tmadce.ptn" (version 214) [success]
    COOKIE_45[virus found]
    COOKIE_878[virus found]

    Complete time : Mon Nov 21 2005 09:32:54
    Execute pattern count(35599), Virus found count(2), Virus clean count(0), Clean failed count(0)

    Damage Cleanup Engine (DCE) 3.9(Build 1020)
    Windows XP(Build 2600: Service Pack 2)

    Start time : Mon Nov 21 2005 09:32:55

    Load Damage Cleanup Template (DCT) "C:\WINDOWS\tmvamain.ptn" (version 35) [success]

    Complete time : Mon Nov 21 2005 09:32:56
    Execute pattern count(119), Vulnerability found count(0)

    Damage Cleanup Engine (DCE) 3.9(Build 1020)
    Windows XP(Build 2600: Service Pack 2)

    Start time : Mon Nov 21 2005 09:32:56

    Load Damage Cleanup Template (DCT) "C:\WINDOWS\tsc.ptn" (version 676) [success]

    Complete time : Mon Nov 21 2005 09:33:01
    Execute pattern count(4535), Virus found count(0), Virus clean count(0), Clean failed count(0)

    Damage Cleanup Engine (DCE) 3.9(Build 1020)
    Windows XP(Build 2600: Service Pack 2)

    Start time : Mon Nov 21 2005 09:41:06

    Load Damage Cleanup Template (DCT) "C:\WINDOWS\tmadce.ptn" (version 214) [success]
    COOKIE_45[virus found]
    COOKIE_878[virus found]

    Complete time : Mon Nov 21 2005 09:41:07
    Execute pattern count(2), Virus found count(2), Virus clean count(2), Clean failed count(0)

edited to add: I don't know if cleaning the software means it is safe to use now. Or quite what my next step should be. Mostly, I'm tired and I just want to vegetate for a while.

Another edit to thank you for your reply. Sorry for forgetting my manners.

    B
     
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    B,

    No problem.

    I would ignore the cookie flags - not a significant issue given the context.

    Blue
     
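As an added example (written for this page; it is not code from any poster in the thread and not Trend Micro's own tooling), here is a small Python parser for the Damage Cleanup Engine log format quoted above. It splits the output into scan runs, reads the per-run counts, and triages detections along the lines of Blue's reply: tracking-cookie hits (names beginning with `COOKIE_`) are reported separately from anything else, and it also flags inconsistencies a person skimming a long log would miss (a declared "Virus found count" that does not match the listed detections, clean failures, a template that did not load). The sample log is a constructed string copying three of the runs posted above; the `COOKIE_` naming rule, the field names, and the `[virus found]` line shape are assumptions taken only from the quoted output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three of the scan runs quoted in the thread, copied into a raw string.
SAMPLE_LOG = r"""Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: Service Pack 2)

Start time : Mon Nov 21 2005 09:32:42

Load Damage Cleanup Template (DCT) "C:\WINDOWS\tmvamain.ptn" (version 35) [success]
Dumping all support patterns...


Complete time : Mon Nov 21 2005 09:32:42
Execute pattern count(119), Vulnerability found count(0)

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: Service Pack 2)

Start time : Mon Nov 21 2005 09:32:49

Load Damage Cleanup Template (DCT) "C:\WINDOWS\tmadce.ptn" (version 214) [success]
COOKIE_45[virus found]
COOKIE_878[virus found]

Complete time : Mon Nov 21 2005 09:32:54
Execute pattern count(35599), Virus found count(2), Virus clean count(0), Clean failed count(0)

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: Service Pack 2)

Start time : Mon Nov 21 2005 09:41:06

Load Damage Cleanup Template (DCT) "C:\WINDOWS\tmadce.ptn" (version 214) [success]
COOKIE_45[virus found]
COOKIE_878[virus found]

Complete time : Mon Nov 21 2005 09:41:07
Execute pattern count(2), Virus found count(2), Virus clean count(2), Clean failed count(0)
"""

RUN_HEADER = "Damage Cleanup Engine (DCE)"   # every scan run in the quoted log starts with this line
TEMPLATE_RE = re.compile(r'Load Damage Cleanup Template \(DCT\) "([^"]+)" \(version (\d+)\) \[(\w+)\]')
DETECTION_RE = re.compile(r'^(\S+)\[virus found\]$')          # e.g. COOKIE_45[virus found]
COUNT_RE = re.compile(r'([A-Za-z ]+?) count\((\d+)\)')        # e.g. Virus found count(2)
TIME_RE = re.compile(r'^(Start|Complete) time : (.+)$')

@dataclass
class ScanRun:
    template: str = ""        # pattern file name only, e.g. tmadce.ptn
    version: int = 0
    load_status: str = ""     # text inside the trailing [...] of the Load line
    start: str = ""
    complete: str = ""
    detections: list = field(default_factory=list)
    counts: dict = field(default_factory=dict)   # "Virus found" -> 2, "Clean failed" -> 0, ...

def parse_dce_log(text):
    """Split a DCE log into ScanRun records, one per 'Damage Cleanup Engine' header."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(RUN_HEADER):
            current = ScanRun()
            runs.append(current)
            continue
        if current is None or not line:
            continue
        m = TEMPLATE_RE.match(line)
        if m:
            current.template = m.group(1).rsplit("\\", 1)[-1]
            current.version = int(m.group(2))
            current.load_status = m.group(3)
            continue
        m = TIME_RE.match(line)
        if m:
            if m.group(1) == "Start":
                current.start = m.group(2)
            else:
                current.complete = m.group(2)
            continue
        m = DETECTION_RE.match(line)
        if m:
            current.detections.append(m.group(1))
            continue
        if " count(" in line:
            for name, value in COUNT_RE.findall(line):
                current.counts[name.strip()] = int(value)
    return runs

def triage(runs):
    """Separate tracking-cookie hits from everything else and flag log inconsistencies."""
    cookies, other, problems = set(), set(), []
    for run in runs:
        if run.load_status != "success":
            problems.append(f"{run.template}: template did not load ({run.load_status or 'no status'})")
        declared = run.counts.get("Virus found", 0)
        if declared != len(run.detections):
            problems.append(f"{run.template}: declares {declared} detections but lists {len(run.detections)}")
        if run.counts.get("Clean failed", 0):
            problems.append(f"{run.template}: {run.counts['Clean failed']} clean failure(s)")
        for name in run.detections:
            # Assumption: DCE names tracking-cookie hits with a COOKIE_ prefix, as in the quoted log.
            (cookies if name.startswith("COOKIE_") else other).add(name)
    return {"tracking_cookies": sorted(cookies), "needs_attention": sorted(other), "problems": problems}

if __name__ == "__main__":
    for run in parse_dce_log(SAMPLE_LOG):
        print(f"{run.template} v{run.version}: {run.detections} {run.counts}")
    print(triage(parse_dce_log(SAMPLE_LOG)))
```

Run against the quoted excerpt it reports only the two `COOKIE_` names under `tracking_cookies`, nothing under `needs_attention`, and no problems, which is the conclusion Blue drew by eye; on a much longer log the `needs_attention` and `problems` lists are the parts worth reading first.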