#16
Re: Antivirus Software Is Destroying My Computer
Me, personally, if I wasn't able to edit the registry with confidence, I would wipe the system completely and reinstall from clean media. When I do a rebuild, as in wipe the entire computer, I just boot from the Windows CD and go from there. Some vendors have special restore CD/DVD media, but the instructions would be different for each vendor.
#17
I finally got rid of it last night after three days. Since it wouldn't let me system restore, I decided to turn system restore off and the Antivirus Soft crap just magically disappeared and I was able to run all of my scans. My computer is now acting normal again. Does that re-write the MBR and eradicate any malware hiding there? The installer will rewrite the MBR if no validity marker is found. And if there is a valid MBR that loads a valid rootkit...?
#18
Re: Antivirus Software Is Destroying My Computer
Best way to get around that is to "Zero out" or wipe the drive. There are utilities that will do this like dban (Darik's Boot And Nuke). Then a new MBR will be written. There is also the Recovery Console fixmbr utility to rewrite the MBR. Generally if the OS is being reinstalled due to virus/malware/whatever issues, then an MBR rewrite should be done. I just use dban and be done with it.
#19
Then I presume that Leythos' "wipe" wipes out the valid marker (he wrote "wipe" and I know that he knows what that entails). If you just go to install without wiping, the MBR might not be touched. Probably any rootkit hiding code in the MBR would also have to have relocated some MBR code to another area of the disk to function properly during boot - so, this other area of the disk must also go untouched for the rootkit to work.
#20
I simply questioned whether or not you always replace the MBR. You actually said "I just boot from the Windows CD and go from there". No mention was made by you of using any facility to replace the MBR although others feel that that is what you implied by 'wipe'. Do you now confirm that you *do* always replace the MBR? What's the point of "Wiping" a drive if you leave anything that could contain malware? You mean like flashable firmware? :oD I guess BD overlooked the fact that you wrote both "wipe...entire..." and "wipe...completely" in your post before even mentioning the Windows CD. :o) Didn't we have a discussion about this once before? It is impossible for controlled malware to flash the BIOS ** - isn't it?!! By all means take the p*ss, but I overlooked nothing. Leythos has previously said that he is a 'professional' and I have no reason to doubt that. However ..... Many *readers* of this group will be *less* than 'expert' at computing and might well assume that using a Windows CD to re-install the operating system is the *only* action needed to trounce malware. I most certainly did many moons ago. My question was posed simply to leave no doubt at all for any less experienced folk that the MBR should always (IMO) be replaced when 'wiping' a hard drive.
#21
I thought maybe you were thinking "format" while reading "wipe" which are *not* equivalent. Yes, it does bear mentioning that a "wipe" *should* invalidate the MBR so that it will be rewritten when installing the OS. Also, that the MBR should be replaced with the *correct* MBR which might not necessarily be the one that the Windows CD thinks is correct. You wouldn't want the Windows CD to stomp on grub or lilo if your system is a dual boot system. You can reinstall Windows from a CD without affecting the MBR as long as it is still marked as valid, but after a "wipe" you would have to replace the now overwritten and invalidated MBR with whatever is proper.
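Added example, not part of any post in this thread: a Python check illustrating the point discussed above, that the MBR "validity marker" (the 0x55 0xAA boot signature at offset 510) only says a boot record is present, while a hash of the boot code is needed to tell whether it was changed. The sample sectors, their placeholder boot-code bytes and the reference hash are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code area; the disk signature follows it
PARTITION_TABLE = 446      # four 16-byte partition entries start here
SIGNATURE_OFFSET = 510     # two-byte boot signature, the "validity marker"


def inspect_mbr(sector: bytes, known_good_sha256=None) -> dict:
    """Compare what a marker-only check sees with what a boot-code hash sees."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    boot_code = sector[:BOOT_CODE_LEN]
    digest = hashlib.sha256(boot_code).hexdigest()
    partitions = []
    for i in range(4):
        entry = sector[PARTITION_TABLE + 16 * i: PARTITION_TABLE + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # type byte 0 means the slot is unused
            partitions.append({"slot": i, "active": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start, "sectors": sectors})
    return {
        "marker_valid": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
        "boot_code_blank": not any(boot_code),
        "boot_code_sha256": digest,
        "matches_known_good": None if known_good_sha256 is None else digest == known_good_sha256,
        "partitions": partitions,
    }


def build_sample(boot_code: bytes) -> bytes:
    """Constructed sector: given boot code, one active type-0x07 entry, valid marker."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x01\x01", 0x07, b"\xfe\xff\xff", 63, 204800)
    body = boot_code.ljust(PARTITION_TABLE, b"\x00") + entry + bytes(48)
    return body + b"\x55\xaa"


# Constructed inputs (placeholder bytes, not real boot code).
CLEAN = build_sample(b"\xeb\x3c\x90" + b"CONSTRUCTED-REFERENCE-BOOT-CODE")
MODIFIED = build_sample(b"\xeb\x3c\x90" + b"CONSTRUCTED-ALTERED-BOOT-CODE!!")
WIPED = bytes(SECTOR_SIZE)  # what a full zero-fill leaves in sector 0
KNOWN_GOOD = hashlib.sha256(CLEAN[:BOOT_CODE_LEN]).hexdigest()

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("modified", MODIFIED), ("wiped", WIPED)):
        r = inspect_mbr(img, KNOWN_GOOD)
        print(name, r["marker_valid"], r["matches_known_good"], r["partitions"])
```

The modified sample still passes the marker check, which is why a reinstall that only looks for the marker leaves it in place, while the zero-filled sector fails the marker check and would be rewritten.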
#22
Master Boot Record http://en.wikipedia.org/wiki/Master_boot_record http://support.microsoft.com/kb/69013 An important step in cleaning out unwanted stuff (virus/trojan/worm/etc) is to turn off System Restore.
#23
Re: Antivirus Software Is Destroying My Computer
No, not really. I used to think that but, no more. Having the System Restore cache working (many forms of malware disable or corrupt it) allows one to have a fall back position when cleaning malware. It is better to have an infected PC that's running than a PC that BSoD's or has some other fatal problem. After the PC has been cleaned you can dump the System Restore cache and subsequently re-enable it.
#24
I suspected that was what you meant, but why would "controlled malware" be any different than any other malware with respect to the ability to flash firmware. Also, it must be considered that command and control can also mean that there is the ability to completely change the programming of the bots themselves - add new functions or change it to a completely redesigned node. I think that most of the time that this was recommended was just to keep antivirus programs from detecting the program files that were deleted by the cleanup routine. So many folks were posting in the groups all worried about malware being detected in "_restore" whatever it was and being unable to deal with them directly. I assumed that this was done as a purging *after* successfully removing the malware. (some people conveniently left out the part about re-enabling it afterwards heh heh heh) Was there *another* reason to disable system restore *prior* to cleaning up from an infestation?
#25
RE: Antivirus Software Is Destroying My Computer
Hello, "Antivirus Soft" is a rogue spyware virus which is a fake program using the word ANTIVIRUS SOFTWARE to trap users. DO NOT PAY if ANTIVIRUS SOFTWARE popup on your computer asks you to buy this program. Remove ANTIVIRUS SOFT from your PC as fast as possible. For removal tools and manual removal instructions to remove antivirus soft,
#26
I agree 100%. The thing is that if the malware is really bad it won't allow you to restore back far enough. However, in most cases the malware has not actually destroyed all the old restore points. You can restore by copying the files manually. Case in point was Monday when I had a customer where the restore program would only go back 1 day. When I looked at the directories manually I found there were about 50 restore points. I went back 3 weeks and restored and the malware didn't load. I then ran MBam and cleaned out the crap. I recommend to people to never never NEVER turn off System Restore. In fact, give it at least 5% of disk space. You want as many clean registry copies as you can get.
#27
Re: Antivirus Software Is Destroying My Computer
Not a virus! Also, I believe, not spyware. Can you back up your claim that this is "spyware"?
#28
Re: Antivirus Software Is Destroying My Computer
Check Control Panel / Internet Options, proxy settings.