New
#11
Can I get rid of a mystery partition?
-
-
New #12
There's a utility that can clear hidden sectors in a HDD and reset the entire drive to factory default, but as far as I know, it's not possible to reallocate hidden sectors to a mounted HDD in the first place, which eliminates any known malware as the cause, however if the problem is what I think it is, not even throwing away the "infected" HDD and replacing it with a new one will solve the problem
-
-
New #14
Thanks madtownidiot, I'd heard the same about Dell and their BIOS fixations -- I suppose the reason I'd never even taken the time to learn how, though for the most part I'm very comfortable working with a PC's hardware and software infrastructures. And thanks also for taking the time to look up the current Dell version, yes mine is current.
Nothing appears suspicious in BIOS Security, though there may be some customary settings not even shown which I wouldn't know to be missing.
Admin Password -- Not set
System Password -- Not set
Password changes -- Unlocked
Execute disable -- On
All factory defaults.
But an option to actually disable the security -- no, not if I'm understanding you correctly.
I do know that these settings are as they've been since the machine was new, and not the least trouble for years. Process rcpnet.exe is not listed on Task Manager nor any of Sysinternals apps, and I'm not (yet at least) finding it in any computer searches, all files set to shown.
I must say, I feel at last vindicated by your saying that, at least going by your best suspicions, replacing the HDD would likely not fix the problem. Not that I know terribly much about it, but all of my efforts at fixing the thing had pretty much led me to the same conclusion -- despite having been told by the security experts on those forums that "of course it would, otherwise you're just chasing ghosts". It seems that it's only scans and logs which concern them ... though to be fair they're only looking for malware, when evidently this may turn out to be at least partly hardware-related.
One comment though I have on your last post (may be relevant or not), there are more than enough persistent symptoms of malicious activity to pretty well convince me that it's not solely in the hardware, after a few days anyway as the problems inevitably become more pronounced. Not meaning to imply that I've accepted that as a fact, just wanted to run it by you. Anyway, at last I'm getting some good info, from all of you. Thank you.
So the old 410 is all reset with a clean Windows 7 install and ready for running the gauntlet of all of your suggestions in the morning. Too early to tell of course whether or not it will begin clearly showing signs of being up to its old tricks, though I can say already that it's not running like a clean install on a zeroed-out HDD. This will be very interesting.Last edited by papilio; 01 Oct 2010 at 07:14.
-
New #15
-
New #16
What would be missing is a computrace setting.. if it's no longer visible, that means the computrace chip has been permanently activated and can't be disabled. It's not malicious, and can be isolated with a good firewall. however, if reflashing the BIOS doesn't clear it and deactivate the module, there is no known way to get rid of it. In dealing with primarily laptops, I've only seen this one other time and it turned out the laptop was stolen... not saying that's the case with your computer by any means, because accidentally activating the security chip while playing with bios settings is a non-reversable mistake...
-
New #17
karlsnooks, thank you for the link, I did give it a shot, but just as madtownidiot has been saying it didn't bring back the missing setting.
Lemur, thanks, that's a great freeware utility! Unfortunately, just as with all of the other HDD utils which I've used except for Killdisk 81h did not show up.
Though this appears to be a lost cause, out of curiosity I'd be very interested in a link to where you found such info as "All sorts of information on 81h, and all conflicting." Or if it was through googling, what did you enter as your search query? Merely 81h didn't bring up anything which I'd call illuminating.
And thanks Jaxryley, I have used GParted previously to search the disk, no indication of 81h there either.
madtownidiot, thank you so much for all of your help.
Just to be certain that I've followed you correctly ...
> I have the current BIOS, so it cannot be flashed (at least until a new one comes out, if one does -- as I'm sure you know this one is quite old).
> No malware is capable of infecting the 81h hidden sector.
Could you describe for me the symptoms of having this problem with the machine?
Also, as it's not malicious, what the advantage would be of dealing with it via my firewall, and if you think that doing so would help could you point me to a link with instructions for doing this?
I'm currently using Webroot as my primary realtime and on-demand scanner, in my experience it detects far more malware than anything else which I've tried and so far none of them have appeared to be false positives. (When every other scan had shown the system as clean, TEMS did repeatedly report finding evidence of high-risk malicious activity in the memory heap which was quite possibly that of my culprit(s), but of course that's not much help in actually finding the malware -- though I am aware that TEMS can in some cases be prone to false positives.)
But as Webroot's firewall was less than impressive that's been disabled and I'm using ZA for my firewall instead, which I very much like. It has so far proven to be the most effective of those I've tried, together with my Belkin wired router, at keeping things out. My problem, malware-wise, primarily seems to have been difficulty keeping things in, not calling home and perhaps holding ports open for their cracker parents. This though would be malware which has yet to be detected by any scan (except possibly TEMS), so I'd pretty much assumed it to be a very good rootkit (as Lemur initially suspected) -- one somehow capable even of surviving zeroed HDDs and clean installs. My assumption of its being the same malware always returning is due, first of all, to the fact that malicious activity inevitably shows up again after each clean install during the period which, as I've mentioned, my machine has been quarantined from outside influence, and secondly, the symptoms of malicious activity strongly appear to be identical each time.
And madtownidiot, love your signature -- I whole-heartedly agree, with great annoyance.Last edited by papilio; 01 Oct 2010 at 00:37.
-
New #18
Still not absolutely positive you have the problem I think you do, but if you have an activated security chip in your computer.. it will do pretty much as you described.. create a hidden partition in your system for the purpose of downloading and reinstalling Lojack.. even if it has never been installed ..
In addition:
In task manager there will usually be a process called rpcnet.exe and in services will be a "persistence module" which can't be stopped or disabled, which serves to reinstall the antitheft software in the case of hdd formatting, or replacement.
On further reading, Reflashing the bios would not have even worked. Your computer model# wasn't listed in the computrace website but that really doesn't mean much because Dell sometimes installs whatever parts will fit, including motherboards when the specified component isn't available.. and the xps 410 has an identical motherboard to several other models that were listed
There's really no way to get rid of it.
What I would recommend
Replace Zonealarm with comodo,
If you don't have the rpcnet process, look for a persistence module in the services tab. Right click on it, select go to process(es) and locate any files that are highlighted except for servicehost. then set the firewall to block all connections from those processes, and mark them as untrusted. That will at least keep it isolated. There isn't anything more you can do.
-
New #19
I like Zonealarm but I like Comodo too, so I'll happily make the switch you recommend, on both computers.
Considering the absence of the computrace setting in the BIOS (even if not inherent on the XPS 410), plus other factors which you say seem to fit, yours is definitely the best diagnosis which anyone has yet suggested in all this time. I may also have found something similar to what you read ...
On the Computrace site:
"BIOS persistence is the most comprehensive option, defeating virtually every action that could remove the Application Agent from a device including if the BIOS is flashed, if the device is reimaged, or if the hard drive is replaced."
You'd hardly believe how relevant this sounds.
It's been nearly six months that I've been putting so much energy into attempting to clean this PC, time to call it quits! I really love the 410, it's served me extremely well. The new computer is not so good in fit and finish but hopefully that's just cosmetic. In any case, as long as the 410 is not my primary PC, I can live with its problems.
I can't believe how difficult and long it's taken to finally get truly sound and very knowledgeable advice and information, so thank you all very much!
papilio
.Last edited by papilio; 01 Oct 2010 at 06:21.
-
New #20
I found this, which may be a more effective way of dealing with it. The more research I do on this, the more annoyed it makes me that Dell and other computer companies foist this on unsuspecting customers.. some computers models don't have the option to not include lojack in at least a trial form.
Quote
Related Discussions