Author Topic: Calling all virus detectives- help diagnose a system  (Read 3801 times)


saurabhth

  • Guest
Calling all virus detectives- help diagnose a system
« on: December 27, 2006, 08:07:23 PM »
My computer specs are AMD K6-2 500 MHz, 192 MB RAM, running Win 98 SE version 4.10.2222 A. I have installed Avast Home user edition 4.7 with the current version of the virus database being 0663-0. In addition to Avast, the applications resident in the system tray are Anapod Manager (an iPod management software) and ZoneAlarm (a firewall).

My system has 2 hard disks. The first hard disk hosts Windows and Linux on separate partitions. The second hard disk contains 3 Windows partitions (volume labels: Docs, Swap and Media) and 1 Linux partition. In these partitions I normally store data like Word documents and mp3 files. One of the partitions I have assigned as Windows swap.

The system has shown the following abnormal symptoms (in chronological order):
1. I visited 2 sites, www.compareindia.com and www.isb.edu, and downloaded a PDF from www.isb.edu. I used Mozilla Firefox v2.0 to surf the sites.

2. A few minutes or so after step 1, I discovered that all my data files had been erased. There were only 2 Windows partitions left and the volume labels had been renamed to some unintelligible words. For example, the swap volume label was renamed as Swaq!!

3. The swap partition now contained an unknown folder named Recycmee containing files with names in gibberish characters. The partition contained a copy of the Windows swap file under some gibberish name.

4. On launching MS Word I discover the following problems: on the first attempt MS Word seems to be stuck at the splash screen. After killing it and rebooting the system, MS Word says it finds Normal.dot corrupt and attempts recovery.

5. On rebooting I lost all my partitions on my second hard drive. I am unable to see any of the partitions in Linux as well as Windows.

6. The Windows and Linux partitions on the first hard drive remain untouched. This is a surprise!!

7. The Avast virus program has remained silent throughout this sordid drama. This is also a surprise!!

Please note that the only external access to the system was through the internet. I did not use any sort of USB drive or CD/DVD.

I suspect the 2 sites to be the vectors of the "virus".

I need this forum's kind help in detecting the root cause of this anomalous behaviour.

Please help

« Last Edit: December 27, 2006, 08:14:53 PM by saurabhth »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Calling all virus detectives- help diagnose a system
« Reply #1 on: December 27, 2006, 08:33:09 PM »
I suspect the 2 sites to be the vectors of the "virus".
Well, I'm sorry for you...
Anyway, the sites seem to be clean.
Are you sure this is not due to an old 'resurrected' infection?
The best things in life are free.

saurabhth

  • Guest
Re: Calling all virus detectives- help diagnose a system
« Reply #2 on: December 27, 2006, 08:47:49 PM »
Dear Tech,

Thanks for replying.

The system is a fresh install. On 2 earlier occasions, I have faced the same problem with some minor variations. The basic theme on all these occasions has been:

1. Presence of unknown folders with names like Recycmee and gibberish file names.
2. Unintelligible names of volume labels of partitions.
3. On rebooting, the partitions vanish.

Every time I have freshly formatted the system and made new partitions.

Please help me in identifying the virus and its source.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Calling all virus detectives- help diagnose a system
« Reply #3 on: December 27, 2006, 09:50:59 PM »
Every time I have freshly formatted the system and made new partitions.
So, did you format the system after the incident? ::) ???
The best things in life are free.

saurabhth

  • Guest
Re: Calling all virus detectives- help diagnose a system
« Reply #4 on: December 27, 2006, 10:09:58 PM »
Dear Tech,

This incident is the 3rd instance and has happened today. I haven't yet formatted the system. I am looking for plausible solutions and clues for diagnosing the problem.

1. Do you think a PDF can carry a virus?
2. Do you think that even after formatting the system on the last 2 occasions, the virus may have hidden itself in the boot sector or so? Pardon me for my ignorance.
3. I have found it very peculiar that the Windows directory remains untouched while my data, which includes Word documents, Excel sheets and mp3 files, all on the second hard drive, has been erased. Can it be that the second hard drive has some problem, say related to its geometry (CHS values)? (Just a wild guess.)

DallasPCDoctor

  • Guest
Re: Calling all virus detectives- help diagnose a system
« Reply #5 on: December 28, 2006, 12:46:11 AM »
Sounds like malware that is deeply embedded on your disk(s). In this case, before formatting, I would personally take an extra precaution and wipe the drive clean with a utility like eraser58.

As "tech" stated, it may be a piece of malware that is now just rearing its ugly head and has been set off with a command or set to "go off" on a particular date/time.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Calling all virus detectives- help diagnose a system
« Reply #6 on: December 28, 2006, 01:16:31 AM »
1. Do you think a PDF can carry a virus?
Generally not... I'm not a virus expert anyway...

2. Do you think that even after formatting the system on the last 2 occasions, the virus may have hidden itself in the boot sector or so? Pardon me for my ignorance.
Did you format, or did you install Windows after formatting?
The Windows installation overwrites the boot sector of the disk. Formatting alone doesn't.

3. I have found it very peculiar that the Windows directory remains untouched while my data, which includes Word documents, Excel sheets and mp3 files, all on the second hard drive, has been erased. Can it be that the second hard drive has some problem, say related to its geometry (CHS values)? (Just a wild guess.)
Beyond my knowledge... sorry. :-[
The best things in life are free.
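The thread keeps coming back to the boot sector and the partition table: partitions that vanish on reboot, a Windows install rewriting sector 0 where a plain format does not, and the question of whether the drive's geometry is to blame. The first thing a responder would check on a disk like the second drive above is whether the master boot record is intact, which is a 512-byte structure anyone can decode. The following Python is an added example written for this page, not code from the forum or from Avast: it parses an MBR from bytes, validates the 0x55AA boot signature, lists the four partition entries, and flags the two states the poster describes (a zeroed table, a damaged sector) plus overlapping entries, a classic sign of a corrupted table. The sample sectors it runs on are constructed in the script; on a real disk the 512 bytes would come from a read-only image of sector 0.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = 0xAA55           # bytes 0x55 0xAA at offset 510, read little-endian
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16

# Partition type bytes labelled here; any other value is reported by raw number.
PARTITION_TYPES = {
    0x00: "empty",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR entry:
    status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)."""
    status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
        "lba_start": lba_start,
        "num_sectors": num_sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte boot sector and return the table plus integrity findings."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    signature_ok = struct.unpack_from("<H", sector, 510)[0] == MBR_SIGNATURE
    partitions, findings = [], []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = parse_partition_entry(sector[off:off + PARTITION_ENTRY_SIZE])
        if entry["type"] != 0x00:
            partitions.append(entry)
    if not signature_ok:
        findings.append("boot signature 0x55AA missing: sector overwritten or damaged")
    elif not partitions:
        findings.append("signature present but partition table empty: entries zeroed")
    # Overlapping LBA ranges never occur on a healthy disk; report each pair.
    spans = sorted((p["lba_start"], p["lba_start"] + p["num_sectors"]) for p in partitions)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partitions overlap: [{s1},{e1}) and [{s2},{e2})")
    return {"signature_ok": signature_ok, "partitions": partitions, "findings": findings}


def build_sample_mbr(entries, signature=True) -> bytes:
    """Construct a synthetic boot sector for demonstration (not from any real disk).
    entries: list of (type_byte, lba_start, num_sectors); CHS fields are set to the
    0xFE 0xFF 0xFF 'use LBA' filler that modern tools write."""
    sector = bytearray(SECTOR_SIZE)
    for i, (ptype, lba_start, num_sectors) in enumerate(entries[:4]):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        struct.pack_into("<B3sB3sII", sector, off,
                         0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                         lba_start, num_sectors)
    if signature:
        struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


# Constructed layout mirroring the poster's second disk: three FAT32 volumes and one Linux.
SECOND_DISK_LAYOUT = [
    (0x0B, 63, 2_000_000),          # "Docs"
    (0x0B, 2_000_063, 500_000),     # "Swap"
    (0x0B, 2_500_063, 3_000_000),   # "Media"
    (0x83, 5_500_063, 2_000_000),   # Linux data partition
]
HEALTHY = build_sample_mbr(SECOND_DISK_LAYOUT)
WIPED_TABLE = build_sample_mbr([])                                # entries zeroed, signature kept
NO_SIGNATURE = build_sample_mbr(SECOND_DISK_LAYOUT, signature=False)
OVERLAPPING = build_sample_mbr([(0x0B, 63, 1000), (0x0B, 500, 1000)])


def report(label: str, sector: bytes) -> None:
    result = parse_mbr(sector)
    print(f"== {label}: signature_ok={result['signature_ok']}")
    for p in result["partitions"]:
        print(f"   {p['type_name']:<14} start={p['lba_start']:>9} sectors={p['num_sectors']:>9}")
    for f in result["findings"]:
        print(f"   FINDING: {f}")


if __name__ == "__main__":
    for label, sector in [("healthy", HEALTHY), ("wiped table", WIPED_TABLE),
                          ("no signature", NO_SIGNATURE), ("overlap", OVERLAPPING)]:
        report(label, sector)
```

A disk whose table parses cleanly but whose volumes still do not mount points away from the MBR and toward the filesystem structures inside each partition; a table that fails the signature or comes back empty explains the "partitions vanish on reboot" symptom directly, and is exactly what a fresh Windows install rewrites while a format of an existing volume leaves alone.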