I have numerous drives currently down to Conficker/Downadup and, just like the other respondents here, have found that trying to remove the worm is tantamount to playing a game of chess. For each move you make there is a counter move. I won't go into all the counter moves I tried; suffice to say that all of the drives are now inaccessible to any intrusion at all, including any remote online source. The curious thing is that I thought I was being real smart by keeping drive clones unattached and in the closet, only to put them in one at a time and find they were also infected. I called some tech guys and asked if the virus could infect the BIOS in some way without just shutting it down, and the general response was that it could not do so... that the virus had to have been downloaded onto the cloned drives before storage, well over a year ago. Now, I am not sure that they know what they are talking about.
This virus did not click in for me on the 1st of April as Microsoft announced (April Fools'?), but rather on the 15th of April, tax day. At the time I acquired it I contacted a local computer shop and asked if they had any knowledge of it, and the tech guy responded with kind of a snort that they hadn't seen a single case of it and knew nothing about it.
Two weeks later I stopped at the same shop and asked the tech guys the same question personally, and the response was that they have seen lots of it and once it shuts down Windows you can only wipe and reinstall. They told me they tried everything they had to break into it, and unless you can get into safe mode or the desktop to download an anti-virus snippet it could not be cracked by anything they had. I really think that no one is taking this as seriously as it is. But this is where my problem now comes in.
I bought some ERD discs off of eBay and did manage to remove my document folders and photos to a USB RAM stick, although I know not to try to download it anywhere until I am up and running and can scan the contents for the virus, which may have been transmitted into it. So, for the moment, there they sit.
At first I tried reformatting a drive with a fresh reinstall. The Windows installation folder corrupted at more than a few DLLs, and upon looking at my OS disc I decided that maybe it had come into contact with something that had caused some corruption, so I got hold of a fresh XP SP3 OS disc. Same results. I figured that perhaps reformatting was skipping files at the virus's command, so I ended up using Boot and Nuke off of one of the ERD discs, and now that disc cannot be detected. So I bought a software package from Data Eliminators (basically almost identical to Boot and Nuke, as it uses a minor Linux program to drive from) and that software has as of yet been unable to detect a drive to wipe. After tinkering around with it I noticed that upon Windows install I get corruption warnings on DLLs not downloading properly, but they are not always the same DLLs, which is a curiosity. I wondered if the virus had the capability to corrupt an OS disc by transmitting a command to the RW burner to corrupt it, so I paid a few bucks for a CD-ROM unit and disconnected all the burners. Lucky they still sold CD-ROMs, as they are almost an antique now. I tried the install with the CD-ROM... same results. I had a small 80 GB drive in the closet that had never been formatted or used, waiting for an install in this PC I am writing on. I took it out and tried to format and install in the affected PC, with it being the only drive in the unit, using a Windows Home Edition disc that had never been in the PC and using the CD-ROM, and it snagged on the quartz.dll file and would go no further. I am convinced that the tech guys are wrong and that this virus has placed a code in the static memory somewhere that is installing to the drive during installation, even when the drive has no information on it and is fresh.
Question is... where is it hiding at?
The tech guys were adamant that a BIOS virus can only shut down the BIOS and not reinfect, as the virus would first off have to know what BIOS chip vendor was on the machine to access it. So, if it is not in the BIOS, where else would it be? The RAM memory supposedly drains after power down, as does the static RAM on the video card.
I know there is also some memory on the Pentium 4 processor chip as well, but I don't know what it holds on there. Anyone got any ideas before I end up trashing the motherboard? I know that the BIOS can be cleared and flashed, but that is kind of hard to do with my knowledge level and from a second PC. I also read Microsoft's information on renaming the installation file (also complicated, at least for me), but it seemed to indicate that the symptoms would be that it did not start installation at all. These errors on the installation folder do not occur until about 61% of Windows is installed, and since they are different DLL errors it leads me to believe that it is a timed thing that's occurring.