I got wacked real good x 3 (SOLVED)

For discussions about security.
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

BIOS number

#91 Post by prehistoric »

Jerry,

Not a problem. I figured that out on my own. The last part was a descriptive term added on the web page, not part of the code.

Now, I just need to think of some way to get a lead on the corresponding binary file, or a checksum we can test.

You don't have to wait on me. With the ability to boot, even if it doesn't always work, you can go ahead with removing the infection.

out_fisherman
Posts: 17
Joined: Tue 06 Oct 2009, 05:19

Wow - I need a Re-load, or something !!!

#92 Post by out_fisherman »

Between obxjerry's posts (3 bad computers) and
'prehistoric' posts describing HIS failures, I no longer know
what to think. I have gone back to the start of this thread,
several times, and still get lost before I get to the end. IMHO -
too many machines involved, mixing symptoms of one
machine with another, and then 'prehistoric' injects his failure
mode info too....NOT to sound condescending, however....I can
appreciate your troubles....and in my own ignorance maybe I can't
follow all the twists. Somehow, this is sounding more and more
like a COMBINATION of hardware/software trouble. Having worked
with/fixed PCs for over 15 yrs, I have never seen such a mess....
check with Guinness.....you might have a shot!
Hope I haven't Pi$$ed anyone off, but I am really lost trying
to follow all this....I want to help....but geez....don't know where
we are now....Oh but wait.....obxjerry - you said Puppy 431 boots
fine.....should rule out any hardware issues like memory...IMHO.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

mess + BIOS file

#93 Post by prehistoric »

@out_fisherman,

Yep, this is a mess, but I've been through some really nasty ones. Compared with bringing up a new bit-slice processor design, while debugging microcode, this isn't frightening. Compared with connecting diodes to bus bars run at plate voltage in Whirlwind I, which a friend of mine remembers, this is safe, in the sense that it can't kill you.

Part of the problem is that old machines do accumulate problems, even if they keep (sort of) working. Then you get some deliberately malicious stuff which wipes out the things you depend on and exposes pre-existing trouble, in addition to whatever was there to begin with. Add in miscommunication, and lack of experience, and it can seem impossible.

I've taught troubleshooting, in a different context. There is a reason most material assumes only a single fault in an otherwise good system: dealing with multiple independent faults is just too damn hard for most of us. Also, disregarding falsified hypotheses is easier said than done. That probably caused you trouble in going over the topic.

One reason I have stayed with this is curiosity about how much was deliberately caused, and by what. From a commercial standpoint it would be cheaper and easier to build a machine around a new motherboard. Here's one source for boards which can use that processor and memory. Maybe I relish the challenge (to quote a US President many want to forget.)

Booting Puppy via the boot floppy rules out many hardware issues. We still can't tell if the BIOS has been corrupted.

@jerry,

After checking around some places that keep old BIOS binaries, I have failed to find the exact version shown on that POST screen. This one may have left the factory between documented releases. This means we can't check your BIOS data before we flash. If you can boot now, and use the machine, you have to weigh the risk the flash may force you to replace that board. I am all but certain the BIOS for the AK75-EC is correct, and updated to fix bugs that were in yours, all but the last couple of letters match, and those probably reflect bug fixes. I can't promise this will work. If it isn't necessary, why risk it?

If you do decide to flash, here is the binary, and DOS flash utility, which I downloaded. Here is a link to instructions.
Attachments
dfi_ak75-ec_25846.zip
Award BIOS binary and DOS flash utility for AK75-EC
(154.97 KiB) Downloaded 936 times

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#94 Post by Aitch »

Well, actually, there is a way to check before flashing, but it may depend on the functioning of the PC, as you need a running windoze setup [even 95/98 will do, but 2k/xp also]

see award biosagentplus, here

http://biosagentplus.com/?ref=1


My gut feeling would be to de-infect the hard drive/OS before worrying about the bios, as there may be other factors, and as prehistoric points out, it is possible to make a board unusable by flashing with the wrong code

not intending to undermine you, prehistoric..... :)

Jerry, can you clarify the functional state of the PC after changing the CD - did you re-try the puppy/other bootable CDs, and was there a difference to before the change?

Just elimination of problems, is all


out_fisherman,

sorry, but I'd have thought you would notice...there's already too many fish in this bowl :wink:

Aitch :)

out_fisherman
Posts: 17
Joined: Tue 06 Oct 2009, 05:19

Sorry Aitch -

#95 Post by out_fisherman »

Aitch -

Never meant to be a pain - joined the thread on pg 2, and after
that was curious as to what this was. As an OLD hardware & software guy,
sometimes I am just curious. Crap like this used to keep me up at night....
since 1978. Once I found out what the problem was, I slept well.
I have always been the curious type...but I'll go away now....

Prehistoric - your wisdom looks sound....I'll follow the thread to see
how it all goes....

obxjerry - God Bless and good luck......may Linux be your future...
TM

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#96 Post by Aitch »

sorry fisherman, didn't intend to appear rude

Aitch :)

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

absurdly simple possibility

#97 Post by prehistoric »

out_fisherman caused me to rethink some of the human and computer aspects of this mess. I woke up with the intention of eliminating one possibility.

@jerry,

This one is so simple and obvious, particularly to those with experience, that you may feel insulted that I ask. I apologize in advance, but it is necessary to clear up a doubt.

You have told us, more than once, that removing the battery did not change the behavior after the battery was replaced. Now, the critical question: do you know the battery is good?

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#98 Post by obxjerry »

Like moths to a flame we are being drawn into a black hole. I'm still on this because I'm having fun. There is no doubt effort outweighs potential gain here.

I am a huge stumbling block here. The only CMOS battery I've replaced gave me an error code instead of booting. The only check I could think of for the CMOS battery is measuring voltage. I have 2.4 volts and the battery says 3.0. I'll have to research my next step here.

The computer now boots Puppy without fail. As a noob to Puppy I don't know how to use that tool in my arsenal. More research for me.

The CD writer can't see the blank CD. From what I've seen online it's a common problem. Hopefully by trial and error I'll get that working.

As far as a way forward here, I suggest I continue independently. Due to lack of knowledge and time I am going to move at a comparative snail's pace. I am the type that will never say I can't do something, just that I haven't learned that yet. There is enough here already written to keep me busy/entertained for quite a while and likely come to a solution.

You folks are heroes, the few that run to danger when most run away. The help you've given means more to me than you know.

Take care,
Jerry

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

battery dead

#99 Post by prehistoric »

@jerry,

Replace battery. This will at least allow the computer to hold nvram (CMOS) memory.

Even a battery which shows 3.0 volts with no load may be bad. One which shows 2.4 volts is far gone.

This is one of the elementary tricks of the trade which makes technicians wish they kept an idiot child around to ask questions they forgot. :wink:

You can use a computer with a dead battery, if you don't have a good one handy, but you have to reset parameters to factory settings on every power up.

Good luck with your further adventures. If you don't want to make a fool of yourself in public, you can send me a PM about a problem.

Cheers,

prehistoric

efiguy
Posts: 164
Joined: Thu 07 Sep 2006, 02:51

I got wacked real good x 3

#100 Post by efiguy »

Hi Group,

I would like to offer these files for those that are learning Puppy Linux and still using windows.

Even after 25 years of vindos, it is still all too easy to kill a windows installation via experimentation, and I have damaged my multitude of Puppy installations also several times and had to reload and start over because of file and Xorg editing <;) (and not figuring out how to open the 2fs save file or an sfs file to correct the problem).
(At least you don't have to call Barry, et al. for Authorization :0)

But for Windows, these might help,

Regards,
Jay
Attachments
HelpInfoLinks.zip
Tools and Info
(3.3 KiB) Downloaded 696 times
AboutRecoveryConsole.zip
Part of a XP install disk
(3.93 KiB) Downloaded 564 times

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#101 Post by obxjerry »

All fixed. See no data loss. Thanks to everyone.

Take care

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#102 Post by Aitch »

and the solution was....?

you can't just say it was fixed after all this effort, surely, a bit of explanation, in case anyone gets similar problems

Can you mark the thread as 'solved' by editing your first post, thanks

Aitch :)

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#103 Post by cthisbear »

" and the solution was....? "

The Puppy Windows fixits..Linux Fixits = FREE.

But your replies = INVALUABLE.

Cough up and be a sport mate.

Chris.

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#104 Post by obxjerry »

First thing is thanks to all of you. If it hadn't been for you and your advice, patience and encouragement I might have chucked them all.

All the machines were different. I didn't find the "this is the virus" smoking gun. It's still not over. They're still acting odd. I didn't expect any of that.

The first computer is the one that would only boot a floppy, I made progress when I finally got the EBCD floppy. It got me to the point where I saw XP had a missing or corrupt system32\hal.dll file. Online said that could be a boot.ini or BIOS problem. I used a XP disk from another computer to do system console repair. When I booted it I hadn't put in the SBM floppy but it booted anyway. I tried several ways to fix boot.ini but all said they failed. I saw online it was possible to install XP alongside what was there and use that to boot and access your OS and files. They call it slipstreaming. I didn't have room on the hard drive for that. I finally found a site that, added to what I had tried, said to use chkdsk /r. That worked and I started virus scans one after another but didn't turn up much. Nothing that stood out. I did change the CMOS battery first thing with no change.

Next computer was the one that booted and ran Kaspersky Rescue Disk but would freeze part way through. Then it wouldn't boot the disk so I shut it down. When I started it I put in the Avira AntiVir Rescue Disk. It has always caught the boot CDs that way before but it skipped by it and booted XP just fine. I had a plan B and went right to TrendNet and ran House Call. Lots of threatening stuff, nothing that stood out. I ran other virus scans. I made no changes to boot sequence and now it boots the CD. After everything had calmed down to where I would allow more than one computer on my net it had an IP address conflict. That's the first time that has happened.

The third computer is a ME/Puppy that was running slow then wouldn't boot ME before it got shut down. Starting up, it skipped the boot CD and I booted it into Puppy, no problem. I rebooted, it skipped the CD and after a loooong time it booted ME. I started running virus scans one after another. I found some stuff but nothing that stood out. It does boot from CD now but it's not quite right. It has been running Avast 4.8 antivirus and that's been acting strangely. Puppy doesn't seem to be just right either.

All of that was in a marathon session Saturday. Sunday I finally let the 98se/Puppy laptop boot W*****s. It was slow to boot (nothing new) and behaving oddly. It seemed to be having a problem with Avast. Avast seemed to be using most of the CPU and I got a window asking for a license number I don't have and saying I needed to update from 4.8 to 5.0. I shut Avast down and ran other virus scans. I didn't find much. Back to Avast, 5.0 system requirements don't include 98 or ME. They said AV for the old OSs would be over Jan. 1 and I figured they finally did it. The only free AV I could find was ClamWin so I installed that. I've never used ClamWin before. It came up with a WIN386.SWP permission denied (odd?) and a phishing file.

Yesterday evening, on the laptop, I was removing all of Avast and noticed I still had the setup for 4.8. I ran it and it gave me a 60 day subscription. It's still running W*****s slow but that's why it was in the closet for years. It's fine with Puppy.

The problem I was having with the external CD burner was Puppy 421 can't run it. I found a thread where BarryK says it won't. The laptop won't run 431. My old image burner of choice, InfraRecorder, couldn't see the blank CD. I found the problem several places online but no solution. In desperation I tried a different burner program, ISOburner. After I found out you don't run the program and find the file, you just click on the file and on the drop down click burn image, I was good.

The only W*****s computer that has been rock solid is the laptop with the firewall. I've never used a firewall before but I see them in my future.

I wrote all of this yesterday but somehow lost it before I could post it. Sorry I've been slow.

Thank you all very much. I know you'll understand when I say I hope I never have to do this again.

Take care
Jerry

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#105 Post by obxjerry »

I thought of things I should have said. Since the laptop doesn't have a floppy drive, if it has the same virus it didn't get it from a floppy. It was slow before. That's nothing new. I have no explanation for the Avast quirkiness. The 2 XP machines are running Avast 4.8 and show no problems with it.

Avast did turn up a JOKER Fake AV-CX file on that laptop. That was by itself and I don't know that I've seen one of those before.

I've run dozens of scans in the last few days. All the other files the scans caught were things that looked very familiar.

I asked my son again yesterday if he had any ideas as to where he may have picked up the virus in the first place. The only thing we could come up with that was new and different was he had been to Olympic athlete websites. His computer didn't have much that the scans found and he said he didn't have time to run any before it went down. He hadn't used floppy disks, and the flash drive he uses to back up or store files stays with his computer.

I've got nothing but I'm still thinking.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#106 Post by Sylvander »

1. " It got me to the point where I saw XP had a missing or corrupt system32\hal.dll file. Online said that could be a boot.ini or BIOS problem"
(a) That would normally be true if you were using the HDD boot arrangements, but it's NOT the same when you're using the Universal Boot Floppy [UBF].
i.e. You're not using the HDD boot arrangements [MBR & boot files on the HDD]...
You're using the floppy boot arrangements...
Including the 3 boot files, one of which is the boot.ini on the floppy.
Hence if they don't work, you don't blame the HDD boot arrangements.

(b) You need to know:
WHERE the Windows folder is located [which partition?]
And...
What is the NAME used for the Windows folder [WINDOWS?]
So you should use SOMETHING [A Puppy?]...
To browse the partition holding the Windows folder and note the name used.

(c) Then you need to check the contents of the boot.ini on the floppy and edit if necessary, so as to make sure that the code is correct.
Usually just checking the name of the Windows folder is correct.
Here's the important code in my copy:

default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="NT, First harddisk, first partition" /sos
Notice my Win2000Pro folder is named WINNT.

(d) You need to try all 8 partitions.
Did you?

2. " I finally found a site that, added to what I had tried, said to use chkdsk /r. That worked"
(a) So the problem was a corrupted partition file system, right?
That's why the UBF didn't succeed in booting Windows, right?
And WinXP [on NTFS partition file system] was now booting, right?

3. "I started virus scans one after another but didn't turn up much. Nothing that stood out."
(a) How about running a Puppy from a CD, with a pupsave on a Flash Drive, with Avast! Antivirus installed, and scan the Windows partition whilst Windows is dormant?

(b) Or go to www.pcguide.com/vb and ask for help in scanning for infection.
There are people there who are VERY EXPERT and well practised at doing this [Windows users get infected and ask there for help to disinfect very frequently].
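
The check in (b)-(d) above, done from a Puppy live session against the mounted Windows partition instead of by trial-and-error reboots: parse each [operating systems] entry of the floppy's boot.ini, look up the Windows folder it names on the partition its ARC path points at (case-insensitively, as the NTFS/FAT lookup is), and report whether system32\hal.dll and ntoskrnl.exe are actually there. This is an added example, not code from Sylvander's post or from the Universal Boot Floppy; the sample boot.ini text, the mount table, and the fake partition built under a temporary directory are constructed here for illustration, and the requirement that exactly hal.dll and ntoskrnl.exe be present is an assumption that covers only the error message quoted in this thread.

```python
"""Audit a boot.ini against mounted Windows partitions (added example)."""
import os
import re
import tempfile

# ARC path syntax of NT-family boot.ini entries, e.g.
#   multi(0)disk(0)rdisk(0)partition(1)\WINNT
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi)\((?P<adapter_no>\d+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)"
    r"partition\((?P<partition>\d+)\)\\(?P<folder>[^\\\"]+)$"
)

# Files ntldr needs under <folder>\system32; hal.dll is the one named in the
# "missing or corrupt" error seen in this thread (assumed minimal set).
REQUIRED = ("hal.dll", "ntoskrnl.exe")

# Constructed sample: a boot.ini with two entries on different partitions.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="NT, First harddisk, first partition" /sos
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="XP, First harddisk, second partition"
"""


def parse_arc_path(arc):
    """Split an ARC path into its numeric fields and folder; None if not one."""
    m = ARC_RE.match(arc.strip())
    if not m:
        return None
    fields = m.groupdict()
    for key in ("adapter_no", "disk", "rdisk", "partition"):
        fields[key] = int(fields[key])
    return fields


def parse_boot_ini(text):
    """Return [operating systems] entries as (arc_fields, label, options)."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "operating systems" or "=" not in line:
            continue
        arc, _, rest = line.partition("=")
        fields = parse_arc_path(arc)
        if fields is None:
            continue
        label, _, options = rest.strip().strip('"').partition('"')
        entries.append((fields, label, options.strip()))
    return entries


def _find_ci(parent, name):
    """Case-insensitive lookup of name inside parent; None if absent."""
    try:
        names = os.listdir(parent)
    except OSError:
        return None
    for n in names:
        if n.lower() == name.lower():
            return os.path.join(parent, n)
    return None


def check_entry(mount_root, folder):
    """Report whether folder exists on the partition and which REQUIRED
    files are missing from its system32 subfolder."""
    win = _find_ci(mount_root, folder)
    if win is None:
        return {"folder_found": False, "missing": list(REQUIRED)}
    sys32 = _find_ci(win, "system32")
    missing = [f for f in REQUIRED if sys32 is None or _find_ci(sys32, f) is None]
    return {"folder_found": True, "missing": missing}


def find_windows_folders(mount_root):
    """Top-level folders holding a system32 subfolder: the candidate names
    for the folder part of a boot.ini entry (step (b) above)."""
    out = []
    for name in sorted(os.listdir(mount_root)):
        path = os.path.join(mount_root, name)
        if os.path.isdir(path) and _find_ci(path, "system32") is not None:
            out.append(name)
    return out


def audit(mounts, boot_ini_text):
    """For each entry, (partition, folder, label, result); result is None
    when that partition number is not in the mount table."""
    report = []
    for fields, label, _ in parse_boot_ini(boot_ini_text):
        root = mounts.get(fields["partition"])
        result = None if root is None else check_entry(root, fields["folder"])
        report.append((fields["partition"], fields["folder"], label, result))
    return report


def build_demo_partition():
    """Constructed partition: WINDOWS\\system32 with hal.dll but no kernel."""
    root = tempfile.mkdtemp(prefix="xp_")
    sys32 = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sys32)
    open(os.path.join(sys32, "hal.dll"), "wb").close()
    return root


if __name__ == "__main__":
    # Under Puppy the table would be e.g. {1: "/mnt/sda1", 2: "/mnt/sda2"}.
    demo = build_demo_partition()
    for part, folder, label, res in audit({1: demo}, SAMPLE_BOOT_INI):
        print("partition(%d)\\%s %r -> %s" % (part, folder, label, res))
    print("candidate Windows folders on partition 1:", find_windows_folders(demo))
```

Run it under Puppy with the real mount table and the floppy's boot.ini; an entry that reports folder_found False means the name in boot.ini is wrong for that partition, while folder_found True with a non-empty missing list points at the partition contents (what chkdsk /r turned out to fix here), not at the floppy.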

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#107 Post by obxjerry »

Sylvander,

1. It's been awhile but I'm pretty sure I got further than you think I did with the Windows Universal Boot Floppy. There was no doubt Windows was one and only disk, one and only partition. The first option got the missing or corrupted <Windows root>\system32\hal.dll file every time. I hoped it might find it the fourth or fifth time. :? I really think I got to the HDD. The other options were a definite no go. I didn't try all of them.

2. I have no idea what chkdsk /r did or what it did it to. I know it checks the disk for errors and repairs. Everything else (trying to repair boot.ini) I tried came back with a failure message. Chkdsk /r ran for a while and showed one repair then I exited and booted right into XP with no aids.

3. My plan was to boot into W*****s and do nothing but run virus scans hopefully finding and controlling the virus. Are you saying I still may be able to find what the virus was? I'm thinking what I have now is damage left by the virus and not the virus still working.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

lurking viruses

#108 Post by prehistoric »

Jerry,

I strongly suspect there is still something in your system(s). It may not be "the" virus which caused the damage, but the likelihood of something providing an entry point for malware is pretty high. I think your son's suspicions are reasonable.

Sites which are topically popular for a short time, like the ones connected with the Winter Olympics, are especially good sources for malware distribution. Manipulating Search Engine Optimization can steer people places they never intended to go. Things like cross-site scripting can hit you even if the main site is pretty secure. There are tricks which will cause most eyes to glaze over if you explain exactly what is going on. Nobody can stay sane and constantly worry about them while doing other things. You have to trust somebody/something. This is where the toxic stuff gains entry. After that, a wide range of consequences may follow.

Here's an example from a "service call" I made today. (The quotes are because I am not really in business, and don't accept money. I also don't advertise that I can fix W*****s. Part of the reason I don't promise is that I don't know how much longer it will be possible to keep such systems functioning. I always use the opportunity to show Puppy in action. Today was no exception.) This is close to a worst case.

First problem, can't boot into anything except a damaged XP system. Once in that system, can't use the Internet. Attempts to boot Avira rescue CD fail. Can't mount USB flash drive to extract Spybot S&D. I drop back to my super multi-boot floppy, and use it to boot up Zigbert's Stardust 013 on CD. This is basically Puppy 4.3.1, with all the known bug fixes, plus a nice new look and control center. Among those fixes is one that allows F-prot scanner to install and update properly.

I set up Stardust 013 on the machine, connect to the Internet, update F-Prot, mount the XP partition, and scan it. Lots of problems, some with file system, some with scanner, but also a number of known pieces of malware. The important ones affecting my ability to fix things turned out to be: reboot.exe, registry-first-aid, a downloader, and a Trojan named dropper. Norton Anti-Virus was installed, but protection had expired. It had then been infected itself. (Black hats are targeting popular security software which has expired. Once they see what the update accomplishes, they know about a vulnerability. There's always someone out there who didn't maintain protection.)

Once I have the first crop removed or renamed, I can go back to booting Windoze. There follows a long series of operations to remove things which may be legitimate, but are impeding analysis. HP Imaging Software keeps trying to update things that are not vital. So do Adobe, and Apple. Registry First Aid gets removed, but not without a fight. Norton goes, since it isn't doing any good.

I install Comodo Internet Security (free download) because this machine has an Internet connection which transfers about 1/2 MB/s. (After various malware definitions are added, the total size is around 135 MB.) I also install the most critical missing W*****s updates.

Next, I run a scan using Comodo. This goes on for several hours, turning up another 19 threats; most are real. Some got in through unpatched vulnerabilities in M$ Office, some through Netscape 7.2, some through IE7, and so on. I install even more Windoze updates.

While the slower operations are running, I uninstall a variety of things that don't serve any present purpose. With the latest and greatest java run-time environment, and Firefox 3.6, we probably don't need half-a-dozen previous versions and older browsers. I run Comodo System Cleaner to straighten out the registry left from all the previous operations. It fixes 400 errors.

At this point I'm ready to run Trendmicro HouseCall as a cross-check. There's a reason for this high level of suspicion.

Commercial malware is a paying business which runs QA checks to make sure new products will be missed by most scanners. If 30% of them catch it, it fails, and gets sent back for rework. This tells me that having found a dozen real threats, not just some security company hyperventilating about threats, I can be almost certain there will be some missed. (If I am in doubt about which are real, I can submit files to competitors for analysis.)

A second angle is that new malware often uses old malware as a payload. You can remove the old threat without suspecting it was put there so you would find something besides the program which infected your machine. While the payload is working, it uses tried and true methods of extracting money from the opportunity. The criminal doesn't have to create any new infrastructure to support it.

Anyone can tell me this kind of work is uneconomical. If I wasn't especially curious, I wouldn't waste my time. I have an answer to the problem which satisfies me. I'm still waiting for the rest of the world to catch on.

p.s. the battery on that motherboard was dead, too.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#109 Post by Sylvander »

1. " The first option got the missing or corrupted <Windows root>\system32\hal.dll file every time"
Which means there WAS a problem, something external to or beyond the HDD boot arrangements.
This might have been a wrong name for the Windows partition in the floppy boot.ini file...
Or a problem with [access to?] the Windows folder or its contents...
e.g. The one it turned out to be = the Windows partition file system.

2. "I have no idea what chkdsk /r did or what it did it to"
It scanned all the partition file systems it could find, and fixed/repaired any faults found.

3. "booted right into XP with no aids"
So ONE problem found and fixed. :D

4. "Are you saying I still may be able to find what the virus was?"
Yes. :D

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#110 Post by cthisbear »

As a last resort ComboFix is mentioned on Whirlpool forums.

http://forums.whirlpool.net.au/forum/10

////////////////

Once again I cannot speak too highly of the Falcon boot cd.
Not an MS fan but this has a live scanner...updates itself..
probably Windows Defender.

Used System restore on a Vista laptop yesterday..>perfect.
Stops autoruns etc.

http://thepiratebay.org/torrent/5283510 ... s_9.9__ERD


He's just released a 50 meg special...no ERD

http://thepiratebay.org/torrent/5373232 ... _Kon-Boot_

This bloke is good.

////////////

The Avast Bart boot cd does not like less than 256 megs ram.
Better at 512. So running Avast in Windows can probably have issues.

Again...try Hitman Pro...and the one time fix.

//////////

Sometimes though.. you need to re-install.
But use driver magician lite to back up the drivers.
Runs off most windows rescue cds...Ubcd4Win etc.

Chris.
