Re: Is this a virus? Nasty enough to be...

From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 04/12/04


Date: Mon, 12 Apr 2004 12:22:24 +0200

On Sun, 11 Apr 2004 23:13:52 GMT, "Phil Weldon"

>If you intend to solve this problem, you need to concentrate on diagnosis
>and a step by step plan for recovery. I know it seems that you are being
>asked VERY detailed questions, but that is the nature of computers.
>EXACT descriptions really are necessary for differential diagnosis.

Yes, the upside of GIGO; potentially, non-garbage in, non-garbage out
:-)

>I really think the signs now point to some hardware problem, rather than
>just corrupted system files. Try running some hardware diagnostics from
>your Windows 98 installation.

It does sound hardware, but could be sware. We seem to be looking for
something that happens only after logon, but always after logon to any
account. That suggests one/more of:
  - hardware that only comes into effect after logon
    - peripherals activated and polled by post-logon sware
    - SVGA if post-login resolution etc. is higher
    - sound issues (AFAIK no sound until logon)
  - software that only comes into effect after logon
    - malware via post-logon startup axis
    - code broken by av cleanup (look at av logs)
    - code broken by bad exits and AutoChk (wade thru event logs)
    - other crummy software

You can slice and dice this in various ways, starting with Safe Mode
(uses SVGA settings as mild as the logon prompt, suppresses startup
axis) and MSConfig suppression of startup axis (if that works, then
re-enable startup items until it breaks again).

Note that screen resolution is system-wide, so will affect all user
accounts equally. Try setting lower resolution from Safe Mode, then
retry; perhaps your SVGA has some bad RAM that's only accessed in
higher res. Memory testers can't test that.

Try disabling sounds, in case that's it, and in Device Manager you can
try setting non-essential devices to "[x] Disable in this profile".
If you do this, you don't lose drivers and settings, don't prompt PnP
redetection, and shouldn't cause Windows Product Activation to lose
"lives" that might be associated with the device.

So in essence, you use the above tactics to exclude hardware causes,
and MSConfig to exclude manageable software causes. Software designed
to defy your management - malware - you'd have to chase harder.

>What you CAN do now, to get access to and preserve your data, is to do a NEW
>installation of Windows XP Pro on another partition. That will give you
>access to your files, but not your programs.

I'd rather avoid writing to HD on a known-dubious system for now.

>"ttvp" <ttvp@cox.net> wrote in message

>> For lack of a better term, Jesus Christ! You certainly are in-depth.

Yep :-)

>> I'll try to respond as accurately and as completely as I can. This
>> certainly looks to be a long thread, so lets get to it!

I'm game (but don't shoot me, even if it is hunting season)

>> > Let's have some better terms there <g> ...was it:
>> > - distorted at a pixel level (sware derangement)?
>> > - distorted at an analog level (bad monitor)?
>> > - black, with LED indicating suspend mode (power mgmt)?
>> > - other?

>> I believe I answered this question as best as I possibly could in a
>> previous post in response to the same thing. If your newsreader didn't
>> get that post, let me know; I'll paste it in.

Yes please; I don't have earlier posts in my view of the thread

>> > >I hard-rebooted the PC

>> > Kinder would have been to blind-key your way to shutdown.

>> I did think of that, and I actually tried to blind-key it. However,
>> without having done such a thing before, I really had no idea what to
>> press. Oh well.

It's a bit tricky; I've learned Ctl-Esc, Up, Enter, Enter but that may
not work in XP as the UI is different. Also, you may have to step
over unseen "Are you sure?" or "Save?" dialogs, so it usually becomes
PLOKTA (Press Lots Of Keys To Abort). Good guesses are Ctl-C (to kill
DOS apps), Alt-F4 (to kill Windows apps), Esc (to dismiss modal dialog
boxes) etc. Press the Caps Lock and watch the keyboard LED; if it
doesn't toggle, then the system's either out or it's dead (locked up).
Wait for HD activity LED to go out before hitting the big button.

>> > >once the desktop finishes loading, black screen, computer starts up
>> > >again from the beginning, with no warning.

"No warning" means it's not an RPC failure or other "nice" (handlable)
error, pointing to hardware or low-level crash. That you see the
desktop suggests less likely SVGA. Do you hear sound?

>> It does the same for every account, even the hidden admin.

Points away from some, but not all, startup axis invaders.

>> > >The only way to avoid this is to run in safe mode, which I am doing.

OK; that's nice as it means it's not uber-core OS code that's broken.
Next is to try MSConfig etc.

>> > OK. Safe mode isn't always, as far as malware goes. Was your PC left
>> > online while you were out? Was your house door left unlocked too?

>> > Safe Mode suppresses the startup axis and (some?) device drivers, so
>> > your mileage points in that direction. Many malware won't run in Safe
>> > Mode if they were written to patch into the parts of the system that
>> > aren't run when in Safe Mode. That luck won't last forever.

>> My PC is hooked up to the cable modem and I tend to leave it on, more
>> or less, every day straight, occasionally rebooting (not the best
>> habit, I know). Also, the house is always locked and the alarm set
>> whenever I leave and there's nobody else home.

OK, that wasn't really what I meant but it's useful info anyway. Try
disconnecting the cable access, just in case it's some sort of malware
dialog (e.g. your PC says "Zombie #34597 reporting for duty, sah!" and
somewhere out there, the order comes to "reboot yerself")

I run Kerio as firewall and when I'm away from the PC (and I remember)
I set this to block all traffic. Kerio's smart enough to be "sticky",
i.e. if the PC reboots, it comes up as traffic-blocked again.

What I really meant is that if you suspect malware (as one does in so
many "WTF?" situations) then you have to be quite formal about how one
approaches this before you can consider malware to be excluded.

In this respect, most advice I see around here is weak; while things
like Safe Mode can prevent many malware from running, this is NOT the
same as excluding the presence of all possible malware. As the latter
is the answer you need, you need to keep on tshooting that issue.

>> > >I also am very observant about e-mail and am experienced
>> > >enough to know the difference between a good and bad attachment

>> > Takes some doing... I presume you mean you perform the Turing Test to
>> > assess whether it was sent by a human or a bot? That still leaves
>> > virus infection of files the human really wanted to send, but OK

>> Yeah, well, I mean, when one receives an email with no message body
>> and just an attachment titled "sexy.virgin.exe.scr", it doesn't take a
>> genius to know what's going on. That's about all I ever get.

Yep, that's what I meant. Being "from someone you know" is
meaningless; malware has to get your email address from somewhere and
that means much of the time, it will be from "someone you know" (or
rather, someone's PC on which your email address is visible).

OTOH, if you are "john at hotmail.com" your email address may be
guessed by malware that constructs putative addresses from likely stub
info. So mail that's NOT from "someone you know" isn't safe either
:-)

>> > >I don't believe in Virus Scanners,

>> > Oh, I do. If I lived on "locked doors and no fire escape" NTFS, I'd
>> > *really* believe in them, as cleaning up active malware in NTFS may
>> > simply not be possible. It's like pre- and post-AIDS casual sex.

>> Well, I was exaggerating a little with that line. I just never had any
>> problems with viruses (virii?) in my entire computing life. I also
>> knew that no protection was a very unwise thing to do, but I just
>> didn't see the need for that extra program/process in the background
>> sucking up memory. So yeah, play with fire, get burned, etc.

I used to do that too, but two trends changed my mind:
  - the risk surface is increasing to unmanageability
  - PCs are fast enough for resident av, which is now more stable

If you are using NTFS, then a third trend kicks in:
  - you can no longer assume pre-payload malware is cleanable

So the same equation applies, but the newest values for the terms in
the equation may tilt the result. The stakes are higher, the
diligence required to manually patrol the frontier is higher, the
speed and stability impact of resident av is lower.

>> I never really knew that the NTFS filesystem had such a problem. I
>> always considered it the omnipotent god in the filesystem world, that
>> was without flaws. Interesting.

Well, it's fine as long as nothing gets past it - but it is the nature
of malware to get past protection, and Witty demonstrates this is not
only still possible (examples that prove that abound) but it's even
possible to drill right through NT/NTFS protection and perform
low-level raw disk writes, without having to get out of Windows.

NTFS's self-repair can do nothing to protect your data against raw
low-level disk writes. It's more likely to auto-repair the file
system, whether you like it or not, even if the result is catastrophic
data loss that "repair" makes irreversible (by resolving the
detectable anomalies that pointed to what was damaged).

>> > >It couldn't detect a virus that caused this problem. I also ran test
>> > >after test online, from Symantec to Panda Scan, as well as Housecall.

>> > If Windows-based av is not exclusionary, on-line scanners are a joke.
>> > If they find something, great; if they don't, can you believe the result?

>> Not sure. *inexperience*

Understandable. Vendors are quick to shout when they have an answer,
but stay really, really quiet when they don't. The need for formal av
scanning hasn't gone away just because NT on NTFS is incapable of
hosting such solutions, or because the av has no solutions to offer.

It seems I'm a bit of a lone voice on this one. Folks point out that
most, if not all, malware can be cleaned informally, but that's like
saying running blindfolded across a highway usually works too, or that
if you give a loaded gun to most ppl, they won't shoot you with it.

Hmm... remember, we are talking *malware* here, i.e. software designed
to hide itself from you and act against your interests. Maybe the
analogy should be "give a loaded gun to most petty criminals, hoping
they won't shoot you with it". Some dice are better left un-rolled.

>> > 1) Verify your hardware

>> That is what others have suggested as well.

All the more etc.

>> > So, don't fool around. Download RAM testers from www.memtest86.com
>> > and/or www.simmtester.com and run these in all-tests mode overnight

>> Well, it's a little late for that... but I'll check the memory anyway.
>> Can't hurt.

It's always worth doing, because even a once-in-a-zillion error rate
is enough to bite you every month, if not every day :-)

>> > Next, go to your HD vendor's web site and download a data-safe
>> > diagnostic from there. Run that, most likely from the boot diskette
>> > it makes, and do all tests that are not data destructive (i.e. avoid
>> > "write zeros to drive" or other destructive tests). Once again, any
>> > errors are hanging offences; evacuate and replace HD.

>> Well, this is basically an unmodified Dell system that I got a couple
>> years ago. They might have those types of tools available.

If Dell don't, then find out what HD brand you have. There are free
utils that can be run from a DOS boot diskette that will tell you HD
brand, model, serial number if this info isn't visible within CMOS
setup or Windows System, Hardware, Device Manager.

>> elaborate on what "Once again, any errors are hanging offences;
>> evacuate and replace HD" means?

Don't live with "just one bad sector". You already have four layers
of software that will try to hide defects from you:
  - the HD manufacturing process that marks out surface defects
  - the formatter that marks bad clusters out so they aren't used
  - NTFS that "fixes" bad sectors on the fly
  - the HD's own firmware that does the same thing

Of the above four, only the first is really acceptable. Defects
present and detected at manufacturing time are OK, and these days they
are automatically hidden from view. That's why the "all HDs have some
manufacturing defects" advice from long ago is dangerously obsolete.

OTOH, new defects that arise after manufacture are NEVER "normal" or
"acceptable". When these are auto-"fixed" by the HD's own firmware,
you will never see them - tho you may have silent data loss when the
copy of the failing sector doesn't preserve contents, as well as
slowdown when the HD's firmware performs multiple retries to read the
failing sector when relocating the contents on the fly.

By the time you *see* bad clusters, it means the manufacturing and
firmware attempts to paper them over have failed. Even at this stage,
seeing them can be tricky if NTFS "fixes" them on the fly, buries the
details of what it's done in the bowels of the event logging system,
and then purges this info when it becomes "old".

The result of all this? The appearance that all is well, fewer
support calls, fewer sick HDs returned within warranty periods, etc.
Everyone wins except the user who ultimately pays for all this.

>> > 2) Give yourself a chance to see what's going on!

>> > By duuuhfault, XP restarts whenever a system error occurs. Find and
>> > disable that durnfool setting so that you get a STOP screen (the NT
>> > equivalent of Win9x's BSoD) to look at instead.

Start, Settings, Control Panel, System icon, Advanced tab - it's one
of the buttons in the bottom half of the dialog box, can't remember
which. That leads to a dialog in which there are a few checkboxes
below halfway down, and the last of the group is the one you want.

(I'm not in XP now, have to tell you from memory)

>> Point noted (though I don't know where that option is)

I anticipated that - see above

>> > Also by duuhfault, XP restarts the whole PC whenever the RPC service
>> > fails. As you prolly know, the RPC service has a famous defect

Find your way to Administrative Tools (e.g. via Control Panel,
something else XP tries to hide away by duhfault), and go into
Services. Find the Remote Procedure Call service (not the RPC
Discovery service). Click the "recovery" tab and you'll see three
drop-down boxes for what to do the first, second and subsequent times
the service falls on its ass. These will be set to "Restart the
Computer"; change them all to "Restart the Service" <sheesh!>

>> Once again, method of changing that setting?

Above. Unless you are asking about applying the RPC patch (I snipped
before I read) in which case that's easy to look up (MS site, Google).

>> > 3) Do a formal virus scan

>> > By "formal" I mean; boot without running ANY code off the HD, and from
>> > that known-uninfected boot, run your av to scan all files. You can
>> > see why that's difficult in NTFS! If NTFS, you have uhhh... you tell me.

>> Hmmmm... That is a pickle.

Quite - and I intend to hold MS's feet to the coals on this one.

>> Well well well. I guess I really should have waited for this reply
>> before taking any action. As per another suggestion or two, I
>> attempted to do a repair installation of XP. Unfortunately, fate is
>> not without a sense of irony. Everything in the installation goes
>> right until the program says 34 minutes remaining, then, hell breaks
>> loose. The system blacks out and instantaneously reboots in the exact
>> same way as before, except for one difference: Half a second before
>> the screen blacks out, I can see the (what you call) "STOP" screen
>> extremely briefly.

See the bit about preventing XP from restarting on errors. Once
again, sunk by stupid MS defaults, and now in a context where you
can't live long enough to turn the settings off.

Repair install will trash all patches, BTW, including the RPC patch.
If you go online without at least turning on the firewall (off by
duhfault, as at XP SP1a) you'll be shot to pieces.

>>"Page fault in nonpaged area."

Non-paged area probably means memory contents that are not supposed to
be paged to disk - critical code, interrupt service routines etc. If
the processor thinks these memory contents are not currently in RAM,
it will generate a page fault exception that the OS catches.
Normally, the OS will then load that code from HD into RAM and return
control so that it can now be used, but in this case the OS shrieks
"hey, that's not supposed to be paged out!!" and dies.

Why would the system page out that which should not be paged out, or
think contents are not in RAM when they are? Smells hardware, doesn't
it? Such as the contents of RAM being corrupted, such that what
should say "yes, here it is" says "it's paged out" instead.

>> Maybe that error was causing the original problem and the error
>> screen was just not showing up?

Exactly, because MS thinks as a dumb user, you'd rather have the PC
"heal" itself by restarting, rather than scare you with a STOP
message. Scared users phone support, and vendors are happy with
anything that reduces support calls, so...

>> Whatever the case is, I have made the problem worse by attempting to
>> repair it, now the problem at the forefront is fixing this new problem
>> and finishing the repair so I can get into Windows XP to fix the OTHER
>> problem (phew!).

It's as meaningless to "fix" software problems while running on bad
hardware as it is to carry furniture into rooms with no floorboards,
or to apply lipstick to train wreck corpses to make them look happier.

The proverb about abluting windwards applies.

>> happy that I decided to make this a tri-boot system with Windows 98
>> and Linux. I'm forced to post this using Google groups at the moment,
>> since 98 seems to be non-affected. Unfortunately I can't access any
>> NTFS partitions with it. *sadness*

Those that live by NTFS...

Is Win98xx behaving OK? Any errors in Linux?

>-------------------- ----- ---- --- -- - - - -
  Running Windows-based av to kill active malware is like striking
  a match to see if what you are standing in is water or petrol.
>-------------------- ----- ---- --- -- - - - -
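Added example, not from this post or either poster: the two XP settings the reply walks through by hand (automatic restart on system failure under "Startup and Recovery", and the Remote Procedure Call service's recovery actions) read and then changed from a command prompt, so the STOP screen stays visible and an RPC failure restarts the service rather than the machine. It assumes an administrator cmd prompt on XP; the registry value and sc commands are real, the one-minute restart delay and one-day error-free reset window are chosen here.

```batch
@echo off
REM Added example (not from the original thread). Shows the XP defaults the
REM post complains about, then sets them to the values the post recommends.
REM Assumes an administrator command prompt.

echo --- Current: automatic restart on system failure (1 = reboot, 0 = keep STOP screen) ---
reg query "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v AutoReboot

echo --- Current: recovery actions for the Remote Procedure Call service ---
sc qfailure RpcSs

REM Corrected setting 1: stay on the STOP screen instead of rebooting, so the
REM bugcheck text (e.g. "Page fault in nonpaged area") can actually be read.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v AutoReboot /t REG_DWORD /d 0 /f

REM Corrected setting 2: on the first, second and subsequent RPC failures,
REM restart the service after 60 seconds (delays in ms) instead of rebooting.
REM reset= is the error-free interval (seconds) after which the failure count
REM returns to zero; one day is chosen here.
sc failure RpcSs reset= 86400 actions= restart/60000/restart/60000/restart/60000

echo --- Verify both changes took ---
reg query "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v AutoReboot
sc qfailure RpcSs
```

The AutoReboot change takes effect at the next crash; the sc failure change applies immediately and is the same setting the Services snap-in's Recovery tab edits.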
