Re: Is this a virus? Nasty enough to be...

From: ttvp (ttvp_at_cox.net)
Date: 04/13/04


Date: 12 Apr 2004 18:18:25 -0700

Yowza! Let's get started... (snipped for unnecessary redundancy)

> >> > Let's have some better terms there <g> ...was it:
> >> > - distorted at a pixel level (sware derangement)?
> >> > - distorted at an analog level (bad monitor)?
> >> > - black, with LED indicating suspend mode (power mgmt)?
> >> > - other?
>
> >> I believe I answered this question as best as I possibly could in a
> >> previous post in response to the same thing. If your newsreader didn't
> >> get that post, let me know; I'll paste it in.
>
> Yes please; I don't have earlier posts in my view of the thread

To phrase it verbatim:

"Well, it was not distorted, I know that. It was as if the entire
welcome screen was horizontally compressed to just a few pixels.
Either that or just all but a few pixels were chopped off the right
side of the screen (it really was too small to even tell).

If my method of description is still slightly confusing, then this is
as simple as I can get (not as an insult to your intelligence, just to
cover all bases): Imagine an image with resolution of 640*480, now
shrink the image (or cut off the right side) to get an image that is
10*480 (estimation only, of course)."

Google groups also has the entire thing if you're interested (although
I don't recommend posting that way):
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&group=microsoft.public.security.virus

> >> > >I hard-rebooted the PC
>
> >> > Kinder would have been to blind-key your way to shutdown.
>
> >> I did think of that, and I actually tried to blind-key it. However,
> >> without having done such a thing before, I really had no idea what to
> >> press. Oh well.
>
> It's a bit tricky; I've learned Ctl-Esc, Up, Enter, Enter but that may
> not work in XP as the UI is different. Also, you may have to step
> over unseen "Are you sure?" or "Save?" dialogs, so it usually becomes
> PLOKTA (Press Lots Of Keys To Abort). Good guesses are Ctl-C (to kill
> DOS apps), Alt-F4 (to kill Windows apps), Esc (to dismiss modal dialog
> boxes) etc. Press the Caps Lock and watch the keyboard LED; if it
> doesn't toggle, then system's either out or it's dead (locked up).
> Wait for HD activity LED to go out before hitting the big button.

Once again, it's a little too late for that, but I'll keep it in mind
for later occurrences.

> >> > >The only way to avoid this is to run in safe mode, which I am doing.
>
> OK; that's nice as it means it's not uber-core OS code that's broken.
> Next is to try MSConfig etc.

Using MSConfig to do... what exactly?

> >> > 1) Verify your hardware
>
> >> That is what others have suggested as well.
>
> All the more etc.
>
> >> > So, don't fool around. Download RAM testers from www.memtest86.com
> >> > and/or www.simmtester.com and run these in all-tests mode overnight
>
> >> Well, it's a little late for that... but I'll check the memory anyway.
> >> Can't hurt.
>
> It's always worth doing, because even a once-in-a-zillion error rate
> is enough to bite you every month, if not every day :-)

I ran that Memtest86 program overnight and ended it once I got home
from work today. It went through about 3 passes and couldn't find any
errors.

> >> > Next, go to your HD vendor's web site and download a data-safe
> >> > diagnostic from there. Run that, most likely from the boot diskette
> >> > it makes, and do all tests that are not data destructive (i.e. avoid
> >> > "write zeros to drive" or other destructive tests). Once again, any
> >> > errors are hanging offences; evacuate and replace HD.
>
> >> Well, this is basically an unmodified Dell system that I got a couple
> >> years ago. They might have those types of tools available.
>
> If Dell don't, then find out what HD brand you have. There are free
> utils that can be run from a DOS boot diskette that will tell you HD
> brand, model, serial number if this info isn't visible within CMOS
> setup or Windows System, Hardware, Device Manager.

I downloaded the Maxtor Diagnostic program and after running the full
complement of tests, well, "Congratulations! Your drive is certified
error free. Press any key to continue."

> >> elaborate on what "Once again, any errors are hanging offences;
> >> evacuate and replace HD" means?
>
> Don't live with "just one bad sector". You already have four layers
> of software that will try to hide defects from you:
> - the HD manufacturing process that marks out surface defects
> - the formatter that marks bad clusters out so they aren't used
> - NTFS that "fixes" bad sectors on the fly
> - the HD's own firmware that does the same thing
>
> Of the above four, only the first is really acceptable. Defects
> present and detected at manufacturing time are OK, and these days they
> are automatically hidden from view. That's why the "all HDs have some
> manufacturing defects" advice from long ago is dangerously obsolete.
>
> OTOH, new defects that arise after manufacture are NEVER "normal" or
> "acceptable". When these are auto-"fixed" by the HD's own firmware,
> you will never see them - tho you may have silent data loss when the
> copy of the failing sector doesn't preserve contents, as well as
> slowdown when the HD's firmware performs multiple retries to read the
> failing sector when relocating the contents on the fly.
>
> By the time you *see* bad clusters, it means the manufacturing and
> firmware attempts to paper them over have failed. Even at this stage,
> seeing them can be tricky if NTFS "fixes" them on the fly, buries the
> details of what it's done in the bowels of the event logging system,
> and then purges this info when it becomes "old".
>
> The result of all this? The appearance that all is well, fewer
> support calls, fewer sick HDs returned within warranty periods, etc.
> Everyone wins except the user who ultimately pays for all this.

Gah! Jargon! Help!

> >> Well well well. I guess I really should have waited for this reply
> >> before taking any action. As per another suggestion or two, I
> >> attempted to do a repair installation of XP. Unfortunately, fate is
> >> not without a sense of irony. Everything in the installation goes
> >> right until the program says 34 minutes remaining, then, hell breaks
> >> loose. The system blacks out and instantaneously reboots in the exact
> >> same way as before, except for one difference: Half a second before
> >> the screen blacks out, I can see the (what you call) "STOP" screen
> >> extremely briefly.
>
> See the bit about preventing XP from restarting on errors. Once
> again, sunk by stupid MS defaults, and now in a context where you
> can't live long enough to turn the settings off.
>
> Repair install will trash all patches, BTW, including the RPC patch.
> If you go online without at least turning on the firewall (off by
> duhfault, as at XP SP1a) you'll be shot to pieces.

Well, I can't really reach XP at all, so I'm clueless. Is there some
way that I can abort the repair so I can at least get into safe mode?
If not, then that's pretty lame. That just seems like common sense to
include that option just in case. Even though complaining is just as
useless as shaking my fist at the Earth for being round.

> >>"Page fault in nonpaged area."
>
> Non-paged area probably means memory contents that are not supposed to
> be paged to disk - critical code, interrupt service routines etc. If
> the processor thinks these memory contents are not currently in RAM,
> it will generate a page fault exception that the OS catches.
> Normally, the OS will then load that code from HD into RAM and return
> control so that it can now be used, but in this case the OS shrieks
> "hey, that's not supposed to be paged out!!" and dies.
>
> Why would the system page out that which should not be paged out, or
> think contents are not in RAM when they are? Smells hardware, doesn't
> it? Such as the contents of RAM being corrupted, such that what
> should say "yes, here it is" says "it's paged out" instead.

*doesn't understand a thing about paging*

> >> Maybe that error was causing the original problem and the error
> >> screen was just not showing up?
>
> Exactly, because MS thinks as a dumb user, you'd rather have the PC
> "heal" itself by restarting, rather than scare you with a STOP
> message. Scared users phone support, and vendors are happy with
> anything that reduces support calls, so...

Ok! Here's the real meat and potatoes of the whole thing. Solve this,
solve everything. *hopes*

I do have access to the Windows Recovery prompt off the CD, and, as a
result, access to the partition in question. If that information helps
any.

> >> Whatever the case is, I have made the problem worse by attempting to
> >> repair it, now the problem at the forefront is fixing this new problem
> >> and finishing the repair so I can get into Windows XP to fix the OTHER
> >> problem (phew!).
>
> It's as meaningless to "fix" software problems while running on bad
> hardware as it is to carry furniture into rooms with no floorboards,
> or to apply lipstick to train wreck corpses to make them look happier.
>
> The proverb about abluting windwards applies.

You seem to have no end of colorful analogies at your disposal. :-)

> >> happy that I decided to make this a tri-boot system with Windows 98
> >> and Linux. I'm forced to post this using Google groups at the moment,
> >> since 98 seems to be non-affected. Unfortunately I can't access any
> >> NTFS partitions with it. *sadness*
>
> Those that live by NTFS...
>
> Is Win98xx behaving OK? Any errors in Linux?

Win98SE is perfectly fine, but the Windows repair screwed up my
boot sequence, so Grub doesn't load anymore and I have to catch the
boot sequence by rapidly pressing down as fast as I can so it won't
automatically load XP (the timeout has mercilessly changed from 10
seconds to 0 seconds *frustration*)

Well, we're narrowing it down, and that's what's important, I guess.
It really sucks that I have to wait 3 to 9 HOURS for Google to display
my group post. *grrr*

With anticipation and hope,
-T.J.
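The quoted advice above refers to "the bit about preventing XP from restarting on errors" without showing the setting itself. As an added example, not from either poster in this thread, the following commands make that change from a cmd prompt. The setting is the AutoReboot value under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl; 0 leaves the STOP screen on display so its code can be read and written down. It assumes XP can be booted at least into Safe Mode and that the prompt is running as an administrator; the Recovery Console has a fixed command set and cannot apply this change. The same thing can be done in the GUI under Control Panel, System, Advanced, Startup and Recovery, Settings, by clearing "Automatically restart".

```bat
@echo off
rem Added example (not from the thread): keep the STOP screen on screen
rem instead of letting XP restart automatically after a kernel crash.
rem Assumes: cmd prompt on XP (Safe Mode is enough), run as an
rem administrator. reg.exe ships with XP; the Recovery Console lacks it.
set KEY=HKLM\SYSTEM\CurrentControlSet\Control\CrashControl

rem Show the current setting (1 = restart automatically, the XP default).
reg query "%KEY%" /v AutoReboot

rem Disable the automatic restart so the STOP code stays visible.
reg add "%KEY%" /v AutoReboot /t REG_DWORD /d 0 /f

rem Optional: write a small (64 KB) minidump on each crash so the STOP
rem code and faulting driver survive the reboot. CrashDumpEnabled values:
rem 0 = none, 1 = complete, 2 = kernel, 3 = small; small dumps go to
rem %SystemRoot%\Minidump by default.
reg add "%KEY%" /v CrashDumpEnabled /t REG_DWORD /d 3 /f

rem Confirm the change before rebooting.
reg query "%KEY%" /v AutoReboot
```

Once this is set, the next "Page fault in nonpaged area" crash will halt on the blue STOP screen instead of blinking past in half a second, and the minidump gives something to hand to a debugger or a support forum rather than a description of a flicker.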