
Hacked, once again?



trsiyengar
05-06-2004, 12:59 PM
After reading many complaints from members regarding their computer breakdowns, now it is my turn, it seems.

Often the stupid machine goes off winking and blinking and warns me of an impending threat! It demands a reboot every time I switch it on. I have the AVG anti-virus, but that too gets stuck at a particular level while scanning. Don't know what is really happening here.

Is anyone out there out to destroy only WPM sites and computers? When I checked the log at my site, I did find some suspicious activities going on. Need to build a firewall, all around!

ldyguique
05-06-2004, 02:55 PM
Well, my computer problems finally reached a boiling point and the poor baby went dead -- turned out to be the HD. E-Machines sent me a new one (I got it literally the day after my call-in) and it was an easy install. Getting everything back onto it has definitely taken a bit longer.

I'm on dialup and went through the long and laborious process of immediately upgrading Windows XP (I remembered how hard MS-Blaster hit newly restored machines). Fortunately, I did so, as SASSER hit the next day.

Also, because I've been concerned about some of the other people's problems, I went ahead and installed a full firewall. It's been a tedious process getting all of my paid-for software login info and downloads back up to snuff -- I lost all "current" email (I know that I've got everything through last October on the other computer -- it's just not accessible at this time). The backups that I performed early last week weren't as complete as I would have liked, and I made a couple of errors in judgment as the machine was going through spasms.

So, my issues weren't any of the scourges of the internet. Good luck on your issues.

mikmik
05-06-2004, 04:52 PM
trsiyengar, have you done a repair install?


Do this with your computer unplugged from the internet.

You must boot from CD, and when the windows setup loads, it asks if you want to install Windows XP or repair a current installation.

You should push enter to install, not 'R' for repair.

Then it asks you to push the 'F8' key to agree to the terms.
Next it asks again if you want to repair a Windows installation, and it will have 'MICROSOFT WINDOWS XP' highlighted down below.
It suggests to push the 'R' key to repair, or the 'Esc' to continue with a fresh installation.
This time pick the repair option with the 'R' key.
It will then fix the registry and settings to functional status, but you will keep all of your files and installed programs intact.
The Windows kernel will be restored to a state of "newness", and must be updated at the Windows Update site again.

I was using AVG when my problems arose this past month.

Maryt gave a place to go to get a tool called "sysclean"; it is a tool that goes through and gets the Gaobot and all the latest viruses and worms out, and cleans up the damage.
http://www.trendmicro.com/download/dcs.asp
This page tells you how to stop your computer from shutting down, and how to get an online scan at 'Housecall'. It is very good, and it is what I get all people to do for extra precaution every week anyway. Here it is: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A
Here is the Microsoft page to get the 'Sasser' patch from:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
That link is from this information page that 'flashfast' posted: http://reviews.cnet.com/4520-6600_7-5133023.html

I am now going to relay from minstrel a page that deals with the Gaobot and how to remove it:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.gaobot.html
Maybe this is the best one; it talks about "Phatbot", and it is like what I had, because I see you have noticed suspicious records in your logs as well. http://securecomputing.stanford.edu/alerts/windows-phatbot-26mar2004.html#anchorfour
Yes (I am looking at information from minstrel as I write this, please excuse), this is what I had - I don't use any P2P or chat, but my roommate's computer passed it to mine - http://vil.nai.com/vil/content/v_101100.htm

Please provide as much information as possible regarding your computer behavior.

It was impossible to clean my machine of my scourge; I have used Linux to be operational again. This may not be what you are experiencing, though; I had several malicious infections going at once.
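
The Trend Micro and Microsoft pages above describe Sasser but do not show how to spot it on a box that cannot stay online long. As an added example (not code from this thread or from the linked vendor pages), here is a small Python triage script that reads saved `netstat -an` output and flags the symptoms a worm like Sasser leaves in the socket table. The port numbers are taken from public Sasser.A write-ups (TCP 5554 FTP server, TCP 9996 remote shell, scanning of other hosts on TCP 445); the set of "expected" listeners and the netstat lines are constructed for the example, not captured from anyone's machine.

```python
"""Triage a saved `netstat -an` listing (Windows format) for worm symptoms.

Added example, not code from the thread or the linked pages.  Run
`netstat -an > sockets.txt` on the suspect machine (unplugged from the
network) and point this script at the file, or run it as-is on the
constructed sample below.
"""
import re
import sys
from collections import Counter

# Ports a stock Windows XP-era machine normally has LISTENING (RPC, NetBIOS,
# SMB).  This is an assumption for the example; adjust for your own box.
EXPECTED_LISTENERS = {135, 139, 445}

# Listener ports associated with Sasser.A in public write-ups (assumption:
# these numbers come from vendor descriptions, not from this thread).
SASSER_PORTS = {5554: "Sasser FTP server", 9996: "Sasser remote shell"}

# Windows netstat prints e.g. "  TCP    0.0.0.0:5554    0.0.0.0:0    LISTENING"
# UDP rows have "*:*" as the foreign address and no state column.
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$"
)

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # banner and header lines
        proto, lip, lport, rip, rport, state = m.groups()
        yield proto, lip, int(lport), rip, rport, state or ""

def triage(text, expected=EXPECTED_LISTENERS, scan_threshold=5):
    """Return a list of human-readable findings for suspicious sockets."""
    findings = []
    half_open_445 = Counter()
    for proto, lip, lport, rip, rport, state in parse_netstat(text):
        if proto == "TCP" and state == "LISTENING":
            if lport in SASSER_PORTS:
                findings.append(f"listener {lip}:{lport} matches {SASSER_PORTS[lport]}")
            elif lport not in expected:
                findings.append(f"unexpected listener {lip}:{lport}")
        # Sasser probes random addresses on 445; a pile of SYN_SENT rows to
        # distinct hosts on that port is the worm scanning from this machine.
        if proto == "TCP" and rport == "445" and state == "SYN_SENT":
            half_open_445[rip] += 1
    if len(half_open_445) >= scan_threshold:
        findings.append(
            f"{len(half_open_445)} half-open outbound connections to port 445 "
            "(looks like this host is scanning)"
        )
    return findings

# Constructed sample output, not a real capture.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       192.0.2.10:445         SYN_SENT
  TCP    192.168.1.5:1045       192.0.2.11:445         SYN_SENT
  TCP    192.168.1.5:1046       192.0.2.12:445         SYN_SENT
  TCP    192.168.1.5:1047       192.0.2.13:445         SYN_SENT
  TCP    192.168.1.5:1048       192.0.2.14:445         SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in triage(text) or ["nothing suspicious in the socket table"]:
        print(finding)
```

Run against the sample it reports the two Sasser listeners and the burst of half-open connections to port 445. A clean listing of only the expected ports produces no findings, which is the point: the script tells you what to go look at, not what to delete.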

mikmik
05-08-2004, 02:53 AM
If you see this, send your phone and contact info to me, TRS.
Email me.

pete61uk
05-08-2004, 04:32 AM
No consolation, but it has just been on the news that the writer of the Sasser virus was arrested in Germany this morning.

mikmik
05-08-2004, 06:31 AM
I like that news!

Guess what? I was 'infiltrated' this morning, and I was still using Linux.
Eight hours later, I took my completely 'Linux formatted' drive, and without being on the internet, or even hooked to it with a cable (UTP Cat5), I reformatted, including the MBR, to NTFS.
I was installing windows XP from CD.

I found a tracking log in my recycle bin, first thing, and I was locked out of many folders.

How is this possible?

Should I flash my BIOS?

Pete61uk, do you and I have to open a can of whoopass on someone?

But I am serious, something bad is going on, and I also want to hear from trsiyengar.

trsiyengar
05-10-2004, 10:24 AM
Hi to everyone! Finally I managed to bring life to my dying computer - with all your tech support links. Yeah, Mike, the links given in your post gave me a good idea of how to bring back life to my stupid-most machine.

Though I managed to peep into these forum posts for a day, I could not post any message, nor could I reply, for if I stayed on the net for half an hour, the computer again went back to its sleepy mood and shut down.

Cleaned the HD, formatted the entire 'C' drive, scanned, rebooted, started. To my shock, the condition was the same even after formatting it again. Then I had to call in a techie, who also could not find any fault with the machine, which goes off as soon as I get on the net. Yes, the culprit here is a Trojan horse and another nasty Netsky virus; don't know how it entered and settled comfortably, sitting pretty in my machine. Though the Trojan horse IE5/k.... virus was removed, I am yet to kill the I-Worm/Netsky-Q. Presently it is deactivated and quarantined. But I find removal of this worm is a bit difficult.

The worst problem I faced during all these three days was that every time I start the AVG scanning, at a particular point the computer stops and blinks. A fatal error message is displayed, then the machine automatically starts demanding a reboot.

Thank you Mike, I did install from the CD (not boot floppy) - instead of "repair". The problem is now for the most part effectively solved, but for the removal of a virus. And very good advice was given by my technician: to replace this computer, because the advanced or most advanced ones are now available at a cheaper cost!! Sorry, I did not respond to your request to post a PM or mail, as I could not surf the net from my computer. I never had the time to go to any cybercafe, which is almost always crowded during this summer vacation time!

Thank you Pete, the guy who was caught in Germany along with two other accomplices for spreading the Netsky virus seems to be a young boy in his teens. Wondering what sadistic pleasure these guys are getting by harming others.

Thank you, ldyguique, for sharing your experience. Really it is worth reading your experience, which gives another experience!!

Mike, now I am a bit comfortable, let me shake hands (oh, neither of us has the claws and paws!!)!! I am having problems here at home - yes, at home only - my computer is, apart from myself, shared by my son (24 years, working for a call center) and my daughter (16 - now entering junior college). Both of them have their own choices for music, fun, games and views. That is where I find the trouble. You get every sort of spyware and viruses from these cheap game stations. Most of the day this machine is on, 12 hours on average. This too exposes it to the wide internet, causing some damage to some extent. And they don't agree! Generationext? Hmmm.

Namaste, everyone

mikmik
05-10-2004, 11:36 AM
TRS Iyengar, it is so good to see you! There has been much mishap with others as well; it seems many are getting breakdowns.

Our problems sound more similar all the time. I thought that I was all clear yesterday, but problems crept back somehow. My whole new drive was wiped clean, with everything freshly installed, and all the most severe security being maintained. Yet again I was overcome!

I got the most fantastic resource from a friend elsewhere, and it is a utility to see every type of hidden data on your hard drive. It is called BootIt NG, from here: BootIt Next Generation (http://www.bootitng.com/).
Alas, I have to go somewhere immediately, so I will come back and explain more, but it is a HIDDEN partition with a name made of strange (not English alphabet) symbols, on a FAT16 partition.
I got the download and made the floppy boot disc, and was able to see everything.

I got it at least a month ago, and must have saved it accidentally when I made my last backups, which I was rebuilding with!
Some IM and filesharing young ones may have been the original source in my household as well....

trsiyengar
05-10-2004, 01:16 PM
Mike,
It is really worth reaching out to those helplines you gave links to. Now I shall try with the TeraByte one too. The most disturbing point is, my computer, as well as that of others, is not safe, despite our hard efforts to set it back. There are scores of persons on the earth enjoying sadistic pleasures by sending out viruses and other damaging mails; this causes a heavy burden of upkeep, waste of time, resources etc.

A few of my friends in Mumbai also had similar but not identical problems, and they set it right by paying exorbitant costs to the techies. Once, a very learned person weighed in on this problem, saying that some of the computer manufacturers are themselves in the making of, and encouraging, such dirty trick players!! Hmmm... they need to sell their excessively manufactured H/W, by hook or by crook. The time has almost come when there are no repairs, only replacements! But how then do we save the data? The backup data too gets simultaneously corrupted with hidden sorts of damaging viruses.

The most disturbing part of this sorry state of affairs is that I trusted the anti-virus programmes much, and when they were run, at a particular point or file the search stops; it is a threatening programme that is encountered; the virus is very cleverly programmed to stop the anti-virus scanning! How then can one trust and buy these products, when crash after crash is reported globally?

After closing the AVG scanner, I tried to install a 15-day Norton AV trial version, just to check if everything is alright. When it was downloaded and started running, I got a shock by way of a small dialogue box, stating that some internal error causes malfunctioning of this programme! Since the pre-install scan of Norton AV gave no indication of any threat, I thought everything was alright. Now the alarm bell is ringing again; I must keep my eyes wide open. What next? No, not everything is alright at this end, though the computer is running and online.

A must for every computer user: keep the data on a separate, removable disc or similar, as the backup on the same computer is more vulnerable to simultaneous attack once a virus enters. Let's see what Generationext brings; delight or doom!

trsiyengar
05-10-2004, 01:43 PM
Mike, here is a little description about my computer!

Surprisingly, I found a file ~text document* without any virus classification or definitions, and I deleted it without even checking further. I am too scared to retain this particular file that was placed in my folder. In the properties of the document, it is stated to be created on 7th April 2004, whereas I had not made any document in my Word files for ten days!


Here all the programme files are placed in "C", all that belongs to my daughter is stored in "D", my son uses "E", and "F" is mine. The 40 GB HD is divided into four partitions, using 14.9 GB for C and 7.44 GB for each of the other three.

My HD has now been formatted almost thrice. I lost around 7 GB of data on my earlier 40 GB HD, mainly the mail part of Outlook Express, saving mails from 4 years! All the communications were lost in one swipe. The Samsung RW52-24-52 helped me to save some. This way I save my important documents, tax return forms etc. on an RW disc.

chriswebb
05-10-2004, 03:46 PM
I think I can actually help here. The shutting down of the computer is caused by the Sasser virus; that's what it does. I had that virus last week. The solution is to go to the Microsoft site and search for the Sasser clean-up tools, then you clean up. I had to turn off the restore point on my computer too. Then you must search the site again and get the tool that will fix the glitch; you get that also on Microsoft. It's all on the Microsoft site. It sucks because you can hardly stay online long enough to remove it. Hope this helps. Thank you, from Chris Webb http://www.californiadiscjockeys.com

iCanHelp
05-10-2004, 04:14 PM
Hi everyone,

Thought I'd join in at this point and share a recent experience and resource for combating this problem.

I, too, was hacked about a week ago. The culprit turned out to be a Trojan Horse of extreme severity (logging credit card and password details... you know the kind of thing?)

Obviously I was extremely worried about this hack as I use my machine on a daily basis for business.

So I searched related online forums for a "fix", and stumbled on http://www.spywareinfo.com. The members there are clued up on this kind of thing, and there are always those who are ready and willing to help. (A word of warning, though, read all FAQs first before you post. Don't jump straight in with your problem, as it could result in a severe reprimand. You've been warned!).

Among the "fixes" available for dealing with Browser Hijacking programmes and Trojans, I downloaded Ad-aware Version 6.0, and I'm pleased to report the software lived up to all expectations. After scanning, it offers Quarantine of infected files it deems "suspicious", thereby allowing you to recover critical Operating System dependent files (if deleted). For the record, though, my Trojan wasn't as severe as this!

Finally, I'm not saying Ad-aware is a cure-all, I'm merely reporting personal experience. Until infection, I used only (up-to-date) Anti-virus software, but not a Firewall. Now I have both, and I'm glad I do. Now life's sweet again!

Hope this helps.

Best,
Andy

computers
05-10-2004, 06:00 PM
trsiyengar,

I'm glad you were able to fix your system problems! Viruses can be difficult to eradicate.

If you've not had luck with AVG (as it seems from your posts), I would recommend (while you're disconnected from the internet) uninstalling AVG and installing Norton AntiVirus 2002; there are some compatibility problems with 2003, and 2004 is just a pain.

Also make sure that you have a firewall installed or use the built in firewall in Windows XP.

If you only used the CD to reformat and install, you can recover most of what you've lost by using GetDataBack; I was able to recover 97% of lost data with it.

Also to protect yourself further, install Spyware Blaster, it really does prevent most spyware and browser hijackings and it's free for personal use.

dugfresh33
05-10-2004, 11:05 PM
I'd pull more of my hair out, but it seems I've none left...

Let's just say my computer problems are so bad, I'm entertaining the idea of switching over to Mac. My computer got hacked and infiltrated and wormed and mined and hacked some more to the point that it became nearly impossible for me to get any work done. My contact list (in Outlook) got harvested and I receive tons of junk e-mail now from the most creative combination of the names in my address book. If it weren't so bloody annoying, it might be funny. Then again...probably not.

Anyway, because Windows, over time, clutters itself up into a little, tangled ball of chaos, I try to do a complete reinstall from the ground up about once a year: reformat, repartition, reinstall the OS and all of the apps. Obsessive? Maybe. But we're dealing with Microsoft, here. (Next to the word "unpredictable" in the dictionary, is a picture of Bill Gates and the Microsoft logo. Come to think of it, Microsoft appears next to "infuriating," "incorrigible," "miserable," and "malignant," as well...).
This last time, it took me almost two weeks (!) because Windows decided, as far as I could tell, to corrupt the registry on its own; I had not even set up my dialup account, so catching something that early on from the internet was not even an option. So I had to start all over again. Two. Weeks. Enough said.


I feel everybody's pain. I can't do anything about it, but I feel it...

Good luck to everyone.


(BTW, for computer "protection" I run ZoneAlarm, Ad-aware, Spybot S&D, and Norton AV. They're supposed to help...)

trsiyengar
05-11-2004, 12:23 AM
dugfresh33 wrote:

...But we're dealing with Microsoft, here. (Next to the word "unpredictable" in the dictionary, is a picture of Bill Gates and the Microsoft logo. Come to think of it, Microsoft appears next to "infuriating," "incorrigible," "miserable," and "malignant," as well...).

Bill Gates is sleeping and snoring; no chance he could catch your lines! Haha!!

Hi Computers (?!)

Thank you, thank you for your wishes and suggestions. I shall try to go back to NAV, only if AVG fails again.

iCanhelp wrote:

Finally, I'm not saying Ad-aware is a cure-all, I'm merely reporting personal experience. Until infection, I used only (up-to-date) Anti-virus software, but not a Firewall. Now I have both, and I'm glad I do. Now life's sweet again!

Your personal experience can be a guide to others too. Thank you very much. I once earlier got the link to spywareinfo.com, and really they have clubbed together a lot of the info available on the net about viruses and hacking. I don't know why, but I simply avoided using the site!! (Wary? Scared? Indecisive?)

chriswebb, that's exactly where I landed to get the whole clean-up act. Let me see if things are now down to earth!

Thank you every'buddy' for giving me some worthy notes. I shall see to it that I am floating, not sinking!

And finally, the members' nicknames make a good mix of fun, jokes, sound and simplicity! Yeah, it is better than my unpronounceable one!!

TrafficProducer
05-11-2004, 02:47 AM
Take a break and check out this (joke verse):

http://www.webproworld.com/viewtopic.php?p=99807&highlight=verse#99807

TrafficProducer
05-11-2004, 02:57 AM
Windows XP Using the System Restore Wizard

When you run the wizard, you can restore your computer to an earlier time or state.

mikmik
05-11-2004, 03:51 AM
I relate to you all, and I've yet to thank computers for the 'Decombobulator' on her site. I am sure I will thank her sooner or later though, and I may even mention the other excellent resources and downloads that have helped my erse more than once. (Wink, nudge, how you doing? lol)

I will tell you guys something about my problem. Although similar to the Gaobot, Sasser and all that, I discovered hidden FAT16 partitions on my hard drive, and there were endpoints/mounts in some of my Windows temp files.
I deleted and reformatted with Red Hat Linux 9.0 (which I feel much safer with, like the Mac idea, dugfresh33) AND a boot-up partitioning manager that reads well over 20 formats and file systems. I clean installed and put on Norton 2003, ZoneAlarm 3.x Pro and several of the buffer overflow patches that I have on disc, then went live from behind a NAT router, updated Norton, then Windows, very nervously the whole time, I might add, then I used the sysclean removal and damage cleanup tool at Trend Micro.
50 or more files had access denied errors for the scan; it registered as a clean system.

I had it all back on my system.

I had a tracking log in my recycle bin again.
I am a veteran and knowledgeable (enough, anyway, LOL) at SOHO networking, servers, and security, and I have never even heard of anything this bad.

I hear you loud and clear, dugfresh33. I have been battling for over two weeks now; I am almost 100% convinced this is somehow in my BIOS. It sure as hell intercepts the pass to the OS, and it seemingly comes out of NOWHERE!

I was running a registry logger last night; after about an hour on the internet, it started going crazy.
I saw buffer overflows suddenly happening, and hundreds of registry edits occurring within seconds.
I would pounce on the overflow immediately, and kill the handle, thread, and delete the reg key within seconds, and it kept coming.

One of the scariest characteristics that I have discovered is that it is now able to change permissions on its own, even when I unhook from the internet, boot into safe mode, and try to get the MSN and Messenger folders out of Program Files.
It also protects the Xerox directory, and it is all virtual, and it shows as 0 KB in size.
I had System Restore OFF for several reboots. I shut the computer off as soon as I delete a reg key, and when I get back up, in safe mode again and not hooked up, the permissions for the reg keys are changed and I cannot figure out how to get them back.
I shut down SAM, I try to change permissions with it, I try to take ownership and assign Deny privileges to the files and reg keys, and then on the next boot-up the properties boxes will no longer have the 'Security' tab on them, so I cannot access the privileges there, or in the registry.

Tell me this is the Sasser worm, Gaobot, all of them combined; it is not possible for a 1899 MB system (the size of the hidden FAT16 partition, on reappearance) to do all that on its own, is it?

The hidden partitions are named with weird symbols, as binary, and the tracking logs are replaced in front of my eyes when I delete/rename/edit contents/etc., RIGHT IN FRONT OF MY EYES.

I changed my IP. I have done everything that I can think of, and the only way I have gotten anywhere is by installing fresh after a 35-pass wipe of the HDD, and as soon as Windows finishes the install (I also choose custom, and delete all networking during the install), when it reboots for the 'Intro/Let's get started' screen - before that, I press 'F8' and go into safe mode.

I deleted the Messenger, MSN, MSN Gaming, and Xerox folders, after shutting down as many services as I can first.

Then I went through the registry hives for 'Users', 'Local Machine', and 'Current User', deleted every reg key from all the Run, RunOnce, etc. keys, went manually through all the networking keys in each (they weren't all involved at every step of reg editing, but various spots), and deleted every type of dialup and dialer and filetype I didn't recognize.
I deleted and changed settings for all kinds of permissions, and deleted all the keys and subkeys for the services I don't use, like 'Universal Plug'n'Play' and 'Wireless Zero Config'. In total, I deleted right out of the registry, prefetch, ini cache and SAM folders etc. at least 15 or more services.
This was on my second boot, both in safe mode, and both before getting to a regular desktop.
I also never created a user account, because there was no opportunity to with the safe mode startup.
I used a 14-character password for admin, with which I have to log in locally, and I set all the security params to delete the page file at shutdown every time and run no System Restore as we speak.

I have finally had about four hours on the net here without major incident, but I did find the folders, though not all the contents, recreated once in Program Files, but that might have had to do with Windows Update.

I don't know?
Personal vendetta?

I doubt it, and it is not a unique enough situation; in fact it is strikingly similar to several here.

Any guesses? Do any of you recognize anything?
Let's get this pest, people!
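
The post above describes clearing out the Run and RunOnce keys by hand and deleting everything unrecognised. As an added example (not mikmik's procedure or code), here is a Python audit that does the looking before the deleting: export the autorun keys with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (reg.exe writes UTF-16, so open the file with `encoding="utf-16"`), then review what each entry launches instead of wiping the keys blind. The allowlist, the "suspicious directory" patterns, and the `.reg` text below are constructed for the example; the program names in the sample are invented and are not indicators from this thread or any vendor write-up.

```python
"""Audit Run/RunOnce entries in a `reg export` (.reg) file.

Added example, not code from the thread.  Parses REG_SZ values under the
autorun keys, works out which program each one launches, and flags entries
that are not on an allowlist, run from a temp/profile directory, or are a
bare filename resolved through PATH.
"""
import re
import ntpath  # Windows path handling that also works when run elsewhere

# Autorun keys worth auditing (assumption: the common ones, not exhaustive).
AUTORUN_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Microsoft\Windows\CurrentVersion\RunServices",
)

# Programs we recognise as legitimate on this particular box (assumed list).
ALLOWLIST = {"avgcc.exe", "zlclient.exe", "ctfmon.exe"}

# Directories a legitimate autorun rarely launches from; 8.3 short names included.
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\recycler\\", "\\local settings\\",
                   "\\locals~1\\", "\\documents and settings\\", "\\docume~1\\")

EXE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

KEY_RE = re.compile(r"^\[(.+)\]$")
# Only "name"="string" values; dword:/hex: values are not commands and are skipped.
VALUE_RE = re.compile(r'^"([^"]*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Yield (key, value_name, unescaped_string) for each REG_SZ value."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, value = m.groups()
            # .reg escapes backslash and quote with a backslash; undo that.
            yield key, name, re.sub(r"\\(.)", r"\1", value)

def image_path(command):
    """Return the program part of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted paths may contain spaces: grow the candidate token by token
    # until it ends in a program suffix, so "C:\Program Files\x.exe /a" works.
    tokens = command.split()
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(EXE_SUFFIXES):
            return candidate
    return tokens[0] if tokens else ""

def audit_autoruns(reg_text, allowlist=ALLOWLIST):
    """Return the autorun entries that deserve a look, each with its reasons."""
    wanted = tuple(k.lower() for k in AUTORUN_KEYS)
    findings = []
    for key, name, command in parse_reg_export(reg_text):
        if not key.lower().endswith(wanted):
            continue
        image = image_path(command)
        lower = image.lower()
        reasons = []
        if ntpath.basename(lower) not in allowlist:
            reasons.append("program not in allowlist")
        if any(d in lower for d in SUSPICIOUS_DIRS):
            reasons.append("launches from a temp/profile directory")
        if ntpath.dirname(lower) == "":
            reasons.append("bare filename, resolved via PATH (hijackable)")
        if reasons:
            findings.append({"key": key, "name": name, "image": image, "reasons": reasons})
    return findings

# Constructed sample export; every program name here is invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"sysupd"="C:\\WINDOWS\\System32\\sysupd32.exe"
"dialer"="C:\\DOCUME~1\\OWNER\\LOCALS~1\\Temp\\dl_stub.exe"
"Count"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"updater"="helper32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Messenger"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"""

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG):
        print(f"{f['name']:12} -> {f['image']}\n    {'; '.join(f['reasons'])}")
```

On the sample this flags four entries: the System32 binary and Messenger only because they are not on the allowlist, the dialer because it also runs from a Temp directory, and the RunOnce entry because it is a bare filename. Entries that pass every check are left out of the report, so what remains is a short list to look up rather than a registry hive to delete.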

trsiyengar
05-11-2004, 05:54 AM
Mike,
It's really a horrible experience you went through, the same sort of job done repeatedly, to find the worms coming out from nowhere again and again! Despite your vast experience and expertise, if you had to face such a critical situation, think of us, having no experience at all, handling such situations!!

I deactivated AVG, downloaded the Norton AV trial version, then searched and scanned for the third time. The pre-installation scanner gave no indication of any virus or threat to the install. When the actual scanning took place, shockingly I found THREE more Trojan viruses, all in the hidden and system files. Deleted. Wiped out everything at once. Most of the viruses were in just one place: the GAMES files. Need I say any more about how it reaches my computer? Okay.

Then again I ran the NAV, for the third time. Oops..! Now again two sets of viruses: again the same Netsky I-Worm, and another being a Dialers/STMDLR.EXE, for which no virus details or definitions were found. Anyway, removed safely, but I do have another sort of problem.

The NAV scan states the following files are at risk of damaging my computer. But these are MS files:
CD.CLINT.DLL
MSBB.EXE
MWSVM.EXE
NCMYB.DLL (Netscape)
NULL
My OS being Win98SE, I cannot remove these files in the first place. Now the computer is working, but the threat persists. I was not asked to reboot again; but while using the NAV or AVG scanners, the computer goes off at a specific point, blinks and restarts again. But this time around, no dialogue to reboot!

I am really tired of formatting and restarting this stupid, and now really stupid, machine so many times. Wondering how, Mike, you could have handled your still worse situation. Pray that the threat comes to an end sooner than soonest, not only for you and me, but for the entire world of computer users.

TrafficProducer, really one needs such a break at times. And to say thanks in Catalyst's own words in the same thread:
Quote
Well, that certainly clears things up for me. How about you? Thank you, Bill Gates, for bringing all this into our lives while enriching yourself beyond all reasonableness.
Unquote
Now Pray, Pray and Pray. Go to sleep!

mikmik
05-11-2004, 06:12 AM
trsiyengar wrote:
Mike,
It's really a horrible experience you went through, the same sort of job done repeatedly, to find the worms coming out from nowhere again and again! Despite your vast experience and expertise, if you had to face such a critical situation, think of us, having no experience at all, handling such situations!!

This is exactly my concern!

What happens if thousands and thousands have no control over their own computers, and they are not knowledgeable enough to even get updates?

Your problem sounds very, very similar to my own. I have had success now for many hours. Another method of detection, indirectly, is by the amount of system memory being used.
I first noticed long ago that I would boot up using 90 MB of RAM, but after only 2 hours I was using well over 230 MB, and that was just 'idling'.

I am going to put Windows 98 on my other computer, and see how we can deal with this.

We shall overcome.

But remember, it was not Bill Gates who chose to write the viruses, and it is a malicious and greedy action that brings this situation into being.
It is easy to blame Microsoft, because we can SEE them, they are real to us.

An anonymous adversary is a frustrating concept to deal with, but the true villain.
Where would computers and the internet be today if not for Bill Gates' dedication and drive, misguided or not? He may also create opportunity for grief, but that may just be an eventuality brought about sooner anyway, and the sooner faced, the sooner overcome.

I have some IPs that I have to send; I caught some transfer going out, but I don't know how valuable it is.

Faith is the greatest prayer.

trsiyengar
05-11-2004, 12:01 PM
I agree with you, Mike. My concern is about the scores of persons using computers, many of whom are not even aware of what sort of viruses are affecting their computers. Fortunately, I for one learnt a lot through this forum; words can't express my gratitude to all the members taking part in the many threads that educate even a layman to experience things on his own.

And as for the world's richest man, he is made fun of; lots of jokes apart, for every failure of a computer (even if it is not from Microsoft!) he is quoted and laughed at in all sorts of mentions.

Now I could finally identify the particles that are resting in my computer: Sasser, a Trojan horse and the Netsky-Q I-Worm, sighhee, all at one time. I removed all, except that I need to go to Microsoft Update for the Sasser tool kits and other updates and downloads. The problem I face now is that when I log onto the net, it acts faster than I could imagine; when the download begins, again it blinks.

It seems the programmes were cleverly made to resist removal! Wonder whether this could be an easy job that I can finish in a day or two! The reboot command is gradually taking shape, even after many trials of anti-virus scanning several times. Now it shows "no virus threat", but how then does the reboot order surface again?

Without any technician's help (and of course with this forum's members' kind help and posts), so far I could get some repairs done. Thus far the suggestions were very crucial to getting my computer started, and I am posting this from my "hacked" computer only. If it doesn't get any improvement, I may have to seal this once and for all and try another buy!

Whaddoya think about some of the computer sellers and manufacturers encouraging these sorts of programmers of virus creations? How many man-hours lost worldwide; how much money spent on repairs; what sort of tension and turmoil one has faced; OMG, spare others from this sort of painful experience.

nevboyle
05-12-2004, 12:28 AM
A quick note for all using Windows XP.

System Restore can get you out of a lot of trouble; however, if you have a virus, you must turn System Restore off when you delete the virus.

If you do not turn it off, and the virus is also in the System Restore records, it can reactivate. Viruses do not get deleted from System Restore.

When the virus deletion is finished, turn System Restore back on. You will then notice all previous restore points are gone, and a new one will start.

mikmik
05-12-2004, 02:22 AM
Thanks, nevboyle, any and all help is appreciated.

But I will tell you about this one I just found out I STILL have around somewhere.

I not only turn off System Restore, I have now turned off the pagefile.sys, and I delete every single temp and recycle bin file before shutdown. I then boot to a partition/HD utility, and check to see if the 'disease' has somehow managed to survive - as the hidden partition, or as evidenced by a change in the other partition.

I have deleted so many reg keys and ini files that many things are beginning to not work "quite properly" or at all.

If it comes back again, I will lock myself in a closet! LOL

pete61uk
05-12-2004, 05:27 PM
mikmik, referring to your earlier question:

"Pete61uk, do you and I have to open a can of whoopass on someone?"

Just how big a can were you thinking. Will one be enough?

Iyengar, as regards the German boy: if he's "really" bright, he'll probably get a 'token' prison sentence, do half of it, then start a $50K-a-year job with the government?

mikmik
05-12-2004, 07:02 PM
pete61uk poses a most interesting question
Just how big a can were you thinking. Will one be enough?

Well now, we each bring two (in case he tries to get up, several times - probably too stooopid to stay down [kidding]), then we beats 'im like a rented mule, finally paint the ground bright red - but that's not all, oh no - then make him buy everyone who got hit with any virus/trojan/worm/BrowserHijack/macro/script/common cold and/or owns a computer... we'll put him in charge of everyone's security!
If it is breached, anywhere, we start over on him.

Good thing we are so laid back haha...........

trsiyengar
05-13-2004, 01:07 AM
pete61uk wrote:

Iyengar, as regards the German boy. If he's "really" bright he'll probably get a 'token' prison sentence, do half of it, then start a $50K-a-year job with the government?

Haha, eventually that might take place!

Mike, despite all the do's and don'ts, I am pushed back to the wall. Countless times I tried to isolate, particle, deactivate and even deleted the worms and viruses; now again and again I am asked to reboot! How these trojan horse programmes reappear is really a mystery! Formatting for the last time; have already saved all vital docs n files on separate removable discs with the help of CD write. Fortunately, I could lay hand on this one and get it to listen to my command.

The shocking point herein is, when the dialogue box describes a virus and asks whether I need to copy this, I say a firm NO. But to my utter surprise, this too was copied automatically. However, on second scan of the removable disc, I got this file deleted and removed totally from the machine with the help of NAV. Now a final run, cut off from the server, I-net Cable, a thorough re-run and re-boot, I hope to see it working. But with reservations!

The national election tempo keeps me for the time being hooked to the TV, the real Trojan horses and viruses in the form of Parliamentarians, now going to enter the parliament, to infect my nation, India - that is Bharat! Let me take a break here!

mikmik
05-13-2004, 01:37 AM
I was going to ask you about the elections. Three weeks, more, worth and mayhem there, as well.
It is beyond my comprehension having coalitions of twenty parties, and every one suspect in certain degrees.
You best move over here, I need roommates, we would get along!

Now, I am going to telephone you if I have to, and we could try to go through it together, I won't be getting too much time away from here if I can help it.

We will see, maybe a couple of days, I am now seemingly away from the infections, and I discovered a trick. Unfortunately windows 98 has to keep rebooting when it is incessantly "Found new hardware" and all that.
What I have discovered is to immediately go into safe mode when it starts for the first time, and delete, not the recycle bin send to, but holding the 'Shift' key when you delete, and this just gets rid of it.
I found that by deleting all the MSN Messenger, and gaming zone and Windows Messenger plus yet the Xerox folders, completely out of the Program Files folder, and always doing that from safe mode, it has stopped the virus from running yet left windows functionality intact!
Then it is too bad for the young ones, so it might not be advisable.

It is easier to work on a phone, though, than here.

We can see, I always keep hopes up, don't let the bad guys have your spirit on top of your computer ;O)

mikmik
05-13-2004, 05:07 AM
TRS, do you know how to use 'regedit.exe'?

Click the start button, then 'run', and in the box type regedit.exe, just the letters and the one period only - no other punctuation.
Then when the program opens, in the top tool bar that says: FILE EDIT VIEW ... click EDIT and then select "FIND NEXT".

You can then cut and paste this
ProxyDevice = "C:\Root.exe"
into the box and click the FIND NEXT button.

Make sure all the boxes labelled "Keys", "Values", and "Data" are checked, and make sure that "Match complete substring only" is unchecked.

There are some other suggestions here http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GRUEL.E&VSect=T which that is one, and I am not sure exactly, but I think we are on to something here.
I have found a couple of webpages that contain 'eerily familiar" references and descriptions.
I am now so far over 24 hours without incident, except for one disturbing point of note: At the windows update site, every time I scan for updates, this same one comes up, even though it says that it was installed successfully, and this happens no matter how many times I do it.

The patch is for the LSASS Buffer Overflow, it is the same weakness the sasser is exploiting.
This one thing still has me greatly concerned.

I found all of the above following links to TrendMicro from this page at [url=http://www.esecurityplanet.com/alerts/article.php/2237991]esecurityplanet.com[/url]

I have some more to check out.
These may not be completely right, but it would be good practice if you can follow my instructions above, for this is the level of technical knowledge that I have had to become completely comfortable with in the last two weeks, and I have killed my windows countless times unintentionally by deleting keys in the registry like this.
But i was just trying to do these things without instruction or guidance, and I made a lot of 'lets see what happens when I do this' type of judgement calls.
I hope my instructions are right for windows 98, I think they are, but I just haven't the time to get to that yet.

We are brothers, victorious by commitment, already. We are learning to face challenge and the unknown together, and we are turning this into a positive experience in spite of the malice.

This is a great thing to be able to do.

Do you see this, TRS?
We will gain serenity and victory no matter what, even if we do not know why we will need it until later challenges are faced in the future.

Oh boy, I am getting chatty!
We will not be denied some sort of 'good' anywhere.
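The regedit Find described in this post, done as an added example over an exported .reg file rather than the live registry (this is not code from the post or from Trend Micro). Searching an export lets you inspect a copy taken from a suspect machine without touching it further. The sample export is constructed: the value name ProxyDevice and the data C:\Root.exe are the strings the post says to look for, and their placement under the Run key is an assumption made for the sample.

```python
"""Offline equivalent of the regedit Find described above.

Added example, not from the post or from Trend Micro. Instead of searching
the live registry it parses a regedit export (.reg file).
"""
import re

# Constructed sample export. The value name "ProxyDevice" and the data
# C:\Root.exe are the strings the post says to search for; their placement
# under the Run key is an assumption made for this sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ProxyDevice"="C:\\Root.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Program Files\\Example\\update.exe"
"Timeout"=dword:0000001e
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def unescape(s):
    """Undo the escaping regedit applies to backslashes and quotes in exports."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Return a list of (key_path, value_name, data) tuples from .reg text.

    String data is unescaped; dword:/hex: data is returned as the raw text.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]          # new key section
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue                  # ignore anything outside a key or unparsable
        name = '(Default)' if m.group(1) is None else unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = unescape(data[1:-1])
        entries.append((key, name, data))
    return entries


def find_in_export(text, needle, keys=True, values=True, data=True, whole=False):
    """Mirror regedit's Find: search keys, value names and data (case-insensitive).

    whole=True corresponds to the "match complete/whole string only" box, which
    the post says to leave unchecked so that a substring such as Root.exe is found.
    """
    n = needle.lower()

    def hit(s):
        s = s.lower()
        return s == n if whole else n in s

    results = []
    for key, name, value in parse_reg_export(text):
        matched = [w for w, s, on in (('key', key, keys), ('value', name, values),
                                      ('data', value, data)) if on and hit(s)]
        if matched:
            results.append({'key': key, 'name': name, 'data': value, 'matched': matched})
    return results


# Triage heuristic, not from the post: legitimate autostart entries rarely
# launch an executable sitting directly in the drive root.
ROOT_EXE_RE = re.compile(r'^[A-Za-z]:\\[^\\]+\.exe$', re.IGNORECASE)


def root_executables(text):
    r"""Entries whose data is an .exe directly under a drive root, e.g. C:\Root.exe."""
    return [(k, n, d) for k, n, d in parse_reg_export(text) if ROOT_EXE_RE.match(d)]


if __name__ == '__main__':
    for r in find_in_export(SAMPLE_REG, 'Root.exe'):
        print(r)
    print(root_executables(SAMPLE_REG))
```

Run it as-is to see the one hit under the Run key; to use it on a real machine, export the hives with regedit (File, Export) and pass the file contents to find_in_export in place of SAMPLE_REG.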

trsiyengar
05-13-2004, 05:53 AM
Mike,
I did see this post; with the same computer that hacks itself again and again. Now I shall run the Registry fix as directed by you. One thing I get a sort of kick from is my own kids landing on the Games site. With my level best I explain to them about the problems, but both of the compu kids of generationext, they laugh at me for everything I tell about management!

Without their help, I did construct a web site, running it for four full years, having a very low viewership (58000+ in all) and still not asking for their help for any of my computer related job. But this Forum has given me a lots of strength, to pick from the scratch.

Let me try once again with your advice that might give me a good start, this time around once and for all. Unfortunately, for win98se there is no sasser tool kit available (Microsoft says win98se is not affected by this sasser problem!) and hence we have to deal with it manually.

As far as the elections, the best managed ruling coalition of twenty two parties is waning, losing majority and at the brink of collapse with less than 200 seats. The trouble is NO majority either for the opposition, the stray ones are having a field day. These smaller parties, regional outfits and single member floating parties for self interest are all the ones who spoil the spirit of Democracy. Caste, Creed, money and muscle play a vital role too! Hung parliament to hang the Indian future! A fractured verdict is not a healthy one, I feel. Now, the horse trading begins.
God Save India, God, Save my computer too!!!
With warm Regards

Taken a printout of your instructions. It should help and visiting the link too. Thanks a trillion for your concern, Mike.

mikmik
05-13-2004, 06:46 AM
TRS Iyengar, thank you. I admire your persistence.
I have just found a site that may have other information. It is Microsoft TechNet Security, and it has many ideas and help.
http://www.microsoft.com/technet/Security/default.mspx

I am also trying to collect a bunch of the update patches so they may be copied to a floppy disk, or disks, and therefore installed without hooking up to the internet. Also, this is a very easy to implement tool, and I use it to see if the 'Scum infection bug' (any nasty word is not enough lol) is there every time you turn on your computer.
It is very easy to use, and you only need to have winzip to open it, a blank floppy disk, and you make it with only a couple of clicks.
http://www.bootitng.com/bootitng.html
There is a link to initiate the download at this page.


I must sleep soon, and i have, of course, much catching up to do, but I will never stray far from here.
We are mad, and we will win shortly!!

mikmik
05-13-2004, 07:11 AM
I should provide more information so it is easily accessible to you here.

With the "Bootit NG" floppy disk you make, it is then possible to exert some control over the pest. (it will be okay on your computer, i did it with still all my problems present)


When you turn on or reboot computer, put the floppy in first, and it will start instead of Window98. (If it doesn't, it is yet another matter to attend, but an easy one also)
It will make a desktop view on your monitor much like a very simple type of windows.
At the very first screen, it will ask if you wish to install it, and just push "Cancel"
It will then put 6 icons for you to click (See? It works with the mouse and everything haha)

One is called "Manage Partitions" Click.
It then shows a table with a line by line list of all software 'spaces' being inhabited.
This is where I saw the one that was the culprit, for the first time, and you will too, if we suffer similar or the same problem.
It is then a matter of highlighting the one that has a name that is not made with our alphabet here, and must be similar for you.

It was called " xyz", where xyz were any number of strange symbols unrecognizable but as 'special characters' in the html ascii charts. Then select "Delete", a new window presents itself with options, or boxes to select, take them all, there are three, and it will perform a "Wipe" of the code.
This may take a very long time as it does this 35 times.
Talk about 'making sure'
I grew impatient sometimes, and stopped it, no harm was done, and it was in any case, gone, maybe not as far as could be, but gone.

This then is a most satisfying feeling, believe me!

I do this every time I start windows, and it gives a chance to wound or badly damage it's recuperative abilities, which so amaze both of us, yes? (it has the ability to still manifest several more times, but grows weaker each time.)
I will be back soon.
I am also grateful for an opportunity for our camaraderie here, my friend :o)

Here are some FAQs from the site. Do not worry about installing anything, it is not necessary for our purposes.

General Questions

Q What is BootIt NG?
A A partition and multi boot manager with a powerful and simple to use set of tools for partitioning, imaging and booting your computer. It combines the features of several standalone products costing hundreds of dollars more.

Q Can I install BootIt NG and keep my existing partitions.
A Yes, as it has always been, all partitions are retained during installation.

Q Why is it only $34.95?
A It's under priced, take advantage while you can.

Q Are there quantity price breaks?
A Yes, see help in BootIt NG.

Q What is shareware?
A Shareware is a marketing method, not a type of software or even strictly just a distribution method. When software is marketed through normal retail channels, you are forced to pay for the product before you've even seen it. The shareware marketing method lets you try a program before you buy it. Since you've tried the program, you know whether it will meet your needs before you pay for it. A shareware program is just like a program you find in major stores, catalogs and other places where software is purchased except you get to use it, on your own computer, before paying for it.

Q What is an EMBR?
A It stands for Extended Master Boot Record. This is where your partition names are stored along with several other pieces of information required for BootIt NG to work properly as a boot manager. You may find documentation from other sources which misuses the acronym EMBR in place of EBR (Extended Boot Record) which is an area inside of an extended partition.

Q What is BootNow?
A It's a separate free product available here which allows you to select the boot item from within Windows 9x/ME/NT/2K. By double clicking a BootNow item the system will shutdown and restart with the selection you chose.

Q Does BootIt NG work with my OS?
A BootIt NG should work with any Intel platform OS which uses the MBR or EMBR.

Q What is the difference between copy and image?
A Copy creates a copy of a partition whereas image creates a compressed image of the contents of the partition which can be saved as a special partition type, to a file, or directly to CD.

Q What terminology is used in BootIt NG that I might need to know?
A "Extended partition" is a special type of primary partition. "Volumes" are the logical partitions inside of an extended partition (What Microsoft refers to as logical drives). "Partitions" usually relates to "primary partitions" but in some cases can mean both a primary partition and volume.


Q Is BootIt NG compatible with other disk partitioning utilities?
A Yes and No -- It's your choice. During installation you'll be asked if you want to enable support for more than 4 primary partitions. If you answer "no" then, if you like, you can continue to use other disk partitioning utilities; otherwise you'll only want to use the partition tools in BootIt NG. The option can be changed at any time via the "Limit Primaries" settings - If it's checked then you can use other partitioning utilities. If you actually plan on using other partitioning utilities then you'll probably want to enable the "Alternate CHS" option in BootIt NG as well.


Q Can I create a bootable CD instead of a diskette?
A Yes, Simply use the diskimg3.dat file (included in the zip file) along with your favorite CD burning software to create the bootable CD.
If your favorite burning software doesn't support creating a bootable CD from a diskette image then you can download and use mkbiso to create a bootable iso file which can be used by the program. (For example: You would use "burn image" in EZ CD Creator 4).

Note that because the installation routine will not be able to write to the CD media, you will receive a couple of warning messages during the installation process - these warning messages are simply notification messages.



Q Does BootIt NG require DOS?
A No, it's totally OS independent. It does include a DOS based program (bootitng.exe) to help you create the installation diskette. This single "DOS" program allows you to create the installation diskette under all Microsoft operating systems including MSDOS, Win95, Win98, Win98SE, WinME, Win2K, or WinXP.



Q Why do I have to install from a diskette or CD instead of directly from Windows?
A While it would be a trivial task to provide a full Windows based installation program for BootIt NG, it is not provided for one main reason:

Although most systems will work fine, you don't know ahead of time how compatible or bug free your system firmware or hardware may be. Many people are unaware that their system could be buggy or non-pc-compliant even if it can boot and run Windows.

This is because Windows only uses the BIOS sparingly while BootIt NG uses it extensively. Some firmware/motherboard manufacturers don't fully test all aspects of BIOS before it's released, this means some systems may require a BIOS upgrade to work correctly with BootIt NG. In addition other systems may require BootIt NG to use a different video mode setting than the default mode.

trsiyengar
05-13-2004, 08:05 AM
Mike, it is fine I got everything from one single source named Mr. Laing!! Good, I have such a nice friend at another corner of this globe, I should be able to tackle the little worms and viruses with a little s'driver!

BTW, noted the contents in post 30 above, you may delete this one for reasons best known to you, and of course, this helping tendency of an individual should not put himself into trouble. I hope you got the meaning. When you land next time, you will see me again with full vigour, the tonics I am having from your post.

Bravo Mike, for splitting the contractual obligations of TM product, ooops, it should not be there at the first place, in a public forum. So I rq you delete it.

Select, Print only selection, REST is done. Now take some rest, I am too tired to make any fresh move. Whole day sitting with this Stooping stupid machine. Now it should listen to my command, once I follow your advice.

mikmik
05-13-2004, 09:38 AM
Helping is my dāna. It's a start!

right understanding, right thought, right speech, right action, right livelihood, right effort, right mindfulness, and right concentration...

I am unsure what you refer to in the words above, but I think you are seeing things (wink)

This Mr Laing, he has made himself a friend, and he considers himself yet blessed again.
He is my friend also, and he told me Hahahaaaaaaaa

Good night,


Right F****** On!

mikmik
05-14-2004, 12:27 AM
You guessed it.
I still have it, even though it can't transmit, it is stopping some patches from installing at the update site.

Here, TRS, we can get everything first before we go online to update our AV. All windows patches and updates, for offline installs, all 9X to Windows 2003. (I forgot to notice if 64 bit was there.)

I just copied this from my other forum, the 'anger management for the temporarily grouchy' site.


http://www.softwarepatch.com/windows/

I actually have just discovered that my little bug is still active on my system.
I wanted to be able to install as much security and fixes before having to actually connect to the internet.

Everyone can now get all windows updates for installing offline, which is much faster than doing it while on a 14.4 with no protection.

It is probably great for techs to stock up for those dreaded 'House Calls from heck'.

You know, they have not just Hotbar and comet curser and Max the parrot, they have every version of each one ever released, all running simultaneously.
They have the same password for every MSN and ICQ etc, it is their last name etc.
They are running Windows 95, on a pentium 75MHz, with 16 MB or the 32 pin RAM, and they insist that it was just fine yesterday, they would run 5 or 6 programs at once.
You know this is true, because when you surgically extract their computer from behind a 40000ton solid lead china cabinet that is somehow shakier than a 214 year old man with a two quart a day Oldspice number 3 habit, and has just gotten his head caught in a paint mixer/shaker and is out of Vanilla extract AND gasoline. It also has a 1400 year old paperthin Ming Dynasty vase perched somehow in a gravity defying 2/3s of the way out over a corner.
Then you open it and once the ensuing dust storm has created the Sahara desert in his living room and you shovel out the rest, there is not even a processor installed.
But it worked perfectly yesterday, and his 112 year old great-great-great granddaughter, who is still a virgin, and is very likely to conclude that every man in the world is laughing behind her back, she is holding a 14 barrel 57 MMgattling gun pinpointed with laser tuned accuracy between your legs the whole time, until that computer is working like it did yesterday.
You must be prepared to make no mistakes, take no chances - like catching a virus while updating Netscape1.1d online.

That would be cruel, even to me.

Be prepared.

Be very prepared.

trsiyengar
05-14-2004, 02:55 AM
mikmik's quote:

and his 112 year old great-great-great grandaughter, who is still a virgin, and is very likely to conclude that every man in the world is laughing behind her back, she is holding a 14 barrel 57 MMgattling gun pinpointed with laser tuned accuracy between your legs the whole time, until that computer is working like it did yesterday.

What worse can a man face than the above? Okay, all the tricks and tantrums played as advised. Sometimes, it takes off, many a time it bunks and blinks, bouncing like a wild cat on the prowl.

After registry was edited, it seems bouncing back with many other problems; now this time around the dialogue responds: "unable to copy to the disk. some of the documents may be lost. press any key to continue or press ctrl+alt+del to restart"

Whichever the choice you take, it goes back to its naughty and ugly face showing again to reboot. But sure it is somewhere the fault lies. Surprisingly, after repeated attempts, I do get the machine started; on one such occurrence, I land here to check for further news.

Yesterday I landed at Microsoft link for n security updates and patches. That's fine, I did as needed.

No, I am not giving up yet, trying hard to see to the finish. My motto:

THINK FOR THE BEST, ACT FOR THE BEST BUT ALWAYS BE PREPARED FOR THE WORST TOO!

Now again for the second time I am checking for all updates and downloading same to patch and to catch with time.

I am still not sure of my getting it set right, but keep every option open to set it right, at the earliest.
Regards,

mikmik
05-14-2004, 04:09 AM
This is my plan, I am doing it next:
I downloaded all the patches etc for my WindowsXP, and I will make a CD with them.

I will then completely wipe my hard drive. with that bootit NG thing.

Then I will re-re-re-....-re-install windows, but this time, I will be able to put all the protections in place from the CD without going online to do it. This is crucial, for it is when we are vulnerable, and it takes at least an hour or more of internet connectivity to get all the protections in place at the 'windows update' page. By the time all this is finished, I am assuming the bug has already sneaked in, and will continue to grow, no matter what.
I am also going to flash my BIOS, but this is not for the inexperienced to be learning right now.

It is, however, still a possible plan for you, and if it works for me, then it is easy enough to do, actually very easy again, just a little dangerous if a small malfunction occurs anywhere - then it may kill the computer almost completely.
Maybe this is a good idea by then, I do not know.

We are soon to be elevated to near complete enlightenment and being, Haha :o)


http://www.softwarepatch.com/windows/

===============================


Quoted from trsiyengar
mikmik's quote:

and his 112 year old great-great-great granddaughter, who is still a virgin, and is very likely to conclude that every man in the world is laughing behind her back, she is holding a 14 barrel 57 MMgattling gun pinpointed with laser tuned accuracy between your legs the whole time, until that computer is working like it did yesterday.

ah aha ah ah ahh ahhaha.....

It is a situation that is understandable for female techs as well, without the . ah,...... I realized it was a sexist thing to say, because of course, there are female computer techs, like 'computers', all over the world, but could not bring myself to edit the original, for that would indeed be a man's worst nightmare, if he were sexist, which trs and I are not........

pete61uk
05-14-2004, 05:28 AM
mikmik and Iyengar. Hope you are both progressing in the repair department as you appear to be in that of speed-writing?

As you know, I'm not one to shy-away from asking potentially stupid questions. However, this one might be useful for anyone else who's currently observing your clean-up's progress? So, here goes:

This concerns "any" virus protection software with a "recovery-disc" utility. As I understand it, the whole premise of these recovery discs is that they are supposed to enable an isolated boot-up returning your system to a "known-safe" configuration and "isolate" suspect configuration and registry entries/folders/files etc., in events such as those you are currently cursed with.

Do they actually work when faced with the level of sophistication employed by today's scumware producers. Just what is the level of protection they provide?????

mikmik
05-14-2004, 11:15 AM
No, pete, there are no stupid questions, just people who don't listen to Bohemian Rhapsody when they have a chance. ;op

The problem with making a rescue disk is that you have to make an image of your system when it is clean, but because you have to be online to get updates for both your OS AND antivirus program, you are open to attack (buffer overflow exploits).

So TRS Iyengar and I cannot get a clean system functional before it gets compromised. Basically, there are so many computers broadcasting the 'search and infect' messages - 100% of the time - from infected computers, that as soon as you connect to the net, you get hit.
There is zero time to get updates.


Let's start here:

These are flaws in all OS's that may be exploited, but Windows RULES, so everyone studies it - 95% of users have it on their computers, 94% are not quite with it. So they make the patches and put them on the Update Site.


I got all the Critical Windows updates burned to CD. All the 'virus/worm protections, buffer overflows, and vulnerabilities patches, plus SP1. I saved them.


(BUFFER OVERFLOW - BUFFER is memory cached temporarily for packet regeneration or something.

They basically confuse your computer into passing info around a bottleneck point, instead of a fifo - first in first out - type of data handling, so instead of locking everything, it slides by and executes commands, bypassing the 'clogged pipe' that is locked, effectively freeing up the processor, I guess?)

I wiped my hard drive completely, obliterating all trace of formatting and boot partitions. Then I flashed my BIOS, formatted the drive, installed windows, then the patches. The patches took, finally, I am protected from online attacks.


Now, on top of this conundrum, I, and I strongly suspect TRS also, have been hacked, in a similar manner, but instead of multiplying and spreading, or launching DDoSs, my computer is also being used as a server, and router for streaming media, and also gambling and other online games.
Once on my computer, the infection was able to assume control of the inner workings of my internet connect, and locate a source website .
From here it downloaded some kick ass encryption software, video file, modems, graphics drivers, 'themes' (your windows look) and all the odbc and sql scripting to manage accounts.

Do you want to know why I am freaking out?
They are not only using my computer, and bandwidth to literally feed video straight to encrypted connections and then other people's monitors, but all the evidence is in my computer, and is not in their possession. Because they have complete control of my resources, and something called "Chicago" and even more wicked cracking and password breaking software on as high a priority instruction stream as they want, there is almost no way to trace this.

Everything is so deeply encrypted and inaccessible
(to all but the most sophisticated and F****** difficult to learn utilities :O)).

THAT IS ONLY HALF OF IT!!!

The kernel of this 'package', or 'suite', is using either fat12, or fat16 partitions that are virtual, named/mapped with Klingon Hieroglyphics, hidden to almost all disk reading software, and ALSO mutating.

This stuff is able to react to my efforts. If I locate a hidden partition (One 'block' I have found, is 1899 MB in size!!!!!) and delete it, there are other methods to restore the mapping or whatever. When I shutdown to reboot, it is able to spread around enough and assume other File Systems (NT), and it re-assembles as you reboot, to a new location, with a different type of name!!

Now it gets good, and I have had to do some serious double checking here to be sure I could believe my own eyes.

Let's say I locate a thread, or handle, or process tree (These are hard to kill, and often just crash your computer) with a 'super' task monitor program, to free up a security check violation long enough so I can try to change permission using
properties boxes and windows - just to F***** only be able to delete a dll or bat or ini file that is crucial for this thing.

But I almost never get enough damage done and it is able to restore everything on the next reboot - my 'attacks' (LISTEN TO THIS, IT IS FANTASTICALLY BIZARRE!!) on this hijacker have now produced the properties boxes and windows (When you right click and select.....properties!) that don't have any choices to change anything that were just there two minutes ago. (The security tab)

It is so bloody wild what I have been doing for the last three weeks.

What made me sick the most, was the realization that I was not even really seeing my desktop - it was virtual also. You know when you open a big folder, or totally switch windows or views, and there is a sort of 'stutter' and the desktop refreshes?
That is what was starting to bother me two months ago, it was happening all the time, even if I set the memory cache for the display to twenty times normal.
I put 160!!Mb aside for icons!!!!! and it was still redrawing every 5 or 10 seconds sometimes, and it would get things wrong!!! Once in a while I would think..."Hey, wasn't this just over here last time I looked?"

Or,"Didn't I just put that doc in the other folder, now it is back in the first one?"

I have to stop now, I just keep remembering more and more weird shite. I've learned 10 times as much about windows, and desktop security in a month, as I did in the whole other two years of computer use.

I am seriously thinking of trying to weasel a scholarship or reward out of someone somewhere.
I was hoping I would be able to trace this, and get 250 big'uns from MS.
I wish I didn't have to just wipe this stuff. I have hundreds of log files and tracings, but man, it isn't possible to save the actual software around anywhere and still feel very safe, let me tell you dat one!
I never know if I am looking at a slow running command, or the program is trying to piece together a desktop to feed me so I won't get too suspicious.

Weird is an understatement.

trsiyengar
05-14-2004, 11:38 AM
Hi Pete,

After a long lull, it seems you too returned to this post for a mission fact finders.

quote:
....Do they actually work when faced with the level of sophistication employed by today's scumware producers. Just what is the level of protection they provide?????
unquote

Pete, in reality, the sorry state of affairs is, the law breakers are always one step ahead of the law makers. Be it in internet or any other profession. Eventually, they might get caught one day, but by then, the damage is already done beyond repair.

mike's concern:

....that would indeed be a mans worst nightmare, if he were sexist, which trs and I are not........

Agreed, it is somewhat a reference one needs to put at an extreme point of vex (?) Or a days frustration at work? Or the mounting pressure put up by these hacksterds and scamsters? Hahaha, see my religious web site doing in all the search engine's results for, Newly wed sex, sex is part of life, newly wed couples sex and so on and so forth! Am I? At the age of 54? No, not gne crzy yt> hshshhhh

Mike, A GLAD NEWS! I arrested the situation, just with the help of the http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GRUEL.E&VSect=T pages link given by you. Actually, it was this problem really I had in my computer. I never dreamt that my computer could really be controlled by a thug remotely, this way.
(no definition, no data available etc labelled in the dialogue box for this programme). But it is purely an anti-Microsoft programming that took all my time to set it right. Until now, after the fix, no recurrence of the command for reboot. Hope the agony ended now.

Now how many patches of security does one need to download. How much money does one need to spend on building a firewall, safety measure software, virus detection, etc. and etl. If one has to pay an enormous amount for these services, really the middle class computer owners will sink.

After switching to XP for some time, I am now back to win98se because of its operational convenience. Moreover, most of the latest gadgets does not go well with XP as it is with win98. This is my practical experience, contrary to the claim made by others.

Enough is enough. I survived the attack, now I need to keep the surveillance guard of safety. Keep your eyes wide open; be alert. What is happening behind the screen is likely to kill your computer, and your skill too, if one is not vigilant.

mikmik
05-14-2004, 03:24 PM
What we have here is a tool that logs some user access rights.

The first line, "901", is about the 600th or 700th line in a series that occurred in less than a second. It is the buffer overflow in effect on the Security Accounts Management module, the LSASS service, and is the famous escalation of privileges, it looks like to me, and it is alternating 'undock' and 'load driver' commands. Then 907 is where it is well impersonating someone.


1576 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: UNDOCK
901 11:00:34 AM explorer.exe:1144 1576 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: LOAD_DRIVER
902 11:00:34 AM explorer.exe:1144 1576 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: UNDOCK
903 11:00:34 AM explorer.exe:1144 1576 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: LOAD_DRIVER
904 11:00:34 AM explorer.exe:1144 1576 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: UNDOCK
905 11:00:34 AM explorer.exe:1144 1576 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: LOAD_DRIVER
906 11:00:34 AM explorer.exe:1144 1576 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: UNDOCK
907 11:00:34 AM services.exe:556 696 IMPERSONATE CLIENT OF PIPE 000003E7: \\NT AUTHORITY\SYSTEM 0000A428: \\CRAY\MikeL
908 11:00:34 AM services.exe:556 696 REVERTTOSELF 000003E7: \\NT AUTHORITY\SYSTEM
909 11:00:34 AM services.exe:556 696 IMPERSONATE CLIENT OF PIPE 000003E7: \\NT AUTHORITY\SYSTEM 0000A428: \\CRAY\MikeL
910 11:00:34 AM services.exe:556 696 REVERTTOSELF 000003E7: \\NT AUTHORITY\SYSTEM
911 11:00:34 AM services.exe:556 696 ADJUST PRIVILEGES 000003E7: \\NT AUTHORITY\SYSTEM ENABLED: AUDIT
912 11:00:34 AM services.exe:556 696 IMPERSONATE 000003E7: \\NT AUTHORITY\SYSTEM 000003E7: \\NT AUTHORITY\SYSTEM
913 11:00:34 AM services.exe:556 696 REVERTTOSELF 000003E7: \\NT AUTHORITY\SYSTEM
914 11:00:34 AM svchost.exe:792 1480 IMPERSONATE CLIENT OF PORT 000003E7: \\NT AUTHORITY\SYSTEM 0000A428: \\CRAY\MikeL
915 11:00:34 AM svchost.exe:792 1480 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: LOAD_DRIVER
916 11:00:34 AM svchost.exe:792 1480 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: UNDOCK
917 11:00:34 AM svchost.exe:792 1480 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: LOAD_DRIVER
918 11:00:34 AM svchost.exe:792 1480 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: UNDOCK
919 11:00:34 AM svchost.exe:792 1480 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: LOAD_DRIVER
920 11:00:34 AM svchost.exe:792 1480 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: UNDOCK
921 11:00:34 AM svchost.exe:792 1480 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: LOAD_DRIVER
922 11:00:34 AM svchost.exe:792 1480 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: UNDOCK
923 11:00:34 AM svchost.exe:792 1480 REVERTTOSELF 000003E7: \\NT AUTHORITY\SYSTEM
924 11:00:34 AM svchost.exe:792 1140 IMPERSONATE CLIENT OF PORT 000003E7: \\NT AU


These logs are getting to me, but at least they are in engrish, and not some quasi-decimal doo-doo.

I WISH that I only had the Nimda, MyDoom, and Sasser worms all at once, compared to this thing.
I had to block all ports blah, blah, blah.

Oh boy.....

Okay, Pete, I'll meet you at the White Cliffs of Dover, and would you be so kind as to video me throwing my computer over the edge? But it is not my lovely computer's fault, it is all yours, wclew.

Yup, get me four pallets of heavy duty, industrial strength 'Crazy in a Drum' to me by Saturday @ 14:00H PDT.
And make them the 90 Gal.
Does anybody still tune in any more, or is this just some typing practice now?

I am just going to count to 10, then breathe nice and slowly, and then nice and calmly bundle up my Glock und Shpiel 55mm rocket launcher array, and maybe go take out the prison where they have a known script kiddie, and I am, all nice and calm, going to release a slight buffer overflow from my cerebral gangliar grid, frontal cortex, third cupboard on the right..

If anyone knows how to work this, please, feel free to share. I am getting to the point now that I have been making 1 dollar an hour doing this; I could have bought another computer that didn't have any crazy already installed.

I will see you tomorrow, pete61uk, even if only in spirit, but it will be nice to think about our little jaunt to hanover or duselberry to visit our buddy and pass a warm thank you his way, just for being there.

Here is a little something that my mama done taught me..
99 lines of code to debug.
99 lines of code to debug.
You takes one out and compile it again,
there's 101 lines of code to debug la la la la///

Actually, it was paulhiles that I heard that from, and it might bin has big ole' daddy don tought him dat wun, you bet.

Well, I have to go and reinstall my Windows ZP now. I think I'll try a new approach, and see if I can do it while I am both blindfolded and juggling 5 bowling balls and 3 ping-pong balls at one time using only my forehead - and have an auctioneer screeching in one ear and a dentist's drill going off in the other. It is fun to see how many times it takes to input the registration key properly when you up the tension factor a wee turd.

Thanks, wclew, don't forget the ale.

Hey, rtdodger, not a bad DM type rant, eh?

I have a dream....
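
To make sense of a privilege log like the one quoted above, here is a parser that turns each line into a structured event and then summarises, per process, which privileges were enabled under which account, which client accounts were impersonated, and whether every impersonation was followed by a REVERTTOSELF on the same thread. This is an added example, not code from the thread or from the tool that produced the log; the sample lines are copied from the quoted log (truncated final line included) and the line layout is inferred from them. A service such as services.exe impersonating a named-pipe or LPC client and then reverting is the ordinary Windows RPC idiom, so the structured summary is what a practitioner would compare against a known-good machine before reading escalation into it.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the log quoted in the thread above, including the
# truncated final line, so the parser is exercised on the real layout.
SAMPLE_LOG = r"""
901 11:00:34 AM explorer.exe:1144 1576 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: LOAD_DRIVER
902 11:00:34 AM explorer.exe:1144 1576 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: UNDOCK
907 11:00:34 AM services.exe:556 696 IMPERSONATE CLIENT OF PIPE 000003E7: \\NT AUTHORITY\SYSTEM 0000A428: \\CRAY\MikeL
908 11:00:34 AM services.exe:556 696 REVERTTOSELF 000003E7: \\NT AUTHORITY\SYSTEM
911 11:00:34 AM services.exe:556 696 ADJUST PRIVILEGES 000003E7: \\NT AUTHORITY\SYSTEM ENABLED: AUDIT
914 11:00:34 AM svchost.exe:792 1480 IMPERSONATE CLIENT OF PORT 000003E7: \\NT AUTHORITY\SYSTEM 0000A428: \\CRAY\MikeL
915 11:00:34 AM svchost.exe:792 1480 ADJUST PRIVILEGES 0000A428: \\CRAY\MikeL ENABLED: LOAD_DRIVER
923 11:00:34 AM svchost.exe:792 1480 REVERTTOSELF 000003E7: \\NT AUTHORITY\SYSTEM
924 11:00:34 AM svchost.exe:792 1140 IMPERSONATE CLIENT OF PORT 000003E7: \\NT AU
"""

# Layout inferred from the quoted log: sequence number, time, process:pid, thread id,
# an upper-case operation name, then one or two "<token id>: <account>" pairs.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<proc>\S+):(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<op>[A-Z][A-Z ]*?)\s+(?P<rest>[0-9A-F]{8}:.*)$"
)
# The account may itself contain a space (NT AUTHORITY\SYSTEM), so stop only before
# the next token id, the ENABLED: marker, or the end of the line.
TOKEN_RE = re.compile(r"([0-9A-F]{8}): (\\\\.+?)(?=\s+[0-9A-F]{8}:|\s+ENABLED:|$)")
PRIV_RE = re.compile(r"ENABLED: (\S+)")


@dataclass
class Event:
    seq: int
    time: str
    process: str
    pid: int
    tid: int
    op: str
    tokens: List[Tuple[str, str]]      # (token id, account) pairs in the order logged
    privilege: Optional[str] = None    # only set on ADJUST PRIVILEGES lines


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for one log line, or None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    priv = PRIV_RE.search(rest)
    return Event(
        seq=int(m.group("seq")), time=m.group("time"), process=m.group("proc"),
        pid=int(m.group("pid")), tid=int(m.group("tid")), op=m.group("op"),
        tokens=TOKEN_RE.findall(rest), privilege=priv.group(1) if priv else None,
    )


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def summarize(events: List[Event]) -> Dict[str, dict]:
    """Per process: (account, privilege) enable counts and the set of impersonated client accounts."""
    summary: Dict[str, dict] = defaultdict(lambda: {"privileges": Counter(), "impersonated": set()})
    for ev in events:
        entry = summary[ev.process]
        if ev.op == "ADJUST PRIVILEGES" and ev.privilege and ev.tokens:
            entry["privileges"][(ev.tokens[0][1], ev.privilege)] += 1
        elif ev.op.startswith("IMPERSONATE") and len(ev.tokens) == 2:
            entry["impersonated"].add(ev.tokens[1][1])
    return dict(summary)


def cross_account_impersonations(events: List[Event]) -> List[Tuple[int, str, str, str]]:
    """IMPERSONATE lines where the process token and the client token are different accounts."""
    return [(ev.seq, ev.process, ev.tokens[0][1], ev.tokens[1][1])
            for ev in events
            if ev.op.startswith("IMPERSONATE") and len(ev.tokens) == 2
            and ev.tokens[0][1] != ev.tokens[1][1]]


def unfinished_impersonations(events: List[Event]) -> List[Tuple[str, int, int]]:
    """Threads that impersonated a client and had not called REVERTTOSELF by the end of the log."""
    depth: Counter = Counter()
    seen: List[Tuple[str, int, int]] = []
    for ev in events:
        key = (ev.process, ev.pid, ev.tid)
        if ev.op.startswith("IMPERSONATE"):
            depth[key] += 1
            if key not in seen:
                seen.append(key)
        elif ev.op == "REVERTTOSELF":
            depth[key] = 0     # RevertToSelf restores the primary token outright, not one level
    return [key for key in seen if depth[key] > 0]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for proc, info in summarize(evs).items():
        print(proc, dict(info["privileges"]), sorted(info["impersonated"]))
    print("cross-account impersonations:", cross_account_impersonations(evs))
    print("impersonations never reverted:", unfinished_impersonations(evs))
```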

mikmik
05-14-2004, 09:27 PM
This is how I fight....http://www.webproworld.com/viewtopic.php?p=102752&highlight=#102752

trsiyengar
05-15-2004, 02:18 PM
Mike,
MLK, my favourite personality, far above Gandhi, I vouch. At times, man needs some sort of encouragement and it is there for us to follow. I never give up a fight for a cause. I never fight without any cause! For pure love and affection, you can give up anything but love!
I did post this in some other thread (Big thoughts..)

mikmik
05-15-2004, 04:31 PM
TRS Iyengar is so kind:
At times, man needs some sort of encouragement and it is there for us to follow. I never give up a fight for a cause. I never fight without any cause! For pure love and affection, you can give up anything but love!

Thank you, I need the words of faith and support, still, in this matter.

I am still having problems. I cannot even set up a server to test my webpages on because it gets hijacked and all the services are rendered unavailable to me. I have so much security on here that nothing gets to the internet without my consent, and without telling me the inner workings of the 'request'.
There are dozens of processes using my internet, still.

I have a list of IPs and ports, and details of every request, but when I probe them later, I get ZERO.
Does not exist.

I have located a web page that gave me a suspicious redirect request that was supposed to be cloaked to my eyes. I don't know, this is not very good still.

So if I am not around, I will be close. I will probably build a small computer here later. I have already another internet account at my disposal, and I might have to be doing some fancy shuffling soon.

Peace

I am only using a backup copy of my OS that I made some months ago. I think it is in there, and runs as part of the installation.
I will find out.

LOVE

mikmik
05-15-2004, 08:16 PM
I did thus:

1- wiped hard drive, deleted MBR, completely raw
2- made 5 partitions, all various file systems, hp/nt, and up to linux/solaris swap, but no fat versions
3- I wiped it clean again
4- I made one NTFS partition of 6 gig on an 80 gig ATA100, located 'high' (at the end of the drive, instead of putting it in the first area)
5- flashed BIOS twice, from v1 - v5 to v9
6- boot from CD, install XP Pro, formatting the partition first. I should also add that I had no NIC installed, and that I disabled the onboard Realtek NIC
7- I installed chipset drivers
8- I installed SP1a, and all the patches and critical updates from local CD

8a (I forgot to include this) I went to Windows 'add/remove programs', and then 'add/remove Windows components' and removed (hahaha not fuckin likely) the MSN Explorer and Windows Messenger

9- I went into safe mode, and I deleted all the Messenger, MSN, and MSN Gaming folders from the program files, and I had to **** with the security settings to do so, denying all permissions, but giving myself complete access and ownership
I also shut off or disabled from starting all networking, spooling, server, remote access, messenger, DCOM, blah-de-be-blahblahblah services in the admin 'services' module
10- I went into the registry, and I deleted all keys and subkeys that contained anything to do with the above program files, also cleared the 'run', 'run once', and 'run next start' keys.
11- I deleted all the RAS, RRA, all of the autodialer accounts, protocols, remote logon shite, etc., etc., from the registry
12- I installed Norton Internet Security, and encrypted the registry.
12- I configured NIS to deny or ask for all 'found' internet accessing programs, modules, and executables.
13- I blocked all ports except TCP 80
14- I installed my NIC card.
15- I CONNECTED THE UTP5 cable from the NAT router, which is between me and the ADSL modem, which was assigned a dynamic IP (of course, it usually is)
16- I updated all Norton, and all remaining Windows security patches, including 'recommended', but did not go for anything beyond that

17- I checked the logs for NIS, and saw that 189 access permissions had been granted to Windows procedures for accessing the net, from ports all over the first 4000 ports, including 445 and some common Windows functions, but almost all were for network and routing protocols.

18-I have to get some work done, so I "tried" to install IIS so I can get some php and perl and asp support locally

19- I went to add/remove and tried to remove the IIS services because they didn't work locally, but they sure came in handy for the porn lords that inhabit my very naive and innocent computer

20- I changed all the permissions in NIS to BLOCK again, because they were put back to 'allow'

21- I took these screen shots, plainly showing that - although I actually made two efforts at removing IIS, and re-removed MSN Explorer each time, there is plainly something wrong with these pics:


http://factor1.net/mikscreen/may15%20(9).jpg

I mean, this stuff is going OUT from here!
I will just link as href instead of img src for the rest, but there are some mighty nasty inhabitants to be photographically exposed in these shots of the 189 fuckers that use my computer to serve the purposes of some seriously talented, but misguided and very sorry if I ever see them, denizens of destruction.
http://factor1.net/mikscreen/may15%20(1).jpg

http://factor1.net/mikscreen/may15%20(2).jpg

http://factor1.net/mikscreen/may15%20(3).jpg

http://factor1.net/mikscreen/may15%20(4).jpg

http://factor1.net/mikscreen/may15%20(5).jpg

http://factor1.net/mikscreen/may15%20(6).jpg
http://factor1.net/mikscreen/may15%20(7).jpg
http://factor1.net/mikscreen/may15%20(8).jpg

http://factor1.net/mikscreen/may15%20(10).jpg
http://factor1.net/mikscreen/may15%20(11).jpg
http://factor1.net/mikscreen/may15%20(12).jpg
http://factor1.net/mikscreen/may15%20(13).jpg
etc
http://factor1.net/mikscreen/may15%20(14).jpg
http://factor1.net/mikscreen/may15%20(15).jpg
http://factor1.net/mikscreen/may15%20(16).jpg
http://factor1.net/mikscreen/may15%20(17).jpg
http://factor1.net/mikscreen/may15%20(18).jpg
http://factor1.net/mikscreen/may15%20(19).jpg

If anybody knows how to help, I would be happy
Or I buy a new MoBo

trsiyengar
05-16-2004, 12:29 AM
Mike,

I am sorry to hear the sad state of affairs; in your computer & server, there seems to be a permanent poaching that has taken over.

As I said earlier, the law breakers are always a step ahead of the law makers; there is someone definitely taking a lead in encroaching upon your privacy and control of your computer. A perverted one, must be, in mentality & act.

I can guess the sort of things that are disturbing your normal work. My curse on the hackers: they should never get a drop of water to drink in their lifetime. Should my wishes come true, all the hackers would go blind in one wink. Can anyone help mikmik in his trouble? Please help.

No, we are not in the policing job. Still, is it not possible to trace and track them at once? Since they go on repeating this sort of thing, is it not possible in any way to monitor their activities and bring them to book? If found and caught, you can even claim damages.

I pray, pray all the time, that things turn to normal sooner than soonest.

mikmik
05-17-2004, 12:35 AM
I found out how............

I will overcome hahahahahaaaaaaaaaaaaaaaa

It was what I suspected from the start, but it had symptoms I did not fully understand...........till now

+ +
0


It made hiding places, and now I know with what.

mikmik
05-17-2004, 04:47 AM
The scariest part, is that the tools, and how to use them, they are on some wild security sites.

It made a virtual registry for me to play with, and wrote to the master boot sector, besides the other shate I found in the recycler. And if you ever see Windows Messenger running after you deleted its er...butt several times from the registry, that's not Windows Update putting it back all the time!

I owe this one guy an apology; I told him it was not easy to kill that IM from MS. Did I ever place around my foot a mouth haha.

I am afraid to get anything from any of my CD backups now but I was going nuts trying to manage over 800,000 files in My Documents, now I have about 8.

Is it ever easy to keep them organized NOW!

juzzme
05-17-2004, 10:37 AM
I use this site to keep up with virus and worm fixes. Many utilities for a lot of security issues. Thought folks might find it helpful http://www.grc.com/default.htm

danno
05-17-2004, 11:40 AM
Hi,
I had version 6 of the free AVG AntiVirus, totally up to date, on my system. I was having problems, so I decided to try a trial version of Norton AntiVirus.
It detected 3 viruses running on my system that AVG had not even recognized.
I'll never go back to free anti-virus anymore, it simply doesn't cut it.

Two other awesome programs with great features are
"Spybot Search and Destroy" which gets rid of spyware and "Spyware Guard" that warns you if someone tries to install a different home page or toolbar (BHO - Browser Helper Objects) without your permission. You can find both easily using Google.

Note: Even with all these high powered protections including a firewall running on my machine, I still have to make sure that the antivirus is updated constantly using liveupdate and have to run spybot search and destroy on a regular basis. The adware/spyware is that persistent and pervasive.

I always detect "something" that has gotten through my armour.

Hope this helps :)
Dan

trsiyengar
05-17-2004, 12:28 PM
danno,

You're right in what you say about freeware. It has its limitations and at times you cannot fully trust these things, especially when you are threatened with lots of spam, worms, viruses and browser hijacks.

I too use AVG AV, but shockingly it could not detect the viruses which were ultimately cleared by the Norton AV trial version which I downloaded for that very purpose! In all 9 - trojan, Netsky-I worm etc. - were just hiding from the AVG scanner.

Fortunately for me, mikmik aka Mr. Mike Laing has helped me a lot in getting different links and ideas that worked to a perfect finish! I am, as of date (can't rely any more on the Internet breakers and hackers), running fine.

Now, I must see my friend Mike getting out of his trouble and leading us with his usual wits. He had to undergo a lot of painful experiences; words cannot express his sufferings. But he took every step as a challenge, fighting, and eventually he'll succeed.

jred
05-17-2004, 12:29 PM
Hi,
I had version 6 of the free AVG AntiVirus, totally up to date, on my system. I was having problems, so I decided to try a trial version of Norton AntiVirus.
It detected 3 viruses running on my system that AVG had not even recognized.
I'll never go back to free anti-virus anymore, it simply doesn't cut it.


And I've had AVG detect things that Norton and McAfee missed (not to mention Norton and McAfee seem to take a bigger performance hit when running network applications). The simple fact is that no single protection is safe. The best defense is a *lot* of common sense.

I'm a network admin, and I go to a lot of small-medium sized businesses to work on their servers and PCs. When a PC is "acting weird", I d/l, install, upgrade, and run Spybot Search & Destroy, Ad-Aware, and run housecall.trendmicro.com. It helps if you can boot into "Safe Mode - Networking" to do this. I've found that those three things fix 95% of the problems.

Of course I don't run any A/V software, cuz I'm a rebel! (15 yrs. virus free)

trsiyengar
05-17-2004, 01:04 PM
jred wrote:

Of course I don't run any A/V software, cuz I'm a rebel! (15 yrs. virus free).

Let this trend and luck be with you for ever, my friend.

Now, jred, can you please go through all of mikmik's posts above and suggest a fine way out!

mikmik
05-17-2004, 02:47 PM
jred wrote
I'm a network admin, and I go to a lot of small-medium sized businesses to work on their servers and PCs. When a PC is "acting weird", I d/l, install, upgrade, and run Spybot Search & Destroy, Ad-Aware, and run housecall.trendmicro.com. It helps if you can boot into "Safe Mode - Networking" to do this. I've found that those three things fix 95% of the problems.
It is my way also, but I still run Norton, and I wish Corporate was cheap enough for my home PC.
I always keep Task Manager handy, always checking for memory residents before log off/shutdown, and if I am suspicious, I go to regedit and look for 'run', 'run once', run next 'x' boot etc.
But having an AV scan mail and catch and delete attachments that are malware is easily not necessary if you use common sense, I agree, but common sense to you and me, who know how to spot the very subtle signs, or be careful if there is the slightest doubt, may not be as apparent to others. I even clicked on a spam when I was tired one day; I fell for a social engineering, and realized it just as I opened it.
Luckily, it was benign, for the browser redirect is far more dangerous in my opinion.

I have taken one month now to finally rid myself of a "VMware" hack, and it was compliments of a router-separated computer logged on to locally by someone fishy, or just plain ignorance by a conceited and careless roommate.
TRS, I am free now, and I did not bother to try to track down the guilty; they will suffer the punishment of a bitter life. You and I forge a friendship, and respect, meanwhile.

Oh and one more jred

Of course I don't run any A/V software, cuz I'm a rebel! (15 yrs. virus free).

Hahahaaaaaaaaaa.......
Exactly what i thought to myself, and bragged about (except 'six months' instead of '15 years', I only have '24 month's' computer experience)

Last thing i said before my 'discovery'...sigh... :o)

trsiyengar
05-17-2004, 11:18 PM
mikmik's happy hour:

TRS, I am free now, and I did not bother to try to track down the guilty; they will suffer the punishment of a bitter life. You and I forge a friendship, and respect, meanwhile.

Oh and one more jred

But my concern is how to prevent this kind of repetition in future, as, not having any basic technical knowledge, I am scared even to keep my Internet cable open for
a long time. There must be an end to these kinds of aggression and poaching.

Ti for Ta!

jred
05-18-2004, 10:17 AM
I don't think it's possible to avoid all of the malware out there these days. You can minimize it by using a DSL/cable router, running a software firewall (like Zone Labs' ZoneAlarm), keeping your antivirus software up to date, and running anti-spyware weekly (Ad-Aware is a good one).

I have a poster on my wall with the caption "The only truly secure computer", and the picture shows a computer with the power cord cut. Still, if you do the above, you'll be reasonably safe. In the cases of anti-spyware and anti-virus, I'd recommend double-checking occasionally using multiple products. No application is perfect, and that will help keep things from falling through the cracks.

I really didn't mean for my previous post to be inflammatory. I just wanted to point out that both free and paid software has flaws, and running a free a/v (AVG) is better than nothing. Well, unless you're me, but I've always been ornery :)

trsiyengar
05-18-2004, 02:42 PM
jred

You're right; no single product can be trusted all the time. Every product has its own limitations, flaws and formations, I agree. In our own best interest, one has to safeguard and take all the possible precautions.

I appreciate your suggestions. It is better each one takes on a policing job, at least concerning their own property!

pete61uk
06-13-2004, 03:35 AM
Two Trojans in two days:

Backdoor.Mosucker.DN and Backdoor.NetsnaHkey.Current.Users\Software\

The first was masquerading as csrss.exe and was picked up by AVG v7. I had to confirm the root before completely deleting it (in case it was an AVG aberration?).

The second, could be false as it was detected by a free on-line scanning site which, once detected, it refused to clean unless I paid for the software to be licensed?

Routinely in use, a combination of:

AVG v7
Ad-aware v6
Window Washer v5
Hijack This, and
Zone Alarm

danno
06-13-2004, 07:47 AM
Hi,

I was only referring to Anti-virus programs.

I also use
Spybot Search and Destroy
Spyware Guard (Browser Helper Object(BHO) Detection)
Spyware Blaster

I haven't noticed any performance hit from Norton.
You can disable alerts on email checking(the little boxes that pop up in the system tray), which may be what you are referring to.

It "is" true that even with all these things running
you still have to be vigilant. I don't know how
many times I've removed SRNG from my system!

By the way if you want a powerful Spam blocker
do a search at Google for "Apocgraphy".

Danno

trsiyengar
06-13-2004, 12:59 PM
danno,
Thank you very much for your suggestions. I already, with the help of mikmik, set right my computer and now it is working fine. Still I shall try to search and find the link given by you for more alerts. Thanks once again for the suggestion and help.
Regards,

syc
06-14-2004, 06:09 PM
After reading many complaints from members regarding their computer break-down, now it is my turn it seems.

Often the stupid machine goes off winking and blinking; warns me of impending threat! Demand reboot at every time I switch on. I have the AVG anti-virus, but that too strucks at a particular level while scanning. Donno what really happening here.

Does anyone there out to destroy only WPM sites n computers>< ? When I checked in my log at the site, I do find some suspicious activities going on. Need to build a firewall, all around!

Your first problem is AVG. That has to be one of the worst antivirus programs on the market. This is why they give it away for free.

trsiyengar
06-15-2004, 08:14 AM
syc

Yeah, I agree. Everything that comes to you free has its own limitations. You ought to have a trusted one for any purpose that is paid and registered. Surely, paid services are far above others. What AVG failed to detect was easily caught by NAV! It is not a surprise, as I understand all freeware comes with minimum service utilities.

trsiyengar
06-15-2004, 08:28 AM
pete61uk, the MVP wrote:

Routinely in use, a combination of:

AVG v7
Ad-aware v6
Window Washer v5
Hijack This, and
Zone Alarm

Certainly it helps. What one product fails to get is caught by another. I am wondering how a competitor product can send in a virus and detect it easily to boost their sales! Can one fully rely on these money spinning modalities? For some other reason, I do get the doubt whether the virus script writers are paid by some of the anti-virus software manufacturers!

pete61uk
06-22-2004, 03:20 PM
Well, I don't know how the rest of you are doing, I've not been on-line since last Friday and I'm suffering from WPW withdrawal. My email/spam accounts must be overflowing by now?

My system is either taking a sabbatical or there's trouble afoot?

The problem, when I can access the system, is that no matter how many scans I do - I even did a couple of on-line scans before coming here - or how many times I re-format the drive and re-install Win2K, I can't detect anything wrong. The symptoms (below) return as soon as I have to reboot. I'm not sure if it's a software or hardware fault?

Anyway, see what you think:

The problem occurs when the system boots up. All seems well until Windows starts to load. The countdown, well, winds up and, when you think it's going to open, a message beginning "STOP" - it's too fast to catch the rest (?) - appears at the top-left of the screen and it returns to the system re-boot, again, and again, and ...... you get the picture.

I've tried all F8 options and they don't function. My only means of access is using the Win2K setup discs. All I can do is a complete disc format and re-installation; a repair doesn't cut it?

I'm assuming that when I finish this sojourn and test-boot the system the fiasco will resume, until I go back through the re-load process AGAIN!?

Anyway, on the assumption that I'm correct, I'll try to get back on-line tomorrow and see what pearls of wisdom follow.

Cheers.

wenwilder
06-22-2004, 08:16 PM
Have you tried formatting the MBR?

Many destructive viruses damage the Master Boot Record and make it impossible to start the computer from the hard disk. Because the code in the Master Boot Record executes before any operating system is started, no operating system can detect or recover from corruption of the Master Boot Record.

Just a thought

pete61uk
06-25-2004, 04:39 AM
Thanks Wen,

I'm not sure it is a virus. As already mentioned, I have completed virus scans using both off and on-line utilities and nothing has come up.

As regards MBR, I can't find anything in the Windows help files on this. However, I have produced another ERD (is that what you mean?) and will see if that has any use. The earlier one wasn't accepted?

Once the reboot cycle starts - if it is going to happen it does so on start-up, or after a normal re-boot as required when putting on new software - the only useful thing I have been able to do so far is access the system via start-up discs and complete a disc re-format and windows load.

My latest thoughts are that it could be either:

A faulty hard drive, or
Faulty SDRAM or other onboard memory chip/card?

I've downloaded utilities for testing both and will see what, if anything, comes up?

Thanks for your assistance

mikmik
06-25-2004, 10:37 AM
Send me your phone number. NOW! LOL

I have helped cyanide over the phone, and it is good because I can look specific things up as we try them.

I have a deadly Long distance plan, so let's have 'er :O)

I mean it, I was thinking of calling anyways.

But I will be back with some info, it is stuck at the back of my brain, but I know that i fixed that before for a client.

mikmik
06-25-2004, 11:30 AM
wen has wise words.

Pete, you may have a bad hard drive (not likely at all, not at all), your Installation CD is not good, or maybe what wen says.

First, look for suspicious partitions.
then run disk diagnostics.
Then zero your drive
Last (for now) flash the BIOS.

wenwilders wrote (-_^)
Have you tried formatting the MBR?

Many destructive viruses damage the Master Boot Record and make it impossible to start the computer from the hard disk. Because the code in the Master Boot Record executes before any operating system is started, no operating system can detect or recover from corruption of the Master Boot Record.

Just a thought
You are right. it only takes as little as a 3 BYTE!!! change in the size of the MBR to hide enough code. There are also CMOS tricks, and there is often enough room in the BIOS boot sector (it is 64 bytes in size) to sidetrack stuff.

I know, I had it all.



PETE61UK
First, you have to look and see if there are any weird partitions on your hard drive. They are hidden from normal views; this is the only way to see them. Get this, make a floppy with it, and boot up to floppy. It will take over, and it even has a desktop interface!
DO NOT INSTALL THE EMBR!!!!! Well you can but when the 30 days is up, you lose all your formatting, including any data you had on your hard drive, I FUCKING KNOW LOFL!
Hit 'Cancel' and then 'manage partitions' (or close to that)
http://www.terabyteunlimited.com/bootitng.html
The link is on the bar at the top.
Now, if you see any FAT12 or FAT16 partitions named "ʽñ¤¬" or "ꥫ¥Ð¥ê" or, I had this TWICE!: " û û " (!) Yes, that is what they have for names. If you see that, delete them; you have been seriously invaded, but it is all over now!

Then, you can use secure delete and you don't have to worry about the others here, just reinstall.

Why would I want to Zero Fill my drive?

The most common reasons to Zero Fill an ATA (IDE) hard drive are:

1. The drive has contracted a virus that cannot be removed without destroying the boot sector.

2. You are changing from one operating system to another and wish to remove everything from the drive

If you have a Western Digital hard drive, go get this


Software & Drivers

Quick Links
Data Lifeguard Tools

* Data Lifeguard Tools V. 11.0
* Diagnostic Utilities
* Data Lifeguard Diagnostics for Windows

Data Lifeguard Tools V. 11.0
Data Lifeguard v11.0 for Windows
98SE/2000/ME/XP
September, 2003
(3.47 MB)

Data Lifeguard v11.0 for DOS
ZIP Version (1.56 MB)
EXE Version (1.74 MB)
98SE/2000/ME/XP
September, 2003

The downloadable Data Lifeguard Tools now comes in both DOS and Windows versions and was written specifically for the installation of Western Digital EIDE hard drives. If your computer system already has a hard drive installed with an operating system of Windows 98SE or greater, you should use the Windows version of Data Lifeguard for best results. The DOS version is required if installing a hard drive in a new system without existing operating system support.

New features:
* Certified to work on all current WD drives (model numbers starting with "WD")
* Friendly user interface and easy to use
* GUI Interface Drive Installation Software
* Printable tutorial customized to help you optimize your configuration
* Improved drive to drive copy capability
* (Windows version) Will work with Windows 2000 SP3 and Windows XP SP1 to overcome the 137GB barrier without the need for a controller card
Diagnostic Utilities (http://support.wdc.com/download/#diagutils)
DLG Diagnostic
Ver. 5.04c
ZIP Version (1,538 KB)
EXE Version (1,823 KB) Extract it, and/or run the EXE and make a boot floppy. Then you can test your hard drive and write zeroes, called a low level format. WARNING!!!!!!!! I did a full low level on an 80 gig with a 3 gigahertz machine here, and it took 9 hrs. and 40 minutes. You just have to do the first and last 100 MB (I think those are the numbers) and your MBR is vamoose.
If you have a Maxtor, this one: Download Powermax (http://www.maxtor.com/portal/site/Maxtor/?epi_menuItemID=3c67e325e0a6b1f6294198b091346068&epi_menuID=976d37cd478c5826433f226075b46068&epi_baseMenuID=976d37cd478c5826433f226075b46068&channelpath=/en_us/Support/Software%20Downloads/ATA%20Hard%20Drives&downloadID=22)

Download PowerMax

* File Name: powermax.exe
* File Download Size: 929 KB
* File Version: 4.09
* Revision Date: 04/12/04
* Compatible Operating Systems: Windows NT, Windows XP Home Edition, Windows 2000, Windows Me, Windows 98, Windows 95B, OS/2, Windows XP Professional

The PowerMax utility is designed to perform diagnostic read/write verifications on Maxtor and Quantum hard drives. These tests will determine hard drive integrity. The PowerMax utility is effective on all ATA (IDE) hard drives with a capacity greater than or equal to 500 MB. Maxtor recommends the use of this utility for troubleshooting potential hard drive problems. These problems include, but are not limited to the following:

* Potential hard drive surface problems (e.g., bad clusters, bad sectors, partitioning/formatting problems, etc.).
* Drive recognition problems (e.g. hard drive that is not recognized by the operating system).
* Software removal

It works the same: make a floppy, and then it is all follow-the-instructions. It is really very straightforward once you get started.

Seagate SeaTools Diagnostic Suite is Seagate's exclusive disc drive diagnostic software designed to troubleshoot most Seagate hard drive issues. (http://www.seagate.com/support/seatools/)

Discwizard (http://www.seagate.com/support/kb/disc/faq/ata_llfmt_what.html) for low-level formatting

mushroom
06-25-2004, 11:32 AM
Pete, sounds like you are almost ready to give Linux a try?

The conversion can be very easy with a distro like the one I use.

Install Windows, then install Linux with LILO or GRUB on a floppy,
then boot (floppy out = Windows, floppy in = Linux).

mikmik
06-25-2004, 12:31 PM
http://www.knoppix.org/
Knoppix, burn the iso to CD, boot from it, voila!

Mushroom, you seen this???!!!
ftp://ftp.gwdg.de/pub/

A-bloody-mazing!
Browse the docs folder..........too much. I thought that IBM's ftp site was cool, and it is, if you are into, well, it is pretty damn good too!

pete61uk
06-26-2004, 11:37 AM
mushroom, not too sure about the Linux. I think it a good step were I to become more familiar with windows first?

Wen, mikmik. My own tests have led nowhere. Both hard-disc and memory tests showed no faults.

Have downloaded Memtest86+, an in-depth memory testing utility and, as recommended, BootIt NG and SeaTools Diagnostics.

Now, if only I can get SP3 on my system I'll be able to read the BootIt NG pdf manual?

mushroom
06-26-2004, 01:30 PM
http://www.knoppix.org/
Knoppix, burn the iso to CD, boot from it, voila!

Mushroom, you seen this???!!!
ftp://ftp.gwdg.de/pub/

A-bloody-mazing!
Browse the docs folder..........too much. I thought that IBM's ftp site was cool, and it is, if you are into, well, it is pretty damn good too!

I carry a copy of Knoppix, Suse 9.0 Live Eval and Suse 9.1 Pro around in my car and have exposed a few people to the power of Linux. M$ has its uses but is not safe enough to use on the internet.

I do not use ftp sites very much as I find the commercial distros so convenient and hassle free.

Dual booting makes the transition easier.

mushroom
06-26-2004, 01:48 PM
pete61uk

I also carry around a floppy with the Ultimate Boot Disk on it that I use to erase the MBR and write whole hard drives to zeros.

It can be found at http://www.docsdownloads.com/ubd.htm

mikmik
06-26-2004, 08:36 PM
mushroom, (a good BC product lol), you posted:

It can be found at http://www.docsdownloads.com/ubd.htm

So, like that is a pretty DAMN DECENT link there :O)))))))))

They have RegCleaner there!!!!

I still have a copy of the last release version of jv16powertools, but I like regcleaner!

THANKS!!

pete61uk
06-26-2004, 09:35 PM
Progress Report:

Ran the Seagate "SeaTools" utility. As suspected, and confirmed by this test, the hard-drive is in good nick (condition).

One thing that did arise in the Controller Test that could be odd (?) was:

Conventional memory size - 639K
Extended Memory Size - 58532K

Is this usual?

Next up, run the BootIt NG test utility. I've also downloaded the "Ultimate Boot Disc".

Finally, with regard to Wen's earlier suggestion (I've had a little read). "Formatting the MBR".

Would that be the Command Console utility "Fixmbr?"

pete61uk
07-01-2004, 07:53 AM
Status Report:

Hard-drives - No fault found (NFF)
Memory - NFF

No mysterious processes are evident in the task manager!

On using BootIt NG, no mysterious partitions were found. I did try downloading mushroom's utility of choice the "Ultimate Boot Disc", for another check but (for whatever reason) it didn't work?

WIN2K Pro System Disc - Knackered:

The system disc was found to have a hairline crack, starting from the centre-out and not, without close inspection, visible. That only became obvious once file errors started to occur, but has nothing to do with the core symptoms as presented.

Fortunately, I had a second copy of the disc available. I can only put the disc failure down to the extended use it's had in either re-formatting the disc for another "clean install" or during the innumerable repair processes carried out.

Motherboard - Gigabyte GA-7ZX-1 Rev 1.01
BIOS (on system) - 2.05.19.03 CRT

I don't recognise the BIOS version? I did try to use the @BIOS on-line upgrade utility to download the current rev but it failed. Came up as "Flash not recognised or BIOS write protected?"

On trying to access the BIOS settings I found that they were password protected, something I hadn't set up, and only managed to get into (eventually) - it's a bit of a lottery every time I reboot or power-up here - by removing the motherboard's battery. However, after putting all the settings to where they should be - I (doofus) did forget to enable USB and only realised the error when my network adapter wasn't seen - on trying the @BIOS utility again, it still failed?

Now, on looking on the Gigabyte site there are two possible BIOS versions for my system, I've requested that Gigabyte specify which of the two I should use. Of course, that still leaves me wondering how I am to apply it when the @BIOS utility didn't function????

So, that's it to-date. I'm knackered, wondering if every time I do a repair or attempt a re-format and clean install my setup discs, created during this process, are causing the problem to rear-up yet again?

Yours, definitely NOT chilling-out,

mikmik
07-01-2004, 10:21 AM
The last time I tried the @BIOS utility (GA7VAX), it was just about done, then to my HORROR!!!, the screen says "Write error. BIOS failed"
I have never been so choked, and when I rebooted, my computer was (+_+), dead.

I had dual bios though, and recovered. From that moment on, I have always flashed my own, and now it is like a piece of cake.
I looked at the US site, saw two BIOSs for you, so take the newest one.
It is funny, the BIOS corrects an error that occurs when you flash the BIOS!

Here is the manual page for instructions:
http://uk.giga-byte.com/MotherBoard/Support/BIOS/HowToReflash/HowToReflash_1.htm

or, right click, and 'save as' this link directly to the pdf : http://uk.giga-byte.com/MotherBoard/Support/BIOS/HowToReflash/pdf/flashbios_dos.pdf

You have to make a floppy boot disk; get this one, Windows 98 SE OEM | Alt, here: http://bootdisk.com/bootdisk.htm

Make sure that you have a good floppy, sometimes mine are old and not working 100%, so try booting to dos with it first, or even just make sure that you can copy stuff to it and get it back, like a jpg, or word doc. Then you know it works okay.

I hope all this helps, but I will remember to click the 'Watch this topic for replies' link...right now!

Top o th' morn to ya, lad!

WINDOWS SHUTDOWN & RESTART CENTER
TROUBLESHOOTING in 15 STEPS (http://www.aumha.org/win4/a/shutdown.php)

pete61uk
07-01-2004, 02:57 PM
This could be an obvious question but if I can't produce a boot disc with my operating system (WIN2K Pro) why would one for an earlier version (WIN98) work?

What's that http://bootdisk.com/bootdisk.htm "makeboot.exe" in the Win2k section?

I have to dive out right now, but will try to return in a few hours. That, or sometime tomorrow?

mikmik
07-01-2004, 03:19 PM
The native instruction set for PCs understands DOS, which is the 'kernel' that the earlier versions of Windows were based on.
Now, starting with Win2K, and including XP and NT4+, the kernel is "NT" instead of DOS. Even the file ntdetect is a command file, which is DOS. (It is one of the two 'startup files' that begins the Windows loading process.)

Anyways, that is why the old disks work for booting up your PC, and even the BIOS flashing (whatever it is called flashing for, I don't know) utility is dos based.

It is like everything is STILL a reflection of the beginning languages, like Visual Basic and others started with 'BASIC', etc.

The 'makeboot.exe' is four floppies' worth, and it makes the beginning blue screen stuff if it isn't possible to boot from your CD drive to install Win 2000 or XP. It doesn't give you the ability to do anything, just watch it say "setup will now inspect your disks for any previous Windows installations" and all that, and gets you to the first reboot that then loads the first part of Windows with the pretty colors, and says "Windows 2000".

I need some sleep, and I have some stuff to do, will check in about two hours.

Hang in there, you will get to start charging people for fixing their computers soon, with all this tech stuff.

Plus, you sometimes get to keep their old parts, that aren't so old sometimes LOL

See you later :O)

trsiyengar
07-02-2004, 06:09 AM
After a lot of searching for some server that answers my needs, I found one at nexpoint.net (a Canadian site!) and have now totally moved to the new server.

I suffered and struggled a lot with net4india, the worst ever experience of an Indian web server. They never even responded to my queries nor did they help when needed. Now I am a tension-free man, after shifting to www.nexppoint.net

Mike wrote:

Plus, you sometimes get to keep their old parts, that aren't so old sometimes LOL

That's why I am not throwing them out! You need it more when you're in real trouble!

Guru! I agree, you need some sleep, go n get it. I would like to see your next post on the subject, that you wanted to teach us!

pete61uk
07-04-2004, 07:34 PM
Iyengar, if you're lucky perhaps (if asked) your new hosts would extend their services to include a return ticket to Vancouver. Only an hour or so south of Kelowna you could be quaffing Romulan Ale and Saurian Brandy with mikmik before the jet-lag sets in?

Fault Status and Thoughts wrt Diagnostics Progress:

Glossary :-

No fault found - NFF
It didn't work - NG
Emergency Repair Disc - ERD

From what material I have read, both through the excellent links in the Security Issues section and those provided within this thread, together with the suggestions made so far, I can conclude the following:-

The only symptom is a continual re-booting of the system with the momentary display of a "STOP" error notification on each cycle.

When a Stop error is provoked it is usually assumed to be a physical hardware or incompatible hardware driver fault, just see all the reports listed in the Windows diagnostics pages. However, just to put a fly in the ointment, it can also be provoked 'somehow' by Anti-Virus Software?

That last suggestion has fed a little seed of paranoia within me in as much as by coincidence I had recently been using what I will term a "student copy" of a well-known Anti-Virus Software. Other than that, the only other events of consequence around the same period are that I had up-graded my ISP account to Broadband - with a USB connection - and had (in error) loaded a program with Window Washer active. It prevents registry changes!

The last could be a red herring, and probably is. However, note to self. REMEMBER TO DISABLE THE DAMN THING BEFORE LOADING NEW SOFTWARE!

OK, back to so-so-sanity.

1st, assuming, as we all do, that some scum-sucking parasite - having, as they do, the ability to remove all joy from the world - has infiltrated my system, once I had managed to regain access I completed numerous on and off-line scans of the system - NFF.

2nd, assume you got off lucky and, because you have to run either a repair or reload every time the cycle resumes anyway, it's a "Windows fault", re-format the hard drive and re-load the system (repeatedly) - NG.

3rd, and while you can still get on-line, post a message in WPW hoping someone will take pity on you and offer constructive advice.

4th, follow the advice you can understand. These people are both clever and have experience of this kind of hell with most having survived with only minimal disturbing side-effects, e.g. Pie fixation; Pink Bunny suits; Romulan Ale addiction; Jell-O, Jell-O Wrestling, etc. etc., - so they can be trusted. Oh, and don't forget to ask for clarification of the instructions you don't understand!

5th, back to the possibility of a hardware or driver failure/corruption, test your system. Sources of diagnostic utilities are first to be looked for on the manufacturer's own web-site:

Motherboard

The motherboard manufacturer, although they will probably not have a utility for testing will have (if you don't already have one) a downloadable copy of the manual and update facilities for the chipset drivers, system BIOS and a Flash program for updating it?

*Check that the BIOS write-protection, if in use and not found (assuming you can access it) in the setup utility, is not a physical link on the motherboard itself. Mine, a Gigabyte product, has a jumper link at J10.

Action - Downloaded the available software, implemented it, and re-applied the BIOS write-protection!

Hard-drive/s

Most manufacturers will have either an on-line test facility or a downloadable Dos utility so's the drive's integrity can be tested off-line. Also, this might include a tool for the low-level formatting or "zeroing" of the drive? If not there are many free utilities available on-line.

Action - All of the above = NFF.

I re-loaded the system on a "clean" drive then, as each service pack was implemented, produced a separate backup of the entire disc (WINNT and system files, and the test utilities/firewall and anti-virus software loaded).

Also, so as to have additional "on startup" options, just a suggestion, produce sequentially upgraded system "profiles" and replace the "ERD".

Not "forgetting" the Memory

I'm not sure if my manufacturer has a testing facility or off-line utility. Ones that were recommended are MemTest86+ and a utility designed by IBM. I used both on mine. Results = NFF.

For other hardware not listed, check that the existing drivers are not corrupt. If still no good, check the Microsoft compatibility list and/or whether they have a driver they recommend.

The state of play as I write, I've only re-booted a few times and have only twice started up from scratch. Having previously gone through some 20+ re-boots without the fault occurring, and then (dammit) it did, you'll not be surprised if (like my aching bod) my confidence is in need of a massage.

I've replaced the, ahem "student copy" with a legitimate FREE copy and, since it didn't like the driver supplied for the USB connection, I've fitted an ethernet card.

So, still testing before I re-load the bulk of the software I really need to use, "the jury is out!"

trsiyengar
07-04-2004, 09:47 PM
Pete61uk wrote:

So, still testing before I re-load the bulk of the software I really need to use, "the jury is out!"

What a pity, the Jury is out and it seems the "IN-jury" it caused to you and your computer!

Pete's quote:
Iyengar, if you're lucky perhaps (if asked) your new hosts would extend their services to include a return ticket to Vancouver. Only an hour or so south of Kelowna you could be quaffing Romulan Ale and Saurian Brandy with mikmik before the jet-lag sets in?

Yeh, I am told they will give a free to-and-fro ticket to Canada and also a fortnight's free stay, but only on the day when pigs start flying. Heheh, in the meantime, let the Saurian B and R. Ale get ripe till I reach!

Your diagnostic system is really jerking my mind. The computer Dr. Mike should take a note of it for conducting a further Post Mortem. (if your stupid machine is still on, then kill it to find the perfect reasons for its failures, enable conduct a PMortem). He'll do it so in a nice manner, provided he is returned from his long pending Holidays from his back yard beach.

pete61uk
07-08-2004, 03:05 AM
I think I can confirm that my weeks of pc-induced hell are not necessarily the result of viral attack? However, for the sake of continuity, unless someone objects, I'll continue here. Hopefully, to a successful conclusion?

Progress has been achieved in as much as the cyclic re-booting has appeared to stop (pun intended). Now, although the "Stop" errors continue, there is a break during which a memory dump is carried out. At least I can now use the diagnostic aids (such as they are) provided by the software. Does anyone know how to access a .dmp file?

Three errors so far; the 4 parameters used by Microsoft are shown below, where:

Param 1 = Memory referenced
Param 2 = IRQL at time of reference
Param 3 = 0: Read; 1: Write
Param 4 = Address that referenced memory

0x000000D1 (0x00000073, 0x00000002, 0x00000000, 0xEB7121C3)
Base at EB70000

0x0000000a (0x0100005a, 0x00000002, 0x00000000, 0x80064cb9)
Microsoft Windows 2000 [v15.2195]

0x0000000a (0x04018008, 0x00000002, 0x00000000, 0x80064cb9)
Microsoft Windows 2000 [v15.2195]

Different to the system configuration when still cycling, errors 2 and 3 both occurred during the Mailwasher delete/bounce function. It is the "professional" version which, if I can get a "basic" copy, I'll remove/replace.

Right, the diagnostics continue. Any pointers?
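
An added worked example, not from any poster in this thread: a small Python script that decodes the three STOP lines above using the four parameter meanings listed in the post, names the bugcheck codes (the standard Microsoft names for 0x0A and 0xD1) and flags the two things worth looking at first in such a list: whether the referenced address is near zero (a NULL pointer plus offset) and whether the same faulting address shows up in more than one crash. The IRQL names and the 0x80000000 kernel boundary are standard 32-bit Windows values assumed here, not taken from the post.

```python
"""Decode Windows 2000 STOP (bugcheck) lines of the form
   0x000000D1 (0x00000073, 0x00000002, 0x00000000, 0xEB7121C3)
into named fields and flag patterns that point at a driver bug."""
import re

# Bugcheck codes whose four parameters follow the layout the post describes:
# referenced address, IRQL, 0=read/1=write, address of the faulting code.
BUGCHECK_NAMES = {
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x000000D1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}
IRQL_NAMES = {0: "PASSIVE_LEVEL", 1: "APC_LEVEL", 2: "DISPATCH_LEVEL"}

# 32-bit Windows with the default 2 GB/2 GB split: kernel addresses start here.
KERNEL_BASE = 0x80000000
# The lowest 64 KB of user space is never mapped, so a referenced address
# below it is almost always a NULL pointer plus a small structure offset.
NULL_PAGE_LIMIT = 0x10000

HEX = r"0x([0-9a-fA-F]+)"
STOP_RE = re.compile(
    r"0x([0-9a-fA-F]{8})\s*\(\s*" + HEX + r"\s*,\s*" + HEX
    + r"\s*,\s*" + HEX + r"\s*,\s*" + HEX + r"\s*\)"
)


def parse_stop(line):
    """Return a dict of decoded fields, or None if the line is not a STOP line."""
    m = STOP_RE.search(line)
    if not m:
        return None
    code, p1, p2, p3, p4 = (int(g, 16) for g in m.groups())
    return {
        "code": code,
        "name": BUGCHECK_NAMES.get(code, "UNKNOWN_BUGCHECK"),
        "referenced": p1,
        "irql": p2,
        "irql_name": IRQL_NAMES.get(p2, "IRQL_%d" % p2),
        "access": "write" if p3 == 1 else "read",
        "faulting_address": p4,
        "faulting_in_kernel_space": p4 >= KERNEL_BASE,
        "near_null_dereference": p1 < NULL_PAGE_LIMIT,
    }


def summarise(lines):
    """Parse every STOP line and mark faulting addresses seen more than once.
    The same instruction address faulting across separate crashes points at
    a deterministic code path (a driver bug) rather than flaky hardware."""
    records = [r for r in (parse_stop(l) for l in lines) if r]
    hits = {}
    for r in records:
        hits[r["faulting_address"]] = hits.get(r["faulting_address"], 0) + 1
    for r in records:
        r["repeat_faulting_address"] = hits[r["faulting_address"]] > 1
    return records


# Constructed sample: the three STOP lines quoted in the post above.
POSTED_STOPS = [
    "0x000000D1 (0x00000073, 0x00000002, 0x00000000, 0xEB7121C3)",
    "0x0000000a (0x0100005a, 0x00000002, 0x00000000, 0x80064cb9)",
    "0x0000000a (0x04018008, 0x00000002, 0x00000000, 0x80064cb9)",
]

if __name__ == "__main__":
    for r in summarise(POSTED_STOPS):
        print("%s: %s of 0x%08X at %s from 0x%08X%s%s" % (
            r["name"], r["access"], r["referenced"], r["irql_name"],
            r["faulting_address"],
            " [near-NULL pointer]" if r["near_null_dereference"] else "",
            " [same faulting address as another crash]"
            if r["repeat_faulting_address"] else ""))
```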

mikmik
07-09-2004, 08:40 PM
Pete, I cannot get through to you via 'telephone' for some reason, so I guess we will continue here.

There are two other possibilities (I can't believe I didn't think of these first grrr)

You may have a power supply problem, or an overheating problem.

Number one to do is to blow out your heatsink and fan!

If you get a can of the compressed air, and clean out the fins and the area between the actual fan and your heatsink, it may do it.

I had a case (LOL) where the person had a buildup of dust that formed a mat between his fan and heatsink so that no airflow was getting into the fins. His computer was acting like yours.

Good luck with that one, mate :O)

pete61uk
07-10-2004, 04:14 AM
mikmik wrote:

"You may have a power supply problem, or an overheating problem."

A good suggestion and, coincidentally, I heard of that too. I had been monitoring the system and IC temperatures, which were both within operating parameters.

However, when I checked all my hardware connections I looked at the fans and heatsink also, and yes, there was an accumulation of crap on them which I duly cleaned off. No effect though!

Question 1: Is it possible to check the operating temperatures through a Win2k utility instead of through the "delete" BIOS pages?

Question 2: .NET. If I'm not using my pc to network is there any point in leaving it on my system?

Further to my last, I removed the Mailwasher pro version and replaced it with the down-graded freebie. However, the STOP errors still persist during the delete/bounce procedure.

Action: I've contacted them to see if they were interested. No reply as yet.

Also, woohoo - not a STOP error - when I tried to go into "standby" mode, it refused, citing an nVidia Riva TNT2 Model 64 driver error.

Action: Got on to the NVidia site and downloaded the latest Win2k driver. On test that fault was cured!

Ah well, still testing, but at least I can (so far) use my beloved Office 2000 Pro and Macromedia software.

khurramali
06-10-2006, 10:13 PM
Get a hardware router with an SPI (Stateful Packet Inspection) firewall; they are inexpensive and are better than software firewalls, though you should have both.

Make regular backups of your computer systems.

You should have Windows Update turned on to automatically update your machine.

You should have updated antivirus software (I prefer Norton Corporate Edition).

You should have anti-spyware (Microsoft Defender is a good option).

Avoid using IE, and switch to Firefox.

Don't download Gator, Smileys and free screen savers.

trsiyengar
11-10-2006, 09:42 AM
Fine, I got this reply almost two years after settling down with my computer working perfectly. NAV latest version installed. Never download any sort of screen savers; spyware/malware are kept at a distance.

Oh, regular back-ups in H/D as well as in the CD are taken. Now all fine, smoothly going.

Thanks a lot, though belated; still worthy to listen to the veterans. Sorry, I failed to notice your reply as I am no longer watching this thread!