A Windows 98 & ME forum. Win98banter

Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!



 
 
  #1  
Old July 28th 10, 09:59 PM posted to microsoft.public.win98.gen_discussion
thanatoid

Well, it took almost 20 years but it finally happened. It's
amazing what a small batch file (maybe not so small - it has
vaporized... read on) can do.

Those bored with my gargantuan posts can just skim over most of
it (please read the SUMMARY paragraphs), but I would really
appreciate specific answers to the four numbered questions, as
well as general advice. (My KF is disabled, so go for it,
denizens of aforementioned ;-)

Using Compaq EVO-D510 SFF. One 80GB HD, one CD burner, a riser
card with two horizontal PCI slots, and ( a post from a
couple of months ago) the Compaq BIOS does not allow for more
than one device per IDE channel, I checked - relevance below.

I was running 98SELite, as always, using Opera, on two or three
sites requiring javascript etc. - otherwise I would have been
using OffByOne and this /probably/ would NOT have happened.

The firewall was on, of course, but the ESET internet
monitor/file monitor were /not/, as I do not believe that is
REALLY necessary - I /may/ have to reconsider that position ;-[

Script sentry was on, but it does nothing with batch files, just
scripts of all kinds. And it works great.

SUMMARY (2 paragraphs)


So, everything was fine, when all of a sudden my mouse and
keyboard became possessed.

Basically, it was like the left and right mouse buttons and Ctl
and Alt keys were being randomly activated, FAST. I turned off
the ADSL modem, and ran TaskInfo. There was a batch file in my
temp (either c:\temp or C:\win\temp) directory which was NOT
supposed to be there. It was running. I shut down the machine. I
can't remember the file's exact name, but it was short, 5 or so
letters, no weird numbers or figures.

Boring (yet important if you don't want to ask about stuff I
*already DID*) details:

When I restarted, the same thing was happening. (And it remains
the current situation, although one might say the virus is /less
active/ than it was (as if it had a built-in downward slope).
But the machine is unusable, plus, while the virus appears
fairly non-malignant, just annoying (ALL user control is NOT
affected, you just have to click and move the mouse a lot - and
fast, to get in between the virus activity bursts) - who knows
what it will do next? So far my data appears intact [AOT the
system] but FUD are definitely having a big party at the lair of
thanatoid at the moment.

So after the reboot, I ran TaskInfo again - no batch file
running.

I searched for batch files on the C: drive and only found the
few I wrote myself and have always had. /Nothing new./

I ran Restoration (still the only undelete program that is not
5-20 MB and actually works BETTER than any of /those/),
searching for a bat file, nothing. I thought the file might have
deleted itself after doing whatever it was supposed to do. It
must have, since it is NOWHERE to be found, deleted or present.

I rebooted, deleted the swap file in DOS, and rebooted again.
Virus still active.

I thought, OK, I'll reboot to XP - XP should be OK, right? Same
thing. Then I realized XP reads several files on C. Then I tried
to boot Damn Small Linux into memory, it would not (I /have/
successfully run it in the past).

I went back to 98, and, since I just happened to update the ESET
NOD32 signatures a couple of hours earlier, I ran it. The virus
seemed to be paused by ESET running, but while ESET scans boot
sectors and all memory, as well as everything else, it found
nothing.

I went back to XP and ran MalwareBytes Anti-Malware (or whatever
it's called - I only see 8.3 names now...) - nothing on either
C: or the XP partition. While running MBAM, virus activity
appeared to pause as well.

To make a long story a /little/ shorter, I removed the battery,
cleared the CMOS (several times, different hard- and soft-
methods), first restored an old saved MBR, then (when that did
not help) created a new MBR, and finally restored an Acronis
image after moving current C: data to another partition.

I should mention that the virus /appears/ inactive in DOS. Well,
who knows - but nothing weird /seems/ to be happening AFAICT.

Well, when the restored Acronis image (which I believe contains
the MBR in the first sector - I am extremely ignorant about some
basics) exhibited exactly the same behavior, I started thinking
WHAT the damn thing could have infected ELSEWHERE than the HD...
Unless it is hidden /somewhere/ and ****s up the MBR every time
I boot - I don't know much about viruses and what they are
capable of.

I tried Damn Small Linux again - this time it DID boot and ran
in memory...

Get ready for this...

Sigh...

DSL /appeared to exhibit/ - although to a CONSIDERABLY smaller
degree - a little of the SAME behavior - a DOS-like window
(whatever they're called in Linux) would highlight some lines of
the window depending on mouse movement, and I /think/ a menu or
two popped up without any clicking on my part. And the mouse
appeared to be malfunctioning. (OTOH, having only run DSL a
couple of times before, and for a VERY short period of time, and
already being in a somewhat altered state of mind, my perception
/may/ have been mistaken - I don't know.)

So...

Having never had to deal with this kind of thing before (I got a
virus in a POP email once, but it could not do anything, maybe
because I had all scripting disabled at the time - it was hell
to remove though), I thought the following:

QUESTION 1. It could not have messed up the processor -
first, I do not believe that is /possible/, second, DOS seems to
run fine.

QUESTION 2. AFAIK, the level1 and level2 caches clear upon a
reboot, just like RAM does. I considered whether a batch file
could alter properties of RAM and stay in it ANYWAY, but I do
NOT believe that is possible. Also, there are NO RAM cleaning
utilities on the Hiren's disk which would lead me to believe RAM
is irrelevant as long as one reboots.

QUESTION 3. Since I wiped the CMOS/BIOS (I still do NOT
understand the difference between them, although some people
have tried to explain to me), and have restored (a few times)
and then /written/ a new MBR, PLUS restored a perfect Acronis C:
image, I have NO idea where this damn thing is living.

I have the option of removing the CD burner, deleting all the
root files on the /current/ booting 80GB drive ("drive Z") using
XTreeGold, putting drive Z on the CD drive's IDE channel, and
putting in my old 40GB ("drive X") on the other - booting - IDE
channel. (I believe I don't have to physically move the Z drive,
just deleting all c:\root files will make the machine boot from
the X drive, but just in case...)

BUT - since what is happening is quite inexplicable, I am afraid
of contaminating my X drive. If the virus /is/ somewhere on the
Z drive, and neither ESET nor AntiMalware can find it, I would
imagine it is quite capable of infecting the X drive even if the
computer boots from the X drive and the virus is somewhere on Z
which one would /think/ would then just contain data - and a
disabled OS (well, two disabled OS's 98SELite and XPSP3).

Further infection /might not happen/ if I just use a LFN utility
in DOS and copy stuff to the other HD, or copy to Flash drives
using a DOS USB driver from Hiren's, but then again it MIGHT.
IOW - ATM I am afraid to put the X drive on the other IDE
channel or use Flash sticks.

No one likes this kind of stuff, even I am no exception... I am
VERY seriously considering running BeOS/Haiti or some Linux [for
all internet access, but ultimately for everything, possibly]
from a flash stick (fortunately, my BIOS allows booting from a
USB device) but ATM I am not putting /anything/ in the possessed
computer.

[Although - apart from the indignity and misery of being screwed
and humbled in my arrogance - I have really enjoyed being
internet-free for a few days... Do y'all think internet use
might be addictive? ;-#)

(I spent an enjoyable 6 hours destroying a fourth old phone in
two years while trying to fix it. Soldering isn't as easy at 55
as it was at 25... But getting soldering iron /burns/ sure is...
Fortunately I know about the "run for the freezer and press the
burn against something at -18° Celsius" instant cure.)]

But I digress...

I have /heard/ of viruses which resulted in "the entire computer
going in the trash" but I am not ready to accept that - although
I might /have/ to accept it /eventually/.

QUESTION 4:

IF the infected computer /is/ history, and I build a new one and
using a Linux version which can read FAT32 Windows partitions,
copy various standard format data from the infected HD into
Linux - I am risk free, aren't I?

I am sorry this was so long but I thought I might as well
provide ALL the information I could think of.

I am writing this on my trusty 1997-built PI 166MHz running 95B
and sending it via a 33.6 modem.

I will do some Googling and look around some security sites but
I thought I might as well humbly ask for suggestions.

IOW...

P L E A S E H E L P!

--
You know, that viruses never really sleep
And that hackers never blink their eyes
And that, you know, cats are the only ones who blush
And that the ****in' web... is just to die
- thanatoid (with /profound/ apologies to Lou Reed)
  #2  
Old July 28th 10, 10:29 PM posted to microsoft.public.win98.gen_discussion
FromTheRafters[_3_]

"thanatoid" wrote in message
...

[...]

> Script sentry was on, but it does nothing with batch files, just
> scripts of all kinds. And it works great.

???

[...]

> So after the reboot, I ran TaskInfo again - no batch file
> running.
>
> I searched for batch files on the C: drive and only found the
> few I wrote myself and have always had. /Nothing new./
>
> I ran Restoration (still the only undelete program that is not
> 5-20 MB and actually works BETTER than any of /those/),
> searching for a bat file, nothing. I thought the file might have
> deleted itself after doing whatever it was supposed to do. It
> must have, since it is NOWHERE to be found, deleted or present.

Gone, or hidden.

[...]

> Well, when the restored Acronis image (which I believe contains
> the MBR in the first sector - I am extremely ignorant about some
> basics) exhibited exactly the same behavior, I started thinking
> WHAT the damn thing could have infected ELSEWHERE than the HD...
> Unless it is hidden /somewhere/ and ****s up the MBR every time
> I boot - I don't know much about viruses and what they are
> capable of.
>
> QUESTION 1. It could not have messed up the processor -
> first, I do not believe that is /possible/, second, DOS seems to
> run fine.

That's not a question, it is a statement.

> QUESTION 2. AFAIK, the level1 and level2 caches clear upon a
> reboot, just like RAM does. I considered whether a batch file
> could alter properties of RAM and stay in it ANYWAY, but I do
> NOT believe that is possible. Also, there are NO RAM cleaning
> utilities on the Hiren's disk which would lead me to believe RAM
> is irrelevant as long as one reboots.

Another statement.

> QUESTION 3. Since I wiped the CMOS/BIOS (I still do NOT
> understand the difference between them, although some people
> have tried to explain to me), and have restored (a few times)
> and then /written/ a new MBR, PLUS restored a perfect Acronis C:
> image, I have NO idea where this damn thing is living.


Hardware or firmware issue seems more likely especially after this
*statement*.

[...]


  #3  
Old July 28th 10, 11:45 PM posted to microsoft.public.win98.gen_discussion
98 Guy
All of the above (Arrogance Punished / The Scourge of hemorrhoid / I'm "fooqué"

hemorrhoid wrote:

> Well, it took almost 20 years but it finally happened.

It already happened a long time ago - you just didn't realize it.

> It's amazing what a small batch file can do.

Couldn't have happened to a crustier hemorrhoid.

Too bad you kill-file me. I could offer a solution, but you're too
pig-headed to read it.

> P L E A S E H E L P!


You're your own worst enemy.

Go cry to MEB. Maybe he can help you.
  #4  
Old July 29th 10, 12:10 AM posted to microsoft.public.win98.gen_discussion
Buffalo



thanatoid wrote:
[snip]
> P L E A S E H E L P!


Have you tried a new mouse and/or keyboard?
Also, with the computer off, remove and reseat the mouse connector and the
keyboard connector.
Buffalo
PS: Best of luck!!


  #5  
Old July 29th 10, 12:48 AM posted to microsoft.public.win98.gen_discussion
Angus Rodgers[_2_]

On Wed, 28 Jul 2010 20:59:13 +0000 (UTC), thanatoid
wrote:

> Basically, it was like the left and right mouse buttons and Ctl
> and Alt keys were being randomly activated, FAST.
[...]
> I should mention that the virus /appears/ inactive in DOS. Well,
> who knows - but nothing weird /seems/ to be happening AFAICT.
[...]
> I tried Damn Small Linux again - this time it DID boot and ran
> in memory...
>
> Get ready for this...
>
> Sigh...
>
> DSL /appeared to exhibit/ - although to a CONSIDERABLY smaller
> degree - a little of the SAME behavior - a DOS-like window
> (whatever they're called in Linux) would highlight some lines of
> the window depending on mouse movement, and I /think/ a menu or
> two popped up without any clicking on my part. And the mouse
> appeared to be malfunctioning.
[...]


This may be a silly question (in view of some of the other strange
phenomena you described in the parts that I snipped), but have you
tried swapping the mouse for a different one?
--
Angus Rodgers
  #6  
Old July 29th 10, 12:50 AM posted to microsoft.public.win98.gen_discussion
Angus Rodgers[_2_]

On Wed, 28 Jul 2010 17:10:18 -0600, "Buffalo"
wrote:

> thanatoid wrote:
> [snip]
>> P L E A S E H E L P!
>
> Have you tried a new mouse and/or keyboard?
> Also, with the computer off, remove and reseat the mouse connector and the
> keyboard connector.
> Buffalo
> PS: Best of luck!!


(Oops, sorry, I didn't see this article in the listing - excuse my
duplicate suggestion.)
--
Angus Rodgers
  #7  
Old July 29th 10, 01:33 AM posted to microsoft.public.win98.gen_discussion
who where[_2_]

On Wed, 28 Jul 2010 20:59:13 +0000 (UTC), thanatoid
wrote:

(snip)

> P L E A S E H E L P!


Several others are thinking along a similar vein, but I'll suggest it
anyway. Are both the mouse and kb connected via the same port type
(PS/2, USB, ...)? If so, a hardware issue (or BIOS support thereof)
may be the underlying problem. Particularly if the support is not
available under DOS.

As another suggestion, do you have a spare mobo or box that you could
throw the drive into?
  #8  
Old July 29th 10, 07:51 AM posted to microsoft.public.win98.gen_discussion
thanatoid

"FromTheRafters" erratic @nomail.afraid.org wrote in
:

Thanks for the reply.

> "thanatoid" wrote in message
> ...
>
> [...]
>
>> Script sentry was on, but it does nothing with batch
>> files, just scripts of all kinds. And it works great.
>
> ???

http://www.jasonstoolbox.com/scriptsentry.asp

>> QUESTION 1. It could not have messed up the processor -
>> first, I do not believe that is /possible/, second, DOS
>> seems to run fine.
>
> That's not a question, it is a statement.

You are correct, sir. Still, it can be confirmed or denied.

>> QUESTION 2. AFAIK, the level1 and level2 caches clear
>> upon a
>> reboot, just like RAM does. I considered whether a batch
>> file could alter properties of RAM and stay in it ANYWAY,
>> but I do NOT believe that is possible. Also, there are NO
>> RAM cleaning utilities on the Hiren's disk which would
>> lead me to believe RAM is irrelevant as long as one
>> reboots.
>
> Another statement.

Ditto.

>> QUESTION 3. Since I wiped the CMOS/BIOS (I still do NOT
>> understand the difference between them, although some
>> people have tried to explain to me), and have restored (a
>> few times) and then /written/ a new MBR, PLUS restored a
>> perfect Acronis C: image, I have NO idea where this damn
>> thing is living.
>
> Hardware or firmware issue seems more likely especially
> after this *statement*.


WHICH hardware could it be living in? Not the sound card... not
the RAM... WHERE?

What /exactly/ do you mean by firmware? If you mean BIOS, it was
cleared several times, to no avail.


--
You know, that viruses never really sleep
And that hackers never blink their eyes
And that, you know, cats are the only ones who blush
And that the ****in' web... is just to die
- thanatoid (with /profound/ apologies to Lou Reed)
  #9  
Old July 29th 10, 07:54 AM posted to microsoft.public.win98.gen_discussion
thanatoid
All of the above (Arrogance Punished / The Scourge of hemorrhoid / I'm "fooqué"

98 Guy wrote in :

> hemorrhoid wrote:
>
>> Well, it took almost 20 years but it finally happened.
>
> It already happened a long time ago - you just didn't
> realize it.

Hee hee...

>> It's amazing what a small batch file can do.
>
> Couldn't have happened to a crustier hemorrhoid.

That's 'crustier thanatoid'.

> Too bad you kill-file me. I could offer a solution, but
> you're too pig-headed to read it.

Maybe.

>> P L E A S E H E L P!
>
> You're your own worst enemy.

You have NO idea how right you are.

> Go cry to MEB. Maybe he can help you.


Well, I'll say one thing - you never disappoint ;-)

But MEB has disappeared, since he refuses to use a free txt
server for reasons he is unwilling to disclose.

Thanks for the reply.


--
You know, that viruses never really sleep
And that hackers never blink their eyes
And that, you know, cats are the only ones who blush
And that the ****in' web... is just to die
- thanatoid (with /profound/ apologies to Lou Reed)
  #10  
Old July 29th 10, 07:56 AM posted to microsoft.public.win98.gen_discussion
thanatoid

"Buffalo" wrote in
:

> thanatoid wrote:
> [snip]
>> P L E A S E H E L P!
>
> Have you tried a new mouse and/or keyboard?
> Also, with the computer off, remove and reseat the mouse
> connector and the keyboard connector.

Thanks for the reply.

I have both computers hooked up to a KVM switch - keyboard
activated (scroll lock x2). Both - and the one monitor - work
perfectly with this 166 MHz machine.

> Buffalo
> PS: Best of luck!!


Judging by the replies so far, I am CERTAINLY gonna need it ;-{


--
You know, that viruses never really sleep
And that hackers never blink their eyes
And that, you know, cats are the only ones who blush
And that the ****in' web... is just to die
- thanatoid (with /profound/ apologies to Lou Reed)
 




All times are GMT +1.