What to do about a persistent virus?



clh333
February 3rd, 2018, 08:58 AM
I'll post this question elsewhere as it pertains to more recent hardware and OS than is germane to the VCF but I know there will be someone here who has an interest, and maybe even a suggestion for how to handle this problem: I have come to the conclusion that I have a BIOS infection on an ABIT KW7 (socket 7 Athlon) motherboard. Here's why: Every attempt I have made to install or update any anti-virus software or definitions update has been unsuccessful.

The machine was built from components around 2005 but I replaced the motherboard a few years ago. I installed Windows XP Pro and ran the machine very little until recently when I hooked it up to make use of its FDDs. In the process I updated a few things, including the AVG anti-virus that had last been updated in 2015. That's when things started going sideways.

The short version of the long story is that not only was I unable to update AVG, but no other anti-virus or anti-malware software has run successfully, either. I wiped the disk (booted Killdisk from a CD and rewrote with zeroes) and reinstalled XP; same story. Wiped again and installed WIN7 this time. All of the hundreds of updates from Microsoft installed successfully, except for the Defender anti-virus update.

I downloaded the manual update of Defender definitions; it halted upon invocation. I tried running in safe mode; no success. Every attempt halted upon execution of the code.

Finally I downloaded Windows Defender Offline, which is a bootable CD with executable and virus definitions on board. The computer, which has often booted from CD in the past, started reading the CD, posted a message "Cannot locate BOOT_MGR" and proceeded to boot from the HD once more.

The only possibility I can think of now is that the BIOS itself (Award BIOS 6.00) is harboring code that intercepts BIOS calls and compares the file name to a list. My next move would be to re-flash the BIOS with an update, but if I do I will eradicate whatever is there without knowing what it was. At least, that's the way it seems to me.

Anyone who has been through this and solved it or has a suggestion for what to try next, I'd welcome your input. Thanks!

-CH-

Stone
February 3rd, 2018, 09:32 AM
Try booting from a CD, e.g., a Windows installation disk, with the HD disconnected.

Trixter
February 3rd, 2018, 11:48 AM
The only possibility I can think of now is that the BIOS itself (Award BIOS 6.00) is harboring code that intercepts BIOS calls and compares the file name to a list. My next move would be to re-flash the BIOS with an update, but if I do I will eradicate whatever is there without knowing what it was. At least, that's the way it seems to me.


That is extremely unlikely -- which is why I suggest you do it, so that you can quickly eliminate that as the source of your trouble.

My gut feeling is that there is a component-level failure on the board, actually.

clh333
February 4th, 2018, 03:27 AM
That is extremely unlikely -- which is why I suggest you do it, so that you can quickly eliminate that as the source of your trouble.

My gut feeling is that there is a component-level failure on the board, actually.

Thanks for your suggestions. As lengthy as my OP was I left out or condensed several days of trial and error.

My first suspect component was the Tenda wireless USB adapter. I have used them on several machines, but this one seemed to have slow throughput and once or twice I thought I saw an alien IP mentioned - not the usual 192.168.xx.xx. I removed the adapter, uninstalled the driver and utility and let Windows take over the connection. Unfortunately Windows could not furnish / find a driver so I had to reinstall the Tenda driver. After reinstall things worked well again, though.

The machine has a second Abit board that I bought from a Craig's List poster. The fact that the first board failed could point to an internal fault, but what component would fail in such a way that only one class of program would fail on installation or invocation? Up to the point of the Defender Offline boot I had wiped and reloaded the OS twice (first a reinstall of XP, second a new install of Win7), run diagnostic utilities (Smith Micro Check-it latest version), and installed and de-installed several drivers and utilities, all without incident. Yet every time I would try to install or update an anti-virus or anti-malware program it would fail.

The machine was a dual-boot machine with RH Fedora 21 on a separate HD. None of these problems occurred running Linux. (I have removed the Linux drive for now.)

Under XP the usual error message would be a "division by zero, execution halted" type message. Later I also saw "Dr. Watson failed to start" or "Windows Explorer failed to start". After installing Win7 I went through a lengthy spate of Windows Updates (about 160 in all). The only one that was unsuccessful was Windows Defender antivirus definitions for 2/18. Tried three times, the third after all other updates had succeeded. An included update was to IE11, and the first time IE ran it offered a "tune-up" of Internet settings, including the installation of Windows Defender. Once again the update of definitions caused a halt to the install.

The Windows Defender Offline CD was written on another Win7 machine that I am reasonably sure is clean. (I do not employ a home network; I do not employ file or printer sharing and each machine connects to a wireless router / cable modem - Netgear 8 DS 4 US - through WPA2-PSK.) The DVD drive in the Abit machine has been used to boot and / or install FreeDOS, Linux, MS-DOS 6.22, Killdisk, XP and Win7. As far as I can tell it is working well, and after the WDO boot failure on the Abit I tried the disk in the other Win7 machine, where it originated, and booted normally.

Before I flash the BIOS I am going to try one other tactic: There is a Linux-based version of a self-booting anti-malware program that reportedly can scan the Windows drive from Linux. I'll try that first.

Thanks again,

-CH-

KC9UDX
February 4th, 2018, 06:54 AM
Have you tested your RAM?

SomeGuy
February 4th, 2018, 07:41 AM
That is what I am thinking too. Give the board a test with memtest86, perhaps a CPU burn-in test with Prime95, and something to check the disk I/O. Most software will survive for a while when a few bits get flipped, but anti-virus programs are much more aggressive in their resource usage and (hopefully) have more internal integrity checks. Random crashes in Explorer or Dr. Watson also suggest something other than the specific applications.

Stone
February 4th, 2018, 07:45 AM
Try booting from a CD, e.g., a Windows installation disk, with the HD disconnected.
The machine was a dual-boot machine with RH Fedora 21 on a separate HD. None of these problems occurred running Linux. (I have removed the Linux drive for now.)
Sure sounds like the Windows HD itself is the culprit here. :-)

Have you tried another HD for Windows or have you persisted with the same (possibly infected) drive over and over again?

My money's on a Boot Sector problem or more specifically a Rootkit.

Try DBAN.

clh333
February 4th, 2018, 10:25 AM
I have spent the time since I last posted downloading live CD anti-virus applications (WDO, AVG, Dr.Web) and one Linux install, ClamAV. I reattached the Linux HD and disconnected the Win7 HD to perform the install of ClamAV, then rebooted and ran a scan of the Windows directory. The program found > 750 "potentially dangerous" programs, but without a way to delete en masse I gave up after deleting about 100 of them individually.

After another power-down I detached the Linux drive, reattached the Win7 and booted from the AVG CD. The AVG live disk uses a flavor of Linux as its OS. It could see the HD but as its virus defs were from 2016 and as the OS could not get my WiFi connection established I gave up on that.

I tried the WDO again and this time it booted - sorta. It went right into some investigation of the HD (DVD and HD lights flickered, but the screen was blank). Eventually I got the message in Pic 1 below. I cancelled the dialog and the program proceeded to display the Defender update screen, which I have seen before, telling me the defs were out of date (Pic 2). Now, I downloaded the defs along with the app yesterday so I don't know why it needed an update, but it tried and failed, again because no WiFi (Pic 3).

My next attempt is with another live CD, this one from Dr.Web (whose web page is in English and Russian... I'm wondering about this one...) whose OS is another Linux flavor but at least has allowed me to connect to the router and download the current defs. I started it on a system-wide, find-everything scan just now. I'll check back after the Super Bowl.

The app I used to wipe the disk is called Killdisk and I have used it successfully before: There was this one time I was involved in a lawsuit, and... Well, that's another story. AFAIK it wipes everything. Here is their site: http://www.killdisk.com/ I may well have a rootkit but so far it's been my equal. My best guess was that the BIOS had been tweaked to intercept and replace the MBR address or the MBR had been redirected to load something before everything else. I'd love to find out how this thing works.

Haven't ruled out hardware, though. Still trying to figure out what else to do to diagnose that.

Thanks again for everyone's suggestions.

-CH-


Stone
February 4th, 2018, 11:06 AM
This problem is not something Windows Defender can help you with. This is out of Defender's league.

You really need to try another HD to verify that it's not a hardware (as in motherboard) issue.

Trixter
February 4th, 2018, 11:56 AM
Haven't ruled out hardware, though. Still trying to figure out what else to do to diagnose that.

Reflash your BIOS.

clh333
February 5th, 2018, 04:13 AM
Ran the live-boot CD AV and scanned everything: nothing found. Removed all cards except video and uninstalled / replaced the Tenda adapter with another (Netis WF-2109) brand. Re-ran WD defs update, failed (pic below), then downloaded manual update of defs, failed as soon as invoked (pic below).

I will re-flash the BIOS next and if that doesn't solve the problem I will switch HDs to one that has never been attached to this machine.

Thanks again for all your suggestions.

-CH-


Stone
February 5th, 2018, 04:24 AM
I will re-flash the BIOS next and if that doesn't solve the problem I will switch HDs to one that has never been attached to this machine.

Based on system priorities, I would perform these two functions in the reverse order.

clh333
February 5th, 2018, 06:44 AM
Based on system priorities, I would perform these two functions in the reverse order.

Looks like I will have to do that anyway: I am unable to flash the BIOS.

First problem is that the manufacturer, Abit, a Taiwanese company, is out of business. Their web site has been archived but my board and BIOS are not listed. I located and downloaded drivers, supposedly for my board, from third-party sites and attempted to update the BIOS, but ran into an "Insufficient memory" error (pic below).

The procedure I followed was to download the .exe file on this Win7 machine and transfer the .exe (about 256k) to a 1.4 Mb FD which had been pre-formatted on a DOS machine. I started the Abit from the FreeDOS v.1 live CD and booted to an A: prompt. With my 1.4 FD in place I switched to B: where I extracted the archived files, a couple of BAT files, the .BIN file, the flash executable and a readme file. Following the readme I ran the "RUNME.bat" file which executed but finished with the "insufficient memory" message (pic below).

I have the Abit Drivers CD that came with the original board. In a folder there is the original Award flash utility, but no BIOS image. I tried that utility with the same results.

Pictured below is the BIOS chip and the system info highlighting the BIOS version. I'm not sure whether I have the wrong version of the BIOS update (I tried V15 and V11 for the KW7). It may be that the later versions were for a larger BIOS IC. Alternatively I may be following the wrong procedure. A third possibility is that the .BIN file, which appears to be compressed, cannot be extracted on the floppy.

So after all of this I guess I try another drive.

Thanks again,

-CH-


Stone
February 5th, 2018, 07:14 AM
Here's my overall opinion in a nutshell:

1) You can't hurt your machine by switching the HD. Additionally, you might even learn something. :-)

2) You can surely brick it by screwing around with the BIOS, especially if that's not something you are very familiar with.

SomeGuy
February 5th, 2018, 07:16 AM
If you have not already done so, RUN MEMTEST! Flashing a BIOS while you have faulty RAM can result in an unbootable system!

How much memory does Freedos report as available? I am not familiar with their live CD, but it probably loads extra drivers that may eat up memory. Does it have an option for a minimal boot? That is odd, as Freedos almost lives for BIOS flashing.

How about instead just hunting down a normal MS-DOS 6.x or Win9x 1.44m boot floppy, open it in WinImage, delete all files except IO.SYS, MSDOS.SYS, COMMAND.COM and HIMEM.SYS. Create a CONFIG.SYS text file with just the line "DEVICE=HIMEM.SYS", then copy in your BIOS flash tools. Write that image to a floppy and boot from it. If it does the same thing then there is something horribly wrong with that board.

Stone
February 5th, 2018, 08:11 AM
...Flashing a BIOS while you have faulty RAM can result in an unbootable system!...

That's one way and there are many others.

clh333
February 6th, 2018, 04:24 AM
1) You can't hurt your machine by switching the HD. Additionally, you might even learn something. :-)

It's all about learning something. I don't need the machine; I just want to find out what's going on. That's why I'm grateful for others' input.


2) You can surely brick it by screwing around with the BIOS, especially if that's not something you are very familiar with.

Always a risk, and wouldn't be the first time I've rendered something useless. But I do have the original board with the identical BIOS and presumably can fall back on that.

-CH-

clh333
February 6th, 2018, 04:55 AM
RUN MEMTEST!

Will do.


How much memory does Freedos report as available? I am not familiar with their live CD, but it probably loads extra drivers that may eat up memory. Does it have an option for a minimal boot? That is odd, as Freedos almost lives for BIOS flashing.

The Award BIOS reports 3 Gb (3144704) as a result of a memory test on boot. FreeDOS' 1.0 MEM command reports 3144280k total memory, divided as follows: 634k conventional, 48k upper, reserved 342k, extended 3,143,256k, with FreeDos resident in high memory. A screen shot is shown below. I have five options when the live CD boots, one of which is to install to the HD, one to run from the CD with drivers for extended / expanded memory and another one is to run from the CD with no drivers installed at all.


How about instead just hunting down a normal MS-DOS 6.x or Win9x 1.44m boot floppy, open it in WinImage, delete all files except IO.SYS, MSDOS.SYS, COMMAND.COM and HIMEM.SYS. Create a CONFIG.SYS text file with just the line "DEVICE=HIMEM.SYS", then copy in your BIOS flash tools. Write that image to a floppy and boot from it. If it does the same thing then there is something horribly wrong with that board.

I will try that and let you know what happens. Thanks for your suggestions.

-CH-


glitch
February 6th, 2018, 05:25 AM
As others have said, I'd suspect bad RAM is way more likely than a BIOS-resident virus. My vote is also for memtest86+ :)

clh333
February 6th, 2018, 06:40 AM
One pass through memtest86, no errors:


-CH-

clh333
February 6th, 2018, 07:50 AM
Succeeded in re-flashing the BIOS, using SomeGuy's suggestion of a bootable floppy. Found this article on the topic as well: https://forums.techguy.org/threads/insufficient-memory-when-trying-to-flash-bios.34862/. I created the config.sys with the suggested "device=himem.sys" line in it. When I was using FreeDos I was booting it "clean", i.e. with nothing resident, as the txt file with the update suggested, and that may have caused the insufficient memory error.

Anyway, I flashed KW7 version 11, which had a date of 2004, and then version 15, which had the same date as the one I replaced. I am confident the existing BIOS has been replaced.

I do not have another SATA drive similar to the 150 Gb Samsung that I was using for Windows. The Linux drive is a WD of about the same size but I don't want to sacrifice that. I do have another similar machine, an IBM ThinkCentre, with a SATA drive that has WinXP loaded already. I could put that into the Abit and perhaps quickly confirm or disprove the hardware question, but if I were to infect that drive as well then I would regret the choice.

I think I'm going to have to find another SATA drive... More to come.

Thanks again to all who offered suggestions.

-CH-

Stone
February 6th, 2018, 08:27 AM
No need for a SATA drive -- A plain old IDE drive will do just fine for test purposes. :-)

KC9UDX
February 6th, 2018, 01:36 PM
You may want to see if the problem persists already. It would be nice to know which fix solved the problem.

SomeGuy
February 6th, 2018, 03:14 PM
That is odd, with those kinds of errors I really would have expected a bad memory failure.

I'd still suggest running Prime95 as a CPU test.

Can someone recommend a good reliability tester for modern-ish hard drives? I've run into my fair share of intermittent flaky IDE communications over the years - very hard to diagnose sometimes. (Usually the darn cables).

I don't believe that it is applicable to the KW7, but the KT7A had some issues with PCI latency that could cause random intermittent crashes under Windows XP or 7. If these problems persist, you might go into the BIOS setup and disable various advanced CPU/PCI options and see if that makes any difference.

clh333
February 7th, 2018, 05:28 AM
You may want to see if the problem persists already. It would be nice to know which fix solved the problem.

It's tempting to mount the Samsung drive and see if things are "fixed" but I'll do that after trying a fresh install on another drive first. I have an IDE that I am preparing for use.

-CH-

clh333
February 7th, 2018, 05:32 AM
I'd still suggest running Prime95 as a CPU test.

I'll try that today before reinstalling Windows.


I don't believe that it is applicable to the KW7, but the KT7A had some issues with PCI latency that could cause random intermittent crashes under Windows XP or 7. If these problems persist, you might go in to the BIOS setup and disable various advanced CPU/PCI options and see if that makes any difference.

The BIOS update caused a reset to "default" settings both times. Not sure whether that means "advanced" were disabled, but I could load "safe" settings instead. As above, I'll do that before reinstall.

-CH-

clh333
February 7th, 2018, 01:41 PM
I removed all the SATA drives and installed an IDE drive of about 150 Gb size. Immediately checked BIOS to see that it was being recognized as CH1 Master, then saved config and booted to the FreeDos Live CD. From there I ran FDISK and made one active DOS partition out of the drive. Then I ran Format /U to launch the FreeDos format, which took at least four hours to complete. Internet connectivity was disabled.

When done I retrieved a different XP Pro installation disk, one I had not used to install on this machine before, and performed a fresh install of XP Pro, SP2. I allowed Windows to change the format from FAT32, which FreeDos had used, to NTFS. Install was successful, but there was no Internet access. Next I performed the SP3 update, also successful.

By means of a USB drive, which this Win7 machine has examined and pronounced clean, I transferred the setup files for Avast Free. I had searched specifically for XP compatibility and decided on this. I had been using AVG but had experienced trouble with it recently so took another tack. As soon as I invoked it I encountered an error (pic below). I thought MAYBE it was because it wanted to update its definition files first thing so I installed the Netis driver and utility and established Internet connectivity. Then I tried the installation of Avast again, with the same result. Third try under safe mode, same results.

All in all I tried installing about six anti-malware packages. The only ones that installed successfully were versions that, after installation, announced they were unusable with WinXP, with two exceptions: MalwareBytes failed with a floating-point error message when I tried to install v.3.x but installed 2.x and then attempted an update, and announced that there was a newer version. When I okayed downloading the newer version it halted with an error. The "old" version ran, but did not find anything. Another program, which I ran under safe mode as well, ran from a command prompt and announced it had found and eliminated UNREGMP2.exe in the registry and in the win32 folder, but deleting this did not resolve the installation issue.

Those programs that failed to install left one of two error messages. See below for examples.

So far I'm 0-for-ever.

-CH-


Trixter
February 7th, 2018, 03:44 PM
there was no Internet access. Next I performed the SP3 update

How did you perform the update without internet access? In other words: Are you sure your SP3 update isn't corrupted? Are you sure the XP you're installing isn't corrupted? Have you installed both on another computer to ensure they're fine?

If you run the TDSS tool again, post what the report contains (just the screenshot is unhelpful).

clh333
February 8th, 2018, 02:28 AM
The XP installation media was in the form of CDs. XP was OEM issue (came with the refurbished IBM ThinkCentre that was purchased from MicroCenter 4 or 5 years ago), SP3 was downloaded 6-7 years ago. Both had been installed elsewhere before but I will check them to see if they are corrupt; thank you for the suggestion.

I will re-run the TDSS tool and retrieve the error report.

-CH-

clh333
February 8th, 2018, 04:19 AM
How did you perform the update without internet access? In other words: Are you sure your SP3 update isn't corrupted? Are you sure the XP you're installing isn't corrupted? Have you installed both on another computer to ensure they're fine?

If you run the TDSS tool again, post what the report contains (just the screenshot is unhelpful).

Neither the XP nor the SP3 install disk reported any problems when scanned with AVG and MalwareBytes on this Win7 machine.

I ran the Kaspersky again on the XP machine, and as before I got an exception as soon as it was invoked. I noted that it was creating a report file in the Locals/Temp directory so I looked to see what was there. Apparently when the exception occurs two files are created; a .TXT file and a .DMP file. As soon as I closed the exception dialog both were deleted, although there were other similar files from yesterday that persisted.

I was able to make a copy of the .txt file but could not access the .dmp file to view or copy its contents. The .txt file is attached as are screen shots of the exception report, which appears to be much more detailed than the .txt file indicates, and a before and after view of the TEMP folder contents.

-CH-


A portion of the TXT file:

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="tdsskiller.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="EmsisoftEmergencyKit.exe" SIZE="309745960" CHECKSUM="0xDCCBD3A5" MODULE_TYPE="WIN32" PE_CHECKSUM="0x12768C55" LINKER_VERSION="0x0" LINK_DATE="02/03/2016 19:38:25" UPTO_LINK_DATE="02/03/2016 19:38:25" />
<MATCHING_FILE NAME="ERARemover_x64.exe" SIZE="2991832" CHECKSUM="0xE1F0F162" BIN_FILE_VERSION="1.0.4.1" BIN_PRODUCT_VERSION="1.0.4.1" PRODUCT_VERSION="1.0.4.1" FILE_DESCRIPTION="ESET Rogue Applications Remover" COMPANY_NAME="ESET" PRODUCT_NAME="ESET Rogue Applications Remover" FILE_VERSION="1.0.4.1" ORIGINAL_FILENAME="ERARemover.exe" INTERNAL_NAME="ERARemover" LEGAL_COPYRIGHT="Copyright (c) ESET, spol. s r.o. 1992-2012. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x2DE2DD" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="1.0.4.1" UPTO_BIN_PRODUCT_VERSION="1.0.4.1" LINK_DATE="10/10/2012 09:37:06" UPTO_LINK_DATE="10/10/2012 09:37:06" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="ERARemover_x86.exe" SIZE="2273880" CHECKSUM="0xE741E97B" BIN_FILE_VERSION="1.0.4.1" BIN_PRODUCT_VERSION="1.0.4.1" PRODUCT_VERSION="1.0.4.1" FILE_DESCRIPTION="ESET Rogue Applications Remover" COMPANY_NAME="ESET" PRODUCT_NAME="ESET Rogue Applications Remover" FILE_VERSION="1.0.4.1" ORIGINAL_FILENAME="ERARemover.exe" INTERNAL_NAME="ERARemover" LEGAL_COPYRIGHT="Copyright (c) ESET, spol. s r.o. 1992-2012. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x232DFD" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="1.0.4.1" UPTO_BIN_PRODUCT_VERSION="1.0.4.1" LINK_DATE="10/10/2012 09:34:49" UPTO_LINK_DATE="10/10/2012 09:34:49" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3374.exe" SIZE="83316440" CHECKSUM="0x1CD368B1" BIN_FILE_VERSION="3.3.1.2183" BIN_PRODUCT_VERSION="3.3.1.2183" PRODUCT_VERSION="3.3.1.2183 " FILE_DESCRIPTION="Malwarebytes " COMPANY_NAME="Malwarebytes " PRODUCT_NAME="Malwarebytes " FILE_VERSION="3.3.1.2183 " LEGAL_COPYRIGHT=" 2017 Malwarebytes. All Rights Reserved. " VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x4F81040" LINKER_VERSION="0x60000" UPTO_BIN_FILE_VERSION="3.3.1.2183" UPTO_BIN_PRODUCT_VERSION="3.3.1.2183" LINK_DATE="01/15/2016 08:22:50" UPTO_LINK_DATE="01/15/2016 08:22:50" VER_LANGUAGE="Language Neutral [0x0]" />
<MATCHING_FILE NAME="mbam-setup-2.0.3.1025.exe" SIZE="19828376" CHECKSUM="0xDE4AFC41" BIN_FILE_VERSION="2.0.3.1025" BIN_PRODUCT_VERSION="2.0.3.1025" PRODUCT_VERSION="2.0.3.1025 " FILE_DESCRIPTION="Malwarebytes Anti-Malware " COMPANY_NAME="Malwarebytes Corporation " PRODUCT_NAME="Malwarebytes Anti-Malware " FILE_VERSION="2.0.3.1025 " LEGAL_COPYRIGHT="(c) Malwarebytes Corporation. All rights reserved. " VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x12F38C5" LINKER_VERSION="0x60000" UPTO_BIN_FILE_VERSION="2.0.3.1025" UPTO_BIN_PRODUCT_VERSION="2.0.3.1025" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="Language Neutral [0x0]" />
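A small triage helper for the report format quoted above, added here as an example and not code from the thread or from any vendor tool: it parses the GRABMI-style <MATCHING_FILE> entries into a comparable list (so the same files can be checked against what a known-clean machine reports) and flags entries with no version resource or with the fixed 1992 Borland/Delphi linker timestamp rather than a real build time. The sample report is constructed from two of the quoted entries with closing tags added; the field names and the placeholder date are assumptions taken from that text.

```python
"""Parse and triage a GRABMI-style MATCHING_FILE report (added example)."""
from datetime import datetime
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the report quoted in the thread.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="tdsskiller.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="EmsisoftEmergencyKit.exe" SIZE="309745960" CHECKSUM="0xDCCBD3A5" MODULE_TYPE="WIN32" PE_CHECKSUM="0x12768C55" LINKER_VERSION="0x0" LINK_DATE="02/03/2016 19:38:25" UPTO_LINK_DATE="02/03/2016 19:38:25" />
<MATCHING_FILE NAME="mbam-setup-2.0.3.1025.exe" SIZE="19828376" CHECKSUM="0xDE4AFC41" BIN_FILE_VERSION="2.0.3.1025" FILE_DESCRIPTION="Malwarebytes Anti-Malware " COMPANY_NAME="Malwarebytes Corporation " LEGAL_COPYRIGHT="(c) Malwarebytes Corporation. All rights reserved. " MODULE_TYPE="WIN32" PE_CHECKSUM="0x12F38C5" LINKER_VERSION="0x60000" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" />
</EXE>
</DATABASE>
"""

# Borland/Delphi linkers write this constant PE timestamp (0x2A425E19),
# so it says nothing about when the binary was actually built.
BORLAND_PLACEHOLDER = datetime(1992, 6, 19, 22, 22, 17)


def _to_text(data):
    """Accept the raw file (UTF-16 with BOM, as the tool writes it) or a str."""
    if isinstance(data, bytes):
        enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
        data = data.decode(enc)
    # Drop the XML declaration so the parser does not insist on the
    # declared encoding once we already hold decoded text.
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", data, count=1)


def _parse_date(value):
    """LINK_DATE uses MM/DD/YYYY HH:MM:SS; None if absent or unparseable."""
    if not value:
        return None
    try:
        return datetime.strptime(value, "%m/%d/%Y %H:%M:%S")
    except ValueError:
        return None


def parse_report(data):
    """Return one dict per MATCHING_FILE with the fields worth comparing."""
    root = ET.fromstring(_to_text(data))
    entries = []
    for exe in root.iter("EXE"):
        for mf in exe.findall("MATCHING_FILE"):
            a = mf.attrib
            version = (a.get("FILE_VERSION") or a.get("BIN_FILE_VERSION") or "").strip()
            company = (a.get("COMPANY_NAME") or "").strip()
            entries.append({
                "host": exe.get("NAME"),
                "name": a.get("NAME"),
                "size": int(a.get("SIZE", "0")),
                "checksum": a.get("CHECKSUM"),
                "pe_checksum": a.get("PE_CHECKSUM"),
                "version": version or None,
                "company": company or None,
                "link_date": _parse_date(a.get("LINK_DATE")),
            })
    return entries


def triage(entries):
    """Return (name, [notes]) for entries a responder should look at twice."""
    findings = []
    for e in entries:
        notes = []
        if e["version"] is None and e["company"] is None:
            notes.append("no version resource: vendor and build cannot be read from the file")
        if e["link_date"] == BORLAND_PLACEHOLDER:
            notes.append("link date is the Borland/Delphi placeholder, not a real build time")
        elif e["link_date"] is None:
            notes.append("link date missing or unparseable")
        if e["pe_checksum"] in (None, "0x0"):
            notes.append("PE checksum absent or zero")
        if notes:
            findings.append((e["name"], notes))
    return findings


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for entry in parsed:
        print(f'{entry["name"]}: size={entry["size"]} checksum={entry["checksum"]} '
              f'version={entry["version"]} linked={entry["link_date"]}')
    for name, notes in triage(parsed):
        print(f"[check] {name}: " + "; ".join(notes))
```

To compare against a clean machine, run parse_report() on the report from each side and diff the name/size/checksum tuples; a file that differs in size or checksum between the two is the one to examine.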

Krille
February 8th, 2018, 09:21 AM
You've got a hardware problem. It might seem to be related to your AV software but that's likely only because it is the first kind of software you install that really taxes the system. I imagine you'll get the same result if installing and running a game with sufficiently high system requirements.


One pass through memtest86, no errors:


-CH-

One pass is not enough. Let it run overnight. I once reduced the CAS latency on a system of mine and memtest86 found no errors (even after several passes, IIRC). Happy as a clam over my apparently successful little "overclock", I proceeded to boot Windows and run Battlefield 2. After playing for a while (half an hour maybe?) I was disconnected from the server because I had failed the integrity check internal to BF2. In other words, the RAM contents was corrupt.

The CAS latency went back up and I was sad that BF2 was back to its regular, somewhat laggy, self. At the same time I was grateful that I had not caused any file system corruption. Anyway, the point is that you might need to run memtest86 for a long time before errors are found. The same goes for Prime95, which you still haven't run, it seems. Reinstalling Windows and AV software over and over again isn't going to change anything.

Also, if you haven't already done so, I would recommend doing a visual inspection of the motherboard to look for bulging or leaking capacitors. After all, this board is straight out from the bad caps era.

Stone
February 8th, 2018, 09:44 AM
You've got a hardware problem.

...Also, if you haven't already done so, I would recommend doing a visual inspection of the motherboard to look for bulging or leaking capacitors. After all, this board is straight out from the bad caps era.

I'm inclined to agree with you.

Problem is... a visual inspection of the caps can only be fruitful if there is actually visual evidence and more often than not there isn't any.

Additionally, correct, thorough checking of caps can be a Royal Pita and this is true even if you have the correct equipment.

Trixter
February 8th, 2018, 10:36 AM
an ABIT KW7 (socket 7 Athlon) motherboard

That's a socket A motherboard, not socket 7. Exactly what CPU do you have installed? (This is relevant because one of the errors you posted is a CPU invalid opcode error -- I'm wondering if the CPU is being detected as something it isn't, leading these programs to try to execute instructions that are invalid)

Also, run prime95 as people have suggested. It should survive at least 10 minutes on full burn.

lowen
February 9th, 2018, 06:27 AM
For what it's worth, there is at least a proof-of-concept hard disk firmware rootkit for XP out in the wild; see: https://hackaday.com/2015/06/08/hard-drive-rootkit-is-frighteningly-persistent/. While that is probably not the case here, it is a possibility.

clh333
February 9th, 2018, 08:45 AM
You've got a hardware problem. ... One pass is not enough. Let it run overnight.

Also, if you haven't already done so, I would recommend doing a visual inspection of the motherboard to look for bulging or leaking capacitors. After all, this board is straight out from the bad caps era.

The machine has been on for 24 hours. At 2 PM yesterday I started the Memtest program. I let it run until 6 AM today; 16 hours. There were no errors reported.

Immediately after stopping Memtest I started the processor "torture test", which ran from 6:04 AM until 12:04 PM, i.e. six hours. Again, there were no errors reported.

The machine has a 500W power supply and four fans, including a Gigabyte tower on the AMD Athlon 3000+ processor. (Socket A, as Trixter points out. My bad.) RAM is Corsair, purchased from Newegg, highly rated by other users, although of course that's no guarantee. But it's not overclocked at all. See pics below for stats.

I am aware that the board is from the era and the region that had problems with capacitors. I've had problems with those capacitors before, not only on motherboards but in Sony and Toshiba TVs, for example. But the motherboard problems I have experienced have been more along the lines of intermittent crashes shortly after boot, not selectively denying the execution of a certain class of program. In any case, the board is clean, it's in a tower, nobody has nested in there and the caps all have nice flat domes, no puddles under them or tilts in their kilts. And there must be 40 or more electrolytics that would have to be replaced; not for the faint of heart. PITA, as Stone observes, and I don't have the equipment for in-situ testing.

Thanks to all for their suggestions.

-CH-
