Page 1 of 4 (results 1 to 10 of 35)

Thread: What to do about a persistent virus?

  1. #1
    Join Date
    Feb 2015
    Location
    Cleveland, OH, USA
    Posts
    888

What to do about a persistent virus?

    I'll post this question elsewhere as it pertains to more recent hardware and OS than is germane to the VCF but I know there will be someone here who has an interest, and maybe even a suggestion for how to handle this problem: I have come to the conclusion that I have a BIOS infection on an ABIT KW7 (socket 7 Athlon) motherboard. Here's why: Every attempt I have made to install or update any anti-virus software or definitions update has been unsuccessful.

    The machine was built from components around 2005 but I replaced the motherboard a few years ago. I installed Windows XP Pro and ran the machine very little until recently when I hooked it up to make use of its FDDs. In the process I updated a few things, including the AVG anti-virus that had last been updated in 2015. That's when things started going sideways.

    The short version of the long story is that not only was I unable to update AVG, but no other anti-virus or anti-malware software has run successfully, either. I wiped the disk (booted Killdisk from a CD and rewrote with zeroes) and reinstalled XP; same story. Wiped again and installed WIN7 this time. All of the hundreds of updates from Microsoft installed successfully, except for the Defender anti-virus update.

    I downloaded the manual update of Defender definitions; it halted upon invocation. I tried running in safe mode; no success. Every attempt halted upon execution of the code.

    Finally I downloaded Windows Defender Offline, which is a bootable CD with executable and virus definitions on board. The computer, which has often booted from CD in the past, started reading the CD, posted a message "Cannot locate BOOT_MGR" and proceeded to boot from the HD once more.

    The only possibility I can think of now is that the BIOS itself (Award BIOS 6.00) is harboring code that intercepts BIOS calls and compares the file name to a list. My next move would be to re-flash the BIOS with an update, but if I do I will eradicate whatever is there without knowing what it was. At least, that's the way it seems to me.

    Anyone who has been through this and solved it or has a suggestion for what to try next, I'd welcome your input. Thanks!

    -CH-

  2. #2


    Try booting from a CD, e.g., a Windows installation disk, with the HD disconnected.
    PM me if you're looking for 3" or 5" floppy disks. EMail For everything else, Take Another Step

  3. #3
    Join Date
    Aug 2006
    Location
    Chicagoland, Illinois, USA
    Posts
    6,000
    Blog Entries
    1


    Quote Originally Posted by clh333:
    The only possibility I can think of now is that the BIOS itself (Award BIOS 6.00) is harboring code that intercepts BIOS calls and compares the file name to a list. My next move would be to re-flash the BIOS with an update, but if I do I will eradicate whatever is there without knowing what it was. At least, that's the way it seems to me.
    That is extremely unlikely -- which is why I suggest you do it, so that you can quickly eliminate that as the source of your trouble.

    My gut feeling is that there is a component-level failure on the board, actually.
    Offering a bounty for:
    - The software "Overhead Express" (doesn't have to be original, can be a copy)
    - A working Sanyo MBC-775, Olivetti M24, or Logabax 1600
    - Music Construction Set, IBM Music Feature edition (has red sticker on front stating IBM Music Feature)

  4. #4
    Join Date
    Feb 2015
    Location
    Cleveland, OH, USA
    Posts
    888


    Quote Originally Posted by Trixter:
    That is extremely unlikely -- which is why I suggest you do it, so that you can quickly eliminate that as the source of your trouble.

    My gut feeling is that there is a component-level failure on the board, actually.
    Thanks for your suggestions. As lengthy as my OP was I left out or condensed several days of trial and error.

    My first suspect component was the Tenda wireless USB adapter. I have used them on several machines, but this one seemed to have slow throughput and once or twice I thought I saw an alien IP mentioned - not the usual 192.168.xx.xx. I removed the adapter, uninstalled the driver and utility and let Windows take over the connection. Unfortunately Windows could not furnish / find a driver so I had to reinstall the Tenda driver. After reinstall things worked well again, though.

    The machine has a second Abit board that I bought from a Craigslist poster. The fact that the first board failed could point to an internal fault, but what component would fail in such a way that only one class of program would fail on installation or invocation? Up to the point of the Defender Offline boot I had wiped and reloaded the OS twice (first a reinstall of XP, second a new install of Win7), run diagnostic utilities (Smith Micro Check-it latest version), and installed and de-installed several drivers and utilities, all without incident. Yet every time I would try to install or update an anti-virus or anti-malware program it would fail.

    The machine was a dual-boot machine with RH Fedora 21 on a separate HD. None of these problems occurred running Linux. (I have removed the Linux drive for now.)

    Under XP the usual error message would be a "division by zero, execution halted" type message. Later I also saw "Dr. Watson failed to start" or "Windows Explorer failed to start". After installing Win7 I went through a lengthy spate of Windows Updates (about 160 in all). The only one that was unsuccessful was Windows Defender antivirus definitions for 2/18. Tried three times, the third after all other updates had succeeded. An included update was to IE11, and the first time IE ran it offered a "tune-up" of Internet settings, including the installation of Windows Defender. Once again the update of definitions caused a halt to the install.

    The Windows Defender Offline CD was written on another Win7 machine that I am reasonably sure is clean. (I do not employ a home network; I do not employ file or printer sharing and each machine connects to a wireless router / cable modem - Netgear 8 DS 4 US - through WPA2-PSK.) The DVD drive in the Abit machine has been used to boot and / or install FreeDOS, Linux, MS-DOS 6.22, Killdisk, XP and Win7. As far as I can tell it is working well, and after the WDO boot failure on the Abit I tried the disk in the other Win7 machine, where it originated, and booted normally.

    Before I flash the BIOS I am going to try one other tactic: There is a Linux-based version of a self-booting anti-malware program that reportedly can scan the Windows drive from Linux. I'll try that first.

    Thanks again,

    -CH-

  5. #5


    Have you tested your RAM?

  6. #6
    Join Date
    Jan 2013
    Location
    Marietta, GA
    Posts
    3,238


    That is what I am thinking too. Give the board a test with memtest86, perhaps a CPU burn-in test with Prime95, and something to check the disk I/O. Most software will survive for a while when a few bits get flipped, but anti-virus programs are much more aggressive in their resource usage and (hopefully) have more internal integrity checks. Random crashes in Explorer or Dr. Watson also suggest something other than the specific applications.

  7. #7


    Quote Originally Posted by Stone:
    Try booting from a CD, e.g., a Windows installation disk, with the HD disconnected.
    Quote Originally Posted by clh333:
    The machine was a dual-boot machine with RH Fedora 21 on a separate HD. None of these problems occurred running Linux. (I have removed the Linux drive for now.)
    Sure sounds like the Windows HD itself is the culprit here.

    Have you tried another HD for Windows or have you persisted with the same (possibly infected) drive over and over again?

    My money's on a Boot Sector problem or more specifically a Rootkit.

    Try DBAN.

  8. #8
    Join Date
    Feb 2015
    Location
    Cleveland, OH, USA
    Posts
    888


    I have spent the time since I last posted downloading live CD anti-virus applications (WDO, AVG, Dr.Web) and one Linux install, ClamAV. I reattached the Linux HD and disconnected the Win7 HD to perform the install of ClamAV, then rebooted and ran a scan of the Windows directory. The program found > 750 "potentially dangerous" programs, but without a way to delete en masse I gave up after deleting about 100 of them individually.

    After another power-down I detached the Linux drive, reattached the Win7 and booted from the AVG CD. The AVG live disk uses a flavor of Linux as its OS. It could see the HD but as its virus defs were from 2016 and as the OS could not get my WiFi connection established I gave up on that.

    I tried the WDO again and this time it booted - sorta. It went right into some investigation of the HD (DVD and HD lights flickered, but the screen was blank). Eventually I got the message in Pic 1 below. I cancelled the dialog and the program proceeded to display the Defender update screen, which I have seen before, telling me the defs were out of date (Pic 2). Now, I downloaded the defs along with the app yesterday so I don't know why it needed an update, but it tried and failed, again because no WiFi (Pic 3).

    My next attempt is with another live CD, this one from Dr.Web (whose web page is in English and Russian... I'm wondering about this one...) whose OS is another Linux flavor but at least has allowed me to connect to the router and download the current defs. I started it on a system-wide, find-everything scan just now. I'll check back after the Super Bowl.

    The app I used to wipe the disk is called Killdisk and I have used it successfully before: There was this one time I was involved in a lawsuit, and... Well, that's another story. AFAIK it wipes everything. Here is their site: http://www.killdisk.com/ I may well have a rootkit but so far it's been my equal. My best guess was that the BIOS had been tweaked to intercept and replace the MBR address or the MBR had been redirected to load something before everything else. I'd love to find out how this thing works.

    Haven't ruled out hardware, though. Still trying to figure out what else to do to diagnose that.

    Thanks again for everyone's suggestions.

    -CH-

    Pics: 1.jpg 2.jpg 3.jpg
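The ClamAV pass in post #8 (a scan from the Linux side that turned up more than 750 hits, with no apparent way to remove them in bulk) can be handled by clamscan's own options: scan recursively, report only hits, and move every hit into a quarantine directory in one run rather than deleting files one at a time. Moving instead of removing also keeps the samples, which matters if the goal is to find out what the thing actually was. The script below is an added example, not code from the thread or from ClamAV. It assumes clamscan is installed and the Windows drive is mounted read-write under the path passed to it; the clamscan output it parses is written into a constructed sample log so the parsing functions can be exercised without a scan.

```shell
#!/bin/sh
# Added example: bulk-quarantine ClamAV findings instead of deleting one by one.
# Real clamscan options used: -r (recurse), -i (print only infected files),
# --move=DIR (relocate each hit), --log=FILE (append the report to a file).
# Moving rather than --remove keeps the samples for later identification.

# Scan $1 recursively, move every hit into quarantine dir $2, log to $3.
scan_to_quarantine() {
    target=$1; quarantine=$2; logfile=$3
    mkdir -p "$quarantine"
    clamscan -r -i --move="$quarantine" --log="$logfile" "$target"
}

# clamscan reports a hit as "<path>: <signature> FOUND". Print one line per
# hit as "<signature><TAB><path>"; the signature is the text after the last ": ".
# Lines such as "<path>: moved to '...'" and the scan summary do not end in
# FOUND and are skipped.
parse_findings() {
    awk '/ FOUND$/ {
        line = $0; sub(/ FOUND$/, "", line)
        n = match(line, /: [^:]*$/)
        printf "%s\t%s\n", substr(line, n + 2), substr(line, 1, n - 1)
    }' "$1"
}

# Number of hits recorded in a clamscan log.
count_findings() {
    parse_findings "$1" | wc -l | tr -d ' '
}

# Signatures ranked by how many files matched them, as "<count> <signature>".
rank_signatures() {
    parse_findings "$1" | cut -f1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample of clamscan output (not results from any real scan),
# written to a temp file so the parsing functions can be run offline.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
/mnt/win/Windows/System32/evil.dll: Win.Trojan.Agent-1 FOUND
/mnt/win/Windows/System32/evil.dll: moved to '/quarantine/evil.dll'
/mnt/win/Program Files/tool.exe: Win.Adware.Foo-2 FOUND
/mnt/win/Windows/tmp/x.exe: Win.Trojan.Agent-1 FOUND
/mnt/win/Windows/notepad.exe: OK

----------- SCAN SUMMARY -----------
Infected files: 3
EOF

# Real run, only when asked for (needs clamscan and a mounted Windows volume):
if [ "${CLAM_RUN:-0}" = 1 ]; then
    scan_to_quarantine /mnt/win /quarantine /var/log/clamscan-win.log
    rank_signatures /var/log/clamscan-win.log
fi
```

Ranking the signatures is worth a look before trusting the count: several hundred hits under the same generic signature, or a few hundred "potentially unwanted" heuristic matches, tells a different story from a handful of distinct trojan families, and the moved files are still in the quarantine directory to submit or inspect.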

  9. #9


    This problem is not something Windows Defender can help you with. This is out of Defender's league.

    You really need to try another HD to verify that it's not a hardware (as in motherboard) issue.

  10. #10
    Join Date
    Aug 2006
    Location
    Chicagoland, Illinois, USA
    Posts
    6,000
    Blog Entries
    1


    Quote Originally Posted by clh333:
    Haven't ruled out hardware, though. Still trying to figure out what else to do to diagnose that.
    Reflash your BIOS.
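Post #1 worries that reflashing will erase whatever is in the BIOS before anyone learns what it was, and post #10 says to reflash anyway. Both can be satisfied by dumping the current flash contents first and keeping the dump. The script below is an added example, not code from the thread: it reads the flash with flashrom, then compares the dump against the vendor image block by block so that any difference is localised to an offset rather than a yes/no. It assumes flashrom's internal programmer supports this board's chipset (an assumption; not every Award-era board is supported, and the fallback is reading the DIP/PLCC part on an external programmer) and that the vendor file is the same size as the flash chip. The two images used for the offline check are constructed zero-filled files, not real BIOS dumps.

```shell
#!/bin/sh
# Added example: keep a copy of the suspect BIOS before reflashing, then find
# where it differs from the vendor image. flashrom, -p internal and -r are real
# flashrom options; whether 'internal' supports this board is an assumption.

# Dump the current flash contents to the file named in $1 (needs root).
dump_bios() {
    flashrom -p internal -r "$1"
}

# Return 1 unless the two images are the same size: cmp -l stops at the end
# of the shorter file, so a size mismatch would silently hide differences.
same_size() {
    a=$(wc -c < "$1"); b=$(wc -c < "$2")
    [ "$a" -eq "$b" ] || { echo "size mismatch: $1=$a bytes, $2=$b bytes" >&2; return 1; }
}

# Print the hex offset of every block (size $3, default 4096 bytes) in which
# the two images differ. cmp -l prints the 1-based offset of each differing
# byte; the awk maps offsets to blocks and prints each block once.
list_diff_blocks() {
    same_size "$1" "$2" || return 1
    cmp -l "$1" "$2" | awk -v bs="${3:-4096}" '
        { blk = int(($1 - 1) / bs)
          if (!(blk in seen)) { seen[blk] = 1; printf "0x%08x\n", blk * bs } }'
}

# Number of differing blocks; 0 means the images are byte-identical.
count_diff_blocks() {
    same_size "$1" "$2" || return 1
    list_diff_blocks "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Constructed stand-in images (not real BIOS dumps): two 16 KiB zero-filled
# files, the second patched at offsets 5000 and 12000, so with 4 KiB blocks
# exactly blocks 1 and 2 differ.
make_sample_images() {
    dir=$1
    head -c 16384 /dev/zero > "$dir/vendor.bin"
    cp "$dir/vendor.bin" "$dir/dumped.bin"
    printf 'X'  | dd of="$dir/dumped.bin" bs=1 seek=5000  conv=notrunc 2>/dev/null
    printf 'YY' | dd of="$dir/dumped.bin" bs=1 seek=12000 conv=notrunc 2>/dev/null
}

# Real-board workflow, run only when BIOS_COMPARE_RUN=1 (needs root, flashrom,
# and the vendor image for the revision the board reports at POST as vendor.bin):
if [ "${BIOS_COMPARE_RUN:-0}" = 1 ]; then
    dump_bios bios-before.bin            # keep this file; it is the evidence
    sha256sum bios-before.bin vendor.bin
    list_diff_blocks bios-before.bin vendor.bin
fi
```

The comparison says where the images differ, not what the difference means, so it only helps against the vendor file for the same revision the board shows at POST; a newer release will differ almost everywhere. Award images also carry tail-end checksum and configuration bytes that legitimately vary between boards, so a single differing block at the very end of the part is not by itself evidence of tampering, while an identical dump removes the BIOS from the suspect list and points back at the hardware and disk theories in posts #3, #5, #6 and #7.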
