
What to do about a persistent virus?

Succeeded in re-flashing the BIOS, using SomeGuy's suggestion of a bootable floppy. Found this article on the topic as well: https://forums.techguy.org/threads/insufficient-memory-when-trying-to-flash-bios.34862/. I created the config.sys with the suggested "device=himem.sys" line in it. When I was using FreeDos I was booting it "clean", i.e. with nothing resident, as the txt file with the update suggested, and that may have caused the insufficient memory error.

Anyway, I flashed KW7 version 11, which had a date of 2004, and then version 15, which had the same date as the one I replaced. I am confident the existing BIOS has been replaced.

I do not have another SATA drive similar to the 150 GB Samsung that I was using for Windows. The Linux drive is a WD of about the same size but I don't want to sacrifice that. I do have another similar machine, an IBM ThinkCentre, with a SATA drive that has WinXP loaded already. I could put that into the Abit and perhaps quickly confirm or disprove the hardware question, but if I were to infect that drive as well then I would regret the choice.

I think I'm going to have to find another SATA drive... More to come.

Thanks again to all who offered suggestions.

-CH-
 
You may want to see whether the problem still persists. It would be nice to know which fix solved the problem.
 
That is odd, with those kinds of errors I really would have expected a bad memory failure.

I'd still suggest running Prime95 as a CPU test.

Can someone recommend a good reliability tester for modern-ish hard drives? I've run into my fair share of intermittent flaky IDE communications over the years - very hard to diagnose sometimes. (Usually the darn cables).

I don't believe that it is applicable to the KW7, but the KT7A had some issues with PCI latency that could cause random intermittent crashes under Windows XP or 7. If these problems persist, you might go into the BIOS setup and disable various advanced CPU/PCI options and see if that makes any difference.
 
> You may want to see whether the problem still persists. It would be nice to know which fix solved the problem.

It's tempting to mount the Samsung drive and see if things are "fixed" but I'll do that after trying a fresh install on another drive first. I have an IDE that I am preparing for use.

-CH-
 
> I'd still suggest running Prime95 as a CPU test.

I'll try that today before reinstalling Windows.

> I don't believe that it is applicable to the KW7, but the KT7A had some issues with PCI latency that could cause random intermittent crashes under Windows XP or 7. If these problems persist, you might go into the BIOS setup and disable various advanced CPU/PCI options and see if that makes any difference.

The BIOS update caused a reset to "default" settings both times. Not sure whether that means "advanced" were disabled, but I could load "safe" settings instead. As above, I'll do that before reinstall.

-CH-
 
I removed all the SATA drives and installed an IDE drive of about 150 GB size. Immediately checked BIOS to see that it was being recognized as CH1 Master, then saved config and booted to the FreeDos Live CD. From there I ran FDISK and made one active DOS partition out of the drive. Then I ran Format /U to launch the FreeDos format, which took at least four hours to complete. Internet connectivity was disabled.

When done I retrieved a different XP Pro installation disk, one I had not used to install on this machine before, and performed a fresh install of XP Pro, SP2. I allowed Windows to change the format from FAT32, which FreeDos had used, to NTFS. Install was successful, but there was no Internet access. Next I performed the SP3 update, also successful.

By means of a USB drive, which this Win7 machine has examined and pronounced clean, I transferred the setup files for Avast Free. I had searched specifically for XP compatibility and decided on this. I had been using AVG but had experienced trouble with it recently so took another tack. As soon as I invoked it I encountered an error (pic below). I thought MAYBE it was because it wanted to update its definition files first thing so I installed the Netis driver and utility and established Internet connectivity. Then I tried the installation of Avast again, with the same result. Third try under safe mode, same results.

All in all I tried installing about six anti-malware packages. The only ones that installed successfully were versions that, after installation, announced they were unusable with WinXP, with two exceptions: MalwareBytes failed with a floating-point error message when I tried to install v.3.x but installed 2.x and then attempted an update, and announced that there was a newer version. When I okayed downloading the newer version it halted with an error. The "old" version ran, but did not find anything. Another program, which I ran under safe mode as well, ran from a command prompt and announced it had found and eliminated UNREGMP2.exe in the registry and in the win32 folder, but deleting this did not resolve the installation issue.

Those programs that failed to install left one of two error messages. See below for examples.

So far I'm 0-for-ever.

-CH-

[Attachments: 13.jpg, 14.jpg, 15.jpg, 16.jpg, 17.jpg, 18.jpg]
 
> there was no Internet access. Next I performed the SP3 update

How did you perform the update without internet access? In other words: Are you sure your SP3 update isn't corrupted? Are you sure the XP you're installing isn't corrupted? Have you installed both on another computer to ensure they're fine?

If you run the TDSS tool again, post what the report contains (just the screenshot is unhelpful).
 
The XP installation media was in the form of CDs. XP was OEM issue (came with the refurbished IBM ThinkCentre that was purchased from MicroCenter 4 or 5 years ago), SP3 was downloaded 6-7 years ago. Both had been installed elsewhere before but I will check them to see if they are corrupt; thank you for the suggestion.

I will re-run the TDSS tool and retrieve the error report.

-CH-
 
> How did you perform the update without internet access? In other words: Are you sure your SP3 update isn't corrupted? Are you sure the XP you're installing isn't corrupted? Have you installed both on another computer to ensure they're fine?
>
> If you run the TDSS tool again, post what the report contains (just the screenshot is unhelpful).

Neither the XP nor the SP3 install disk reported any problems when scanned with AVG and MalwareBytes on this Win7 machine.

I ran the Kaspersky again on the XP machine, and as before I got an exception as soon as it was invoked. I noted that it was creating a report file in the Locals/Temp directory so I looked to see what was there. Apparently when the exception occurs two files are created; a .TXT file and a .DMP file. As soon as I closed the exception dialog both were deleted, although there were other similar files from yesterday that persisted.

I was able to make a copy of the .txt file but could not access the .dmp file to view or copy its contents. The .txt file is attached as are screen shots of the exception report, which appears to be much more detailed than the .txt file indicates, and a before and after view of the TEMP folder contents.

-CH-

[Attachments: 19.jpg, 20.jpg, 21.jpg]

A portion of the TXT file:

<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="tdsskiller.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="EmsisoftEmergencyKit.exe" SIZE="309745960" CHECKSUM="0xDCCBD3A5" MODULE_TYPE="WIN32" PE_CHECKSUM="0x12768C55" LINKER_VERSION="0x0" LINK_DATE="02/03/2016 19:38:25" UPTO_LINK_DATE="02/03/2016 19:38:25" />
<MATCHING_FILE NAME="ERARemover_x64.exe" SIZE="2991832" CHECKSUM="0xE1F0F162" BIN_FILE_VERSION="1.0.4.1" BIN_PRODUCT_VERSION="1.0.4.1" PRODUCT_VERSION="1.0.4.1" FILE_DESCRIPTION="ESET Rogue Applications Remover" COMPANY_NAME="ESET" PRODUCT_NAME="ESET Rogue Applications Remover" FILE_VERSION="1.0.4.1" ORIGINAL_FILENAME="ERARemover.exe" INTERNAL_NAME="ERARemover" LEGAL_COPYRIGHT="Copyright (c) ESET, spol. s r.o. 1992-2012. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x2DE2DD" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="1.0.4.1" UPTO_BIN_PRODUCT_VERSION="1.0.4.1" LINK_DATE="10/10/2012 09:37:06" UPTO_LINK_DATE="10/10/2012 09:37:06" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="ERARemover_x86.exe" SIZE="2273880" CHECKSUM="0xE741E97B" BIN_FILE_VERSION="1.0.4.1" BIN_PRODUCT_VERSION="1.0.4.1" PRODUCT_VERSION="1.0.4.1" FILE_DESCRIPTION="ESET Rogue Applications Remover" COMPANY_NAME="ESET" PRODUCT_NAME="ESET Rogue Applications Remover" FILE_VERSION="1.0.4.1" ORIGINAL_FILENAME="ERARemover.exe" INTERNAL_NAME="ERARemover" LEGAL_COPYRIGHT="Copyright (c) ESET, spol. s r.o. 1992-2012. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x232DFD" LINKER_VERSION="0x0" UPTO_BIN_FILE_VERSION="1.0.4.1" UPTO_BIN_PRODUCT_VERSION="1.0.4.1" LINK_DATE="10/10/2012 09:34:49" UPTO_LINK_DATE="10/10/2012 09:34:49" VER_LANGUAGE="English (United States) [0x409]" />
<MATCHING_FILE NAME="mb3-setup-consumer-3.3.1.2183-1.0.262-1.0.3374.exe" SIZE="83316440" CHECKSUM="0x1CD368B1" BIN_FILE_VERSION="3.3.1.2183" BIN_PRODUCT_VERSION="3.3.1.2183" PRODUCT_VERSION="3.3.1.2183 " FILE_DESCRIPTION="Malwarebytes " COMPANY_NAME="Malwarebytes " PRODUCT_NAME="Malwarebytes " FILE_VERSION="3.3.1.2183 " LEGAL_COPYRIGHT="© 2017 Malwarebytes. All Rights Reserved. " VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x4F81040" LINKER_VERSION="0x60000" UPTO_BIN_FILE_VERSION="3.3.1.2183" UPTO_BIN_PRODUCT_VERSION="3.3.1.2183" LINK_DATE="01/15/2016 08:22:50" UPTO_LINK_DATE="01/15/2016 08:22:50" VER_LANGUAGE="Language Neutral [0x0]" />
<MATCHING_FILE NAME="mbam-setup-2.0.3.1025.exe" SIZE="19828376" CHECKSUM="0xDE4AFC41" BIN_FILE_VERSION="2.0.3.1025" BIN_PRODUCT_VERSION="2.0.3.1025" PRODUCT_VERSION="2.0.3.1025 " FILE_DESCRIPTION="Malwarebytes Anti-Malware " COMPANY_NAME="Malwarebytes Corporation " PRODUCT_NAME="Malwarebytes Anti-Malware " FILE_VERSION="2.0.3.1025 " LEGAL_COPYRIGHT="(c) Malwarebytes Corporation. All rights reserved. " VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x4" VERFILETYPE="0x1" MODULE_TYPE="WIN32" PE_CHECKSUM="0x12F38C5" LINKER_VERSION="0x60000" UPTO_BIN_FILE_VERSION="2.0.3.1025" UPTO_BIN_PRODUCT_VERSION="2.0.3.1025" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" VER_LANGUAGE="Language Neutral [0x0]" />
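The excerpt above is the module-inventory file that XP's error reporting writes next to the .DMP when an application faults (the FILTER attribute names Grabmi, the tool that produces it). As an added example, not from this thread or from any of the tools named in it, here is a small Python reader for that format. The sample report is constructed from the quoted entries with the unclosed elements completed and a few attributes dropped; the hypothetical helpers parse_report and flag_entries list each MATCHING_FILE with its size, checksums and link date, and annotate two things an analyst would otherwise misread: an installer with no version resource, and the 06/19/1992 22:22:17 link date on the Malwarebytes 2.x installer, which is the Borland/Delphi linker's default PE timestamp (0x2A425E19) rather than a sign of tampering.

```python
"""Reader for the GRABMI module-inventory report that XP error reporting
leaves beside a crash dump.  Added example; not code from the thread."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the excerpt quoted in the thread, closed up so it parses.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="tdsskiller.exe" FILTER="GRABMI_FILTER_PRIVACY">
<MATCHING_FILE NAME="EmsisoftEmergencyKit.exe" SIZE="309745960" CHECKSUM="0xDCCBD3A5" MODULE_TYPE="WIN32" PE_CHECKSUM="0x12768C55" LINKER_VERSION="0x0" LINK_DATE="02/03/2016 19:38:25" UPTO_LINK_DATE="02/03/2016 19:38:25" />
<MATCHING_FILE NAME="ERARemover_x64.exe" SIZE="2991832" CHECKSUM="0xE1F0F162" BIN_FILE_VERSION="1.0.4.1" FILE_DESCRIPTION="ESET Rogue Applications Remover" COMPANY_NAME="ESET" MODULE_TYPE="WIN32" PE_CHECKSUM="0x2DE2DD" LINKER_VERSION="0x0" LINK_DATE="10/10/2012 09:37:06" UPTO_LINK_DATE="10/10/2012 09:37:06" />
<MATCHING_FILE NAME="mbam-setup-2.0.3.1025.exe" SIZE="19828376" CHECKSUM="0xDE4AFC41" BIN_FILE_VERSION="2.0.3.1025" FILE_DESCRIPTION="Malwarebytes Anti-Malware " COMPANY_NAME="Malwarebytes Corporation " MODULE_TYPE="WIN32" PE_CHECKSUM="0x12F38C5" LINKER_VERSION="0x60000" LINK_DATE="06/19/1992 22:22:17" UPTO_LINK_DATE="06/19/1992 22:22:17" />
</EXE>
</DATABASE>
"""

# The Borland/Delphi linker stamps PE headers with 0x2A425E19 (1992-06-19
# 22:22:17 UTC) unless told otherwise, so this date on an installer is a
# toolchain artefact, not evidence that the file was modified after build.
DELPHI_DEFAULT_EPOCH = 0x2A425E19
DELPHI_DEFAULT_LINK_DATE = datetime.fromtimestamp(
    DELPHI_DEFAULT_EPOCH, tz=timezone.utc).replace(tzinfo=None)


def _parse_date(text):
    """LINK_DATE is written as MM/DD/YYYY HH:MM:SS; return None when absent."""
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S") if text else None


def parse_report(data):
    """Return one dict per MATCHING_FILE element.

    Accepts the raw bytes of the .TXT file (which really is UTF-16) or an
    already-decoded str; a str is re-encoded so expat sees the encoding the
    XML declaration promises."""
    if isinstance(data, str):
        data = data.encode("utf-16")
    root = ET.fromstring(data)
    entries = []
    for exe in root.iter("EXE"):
        for mf in exe.iter("MATCHING_FILE"):
            a = mf.attrib
            entries.append({
                "crashing_exe": exe.get("NAME"),
                "name": a.get("NAME"),
                "size": int(a.get("SIZE", "0")),
                # checksums are hex strings such as "0xDCCBD3A5"
                "checksum": int(a["CHECKSUM"], 16) if "CHECKSUM" in a else None,
                "pe_checksum": int(a["PE_CHECKSUM"], 16) if "PE_CHECKSUM" in a else None,
                # version-resource strings carry trailing spaces in this format
                "file_version": (a.get("BIN_FILE_VERSION") or "").strip() or None,
                "company": (a.get("COMPANY_NAME") or "").strip() or None,
                "link_date": _parse_date(a.get("LINK_DATE")),
            })
    return entries


def flag_entries(entries):
    """Map file name -> observations to read before calling an entry suspicious."""
    flags = {}
    for e in entries:
        notes = []
        if e["file_version"] is None:
            notes.append("no version resource (self-extracting or packed installer?)")
        if e["link_date"] is None:
            notes.append("no LINK_DATE recorded")
        elif e["link_date"] == DELPHI_DEFAULT_LINK_DATE:
            notes.append("link date is the Delphi/Borland linker default "
                         "0x2A425E19, not a real build time")
        flags[e["name"]] = notes
    return flags


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    notes = flag_entries(found)
    for e in found:
        print(f"{e['name']:40} {e['size']:>10} 0x{e['checksum']:08X} "
              f"{e['link_date']}  {'; '.join(notes[e['name']])}")
```

On a real machine, pass the bytes of the .TXT file straight to parse_report; the report lists every executable in the faulting program's directory, so it documents which installers were sitting next to tdsskiller.exe rather than which one crashed.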
 
You've got a hardware problem. It might seem to be related to your AV software but that's likely only because it is the first kind of software you install that really taxes the system. I imagine you'll get the same result if installing and running a game with sufficiently high system requirements.

One pass through memtest86, no errors:

[Attachment 43530]

-CH-

One pass is not enough. Let it run overnight. I once reduced the CAS latency on a system of mine and memtest86 found no errors (even after several passes, IIRC). Happy as a clam over my apparently successful little "overclock", I proceeded to boot Windows and run Battlefield 2. After playing for a while (half an hour maybe?) I was disconnected from the server because I had failed the integrity check internal to BF2. In other words, the RAM contents were corrupt.

The CAS latency went back up and I was sad that BF2 was back to its regular, somewhat laggy, self. At the same time I was grateful that I had not caused any file system corruption. Anyway, the point is that you might need to run memtest86 for a long time before errors are found. The same goes for Prime95, which you still haven't run, it seems. Reinstalling Windows and AV software over and over again isn't going to change anything.

Also, if you haven't already done so, I would recommend doing a visual inspection of the motherboard to look for bulging or leaking capacitors. After all, this board is straight out from the bad caps era.
 
> You've got a hardware problem.

> ...Also, if you haven't already done so, I would recommend doing a visual inspection of the motherboard to look for bulging or leaking capacitors. After all, this board is straight out from the bad caps era.

I'm inclined to agree with you.

Problem is... a visual inspection of the caps can only be fruitful if there is actually visual evidence and more often than not there isn't any.

Additionally, correct, thorough checking of caps can be a royal PITA and this is true even if you have the correct equipment.
 
> an ABIT KW7 (socket 7 Athlon) motherboard

That's a socket A motherboard, not socket 7. Exactly what CPU do you have installed? (This is relevant because one of the errors you posted is a CPU invalid opcode error -- I'm wondering if the CPU is being detected as something it isn't, leading these programs to try to execute instructions that are invalid)

Also, run prime95 as people have suggested. It should survive at least 10 minutes on full burn.
 
> You've got a hardware problem. ... One pass is not enough. Let it run overnight.
>
> Also, if you haven't already done so, I would recommend doing a visual inspection of the motherboard to look for bulging or leaking capacitors. After all, this board is straight out from the bad caps era.

The machine has been on for 24 hours. At 2 PM yesterday I started the Memtest program. I let it run until 6 AM today; 16 hours. There were no errors reported.

Immediately after stopping Memtest I started the processor "torture test", which ran from 6:04 AM until 12:04 PM, i.e. six hours. Again, there were no errors reported.

The machine has a 500W power supply and four fans, including a Gigabyte tower on the AMD Athlon 3000+ processor. (Socket A, as Trixter points out. My bad.) RAM is Corsair, purchased from Newegg, highly rated by other users, although of course that's no guarantee. But it's not overclocked at all. See pics below for stats.

I am aware that the board is from the era and the region that had problems with capacitors. I've had problems with those capacitors before, not only on motherboards but in Sony and Toshiba TVs, for example. But the motherboard problems I have experienced have been more along the lines of intermittent crashes shortly after boot, not selectively denying the execution of a certain class of program. In any case, the board is clean, it's in a tower, nobody has nested in there and the caps all have nice flat domes, no puddles under them or tilts in their kilts. And there must be 40 or more electrolytics that would have to be replaced; not for the faint of heart. PITA, as Stone observes, and I don't have the equipment for in-situ testing.

Thanks to all for their suggestions.

-CH-

[Attachments: 22.jpg, 23.jpg]
 