PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Reply To: PCBUILD - Personal Computer Hardware discussion List
Date: Thu, 20 Dec 2001 02:27:44 -0800

  Deep breath ....  Okay ....

On 19 Dec 2001, at 14:26, Ellen Williamson wrote:

> I'm hoping someone out there can help me with a problem I've had
> since August. I'm still not back online with this computer and I'm
> about ready to throw it out the window.
>
> I'll try and make this as brief as possible, but there are 6
> months of info to cull through so please bear with me.
>
> I have a Dell Dimension 4100 / Pentium III 866 MHz / 20.4 GB HD /
> 128 MB RAM / Win98SE (OEM, factory loaded) / dial-up internet at
> the time, on a 2nd phone line so always plugged in. It's a stand
> alone computer and I'm the only user.


> I'd had AOL connection problems and Norton AV had found and
> removed JS Seeker (similar to William Closure's problem) right
> before I - quite accidentally - discovered I'd been hacked in
> August. The registry, and all my files (personal as well as
> system) had been ransacked and changed around. They had hacked
> into my AOL connection, and because of this, other files I found,
> and strange things happening online, I suspect my computer had
> been made into some sort of server on their network.

  Okay, you had a (at *least* one) virus, and an intrusion.

  Did you boot from the Norton-supplied diskette?  If not, you may
have had additional infestations that got a chance to hide from it.

> I tried fdisking, formatting & flashing my bios, but all the
> "altered" registry and system files came back with the Windows
> reinstall. Manually editing the registry didn't work either - as
> soon as I rebooted, the changes I'd made were gone. (In the
> registry, in a file named "Unmoveable files" I found 5 files,
> including GoBack.IO (which might explain why my changes don't
> stick) and Bootlok.lk).

  A boot sector virus could survive fdisking and formatting.
Flashing the BIOS shouldn't be relevant, unless you'd been hit by one
of the handful of viruses that flashes the BIOS -- which would have
left your system unable to boot in order to repair it!
  Having your registry changes not survive a reboot sounds rather
like an effect available through the Policy Editor tool in Windows.
It's possible that whoever hacked into your machine has activated
this feature to make it hard for you to remove him.
  I believe "GoBack" is a commercial product which allows a machine
to return to a saved state in case of a crash or power interruption.
If you haven't bought and installed that product, it's possible that
your intruder is using a hacked version of it to, again, make it hard
for you to get rid of him.

> I changed ISP's and installed Norton Securities, but the MINUTE I
> got back online I was hit with 3 netbus attempts. Norton says this
> doesn't mean it was a trojan attempt, that it could just be someone
> on your network trying to gain access to your computer. But I'm
> not on a network! And when I got offline soon after, I discovered
> new .cab files had been added to my Windows folder despite my
> firewall (another reason I suspect I'm on their network).

  Whoa!  Need to clarify something here.  When you "got back online",
you WERE "on network" -- the Internet!
  What Norton has intercepted is someone(s), out there on the
Internet somewhere, trying to connect to your machine as if it had
the NetBus trojan on it *in NetBus's default configuration*.  The
fact that they tried doesn't mean it's on there -- there are machines
scanning most of the Internet, day and night, trying this, and they
"get lucky" FAR TOO OFTEN.
  However, the fact that Norton caught and stopped these attempts
doesn't automatically mean you're safe.  If your intruder installed a
Trojan, he may have customized the configuration so that these
searchers would not find it and spoil his fun.  (Which is another
reason why such scans *should* be a waste of time.  If somebody went
to the trouble of installing NetBus, but didn't bother to customize
it, then there's probably little "of interest" on this machine --
except as a place to launch further scans, intrusions, or DDoS
attacks from.)

> I did find something concrete recently though: with no OS
> installed and booting into DOS with a "good" Win98 bootdisk, both
> Norton Disk Doctor and Scandisk tell me drive A:\ root directory
> is corrupted, starting with cluster 2, IO.SYS, and going through
> the entire drive. Please note: neither is reading the FLOPPY drive
> as drive A:\, the floppy disk contents are shown under DIR B:\.
> Neither utility is able to correct the corruption either: I get an
> error when I try to edit it and the message I get when they try to
> move the damaged cluster is: "Can't move damaged cluster.
> No space on Drive".

  On a machine with a single floppy drive, it should be readable from
DOS as both A: and B:.
  I don't see a way for this to relate to the problems above.

> One other weird thing I want to mention is that MS System
> Information is reading my computer as "Genuine Intel, x86 Family 6
> Model 8 Stepping 3". ?? I have no clue what that is. Dell says
> it's just a mistake, but both my isp's were reading it the same
> way.

  If you check out
http://support.intel.com/support/processors/sspec/p3p.htm
you'll see that a CPUID value of "0683" is normal for most 866 MHz P-
III CPU chips.  This is the value that MS System Information is
reading and reporting, and appears to be correct.

> Anyway, there are lots more details but hopefully this will
> suffice (it's LONG enough). My questions about all of this are:
>
> 1) What and where could this drive A:/ be? I suspect it's ROM
> (probably in DOS and loading into UMB with on a Windows boot)

  No.  Whatever it is, it *can't* be a ROM and I don't think UMBs are
supported for that kind of thing under Win 9x.

> 2) If it is ROM/UMB, can I access this at all? Clear it? Replace
> it with a "good" root directory? Edit it with "counter" commands?

  It's not, so no.

> 3) I read just yesterday that if your HD is FAT32 (mine is) and/or
> you don't uninstall Win98 with Uninstall.exe (which is the file JS
> Seeker destroyed, although its name had been changed), you can
> NEVER totally get rid of Win98. Is this true?

  I don't think this is very likely.

> ANY help, advice or comments would be sooo appreciated....

  I hope some of this helps.  I think a reformat, including rewriting
the MBR, and complete re-install, is probably called for.  Note that
anything you may have backed up may include virus and/or trojan
contamination, and so must be scanned with an up-to-date virus
checker before being restored -- better to re-install from the
original CD(s).

Dave Gillett
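The reply above says a boot-sector virus can survive fdisk and format, and closes by recommending a reformat that includes rewriting the MBR. The C program below is an added example, not part of Dave Gillett's or Ellen Williamson's posts: it lays out the 512-byte master boot record, parses the partition table from a constructed sample sector, and performs the "replace only the code area, keep the partition table" operation that is the effect of `fdisk /mbr`. The sample sector, its partition start and size, and the 0xCC filler standing in for unknown boot code are all made-up values; no real virus sample is involved.

```c
/* Added example (not from the original post): the 512-byte MBR layout and
 * why fdisk + format leaves boot-sector code alone.  The sample sector is
 * constructed here; the 0xCC "code" bytes stand in for whatever a
 * boot-sector virus might have written. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE        512
#define MBR_CODE_SIZE   446   /* 0x000..0x1BD: boot code, untouched by format */
#define MBR_PART_OFF    446   /* 0x1BE: four 16-byte partition entries */
#define MBR_PART_COUNT  4
#define MBR_SIG_OFF     510   /* 0x1FE: boot signature 0x55 0xAA */

struct mbr_part {
    uint8_t  active;     /* 0x80 = bootable */
    uint8_t  type;       /* 0x0B / 0x0C = FAT32 (CHS / LBA addressing) */
    uint32_t lba_start;  /* first sector of the partition */
    uint32_t sectors;    /* length in sectors */
};

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF; p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

int mbr_valid(const uint8_t *sec) {
    return sec[MBR_SIG_OFF] == 0x55 && sec[MBR_SIG_OFF + 1] == 0xAA;
}

/* Decode the partition table.  Returns the number of used entries,
 * or -1 if the boot signature is missing. */
int mbr_parse(const uint8_t *sec, struct mbr_part out[MBR_PART_COUNT]) {
    if (!mbr_valid(sec)) return -1;
    int used = 0;
    for (int i = 0; i < MBR_PART_COUNT; i++) {
        const uint8_t *e = sec + MBR_PART_OFF + 16 * i;
        out[i].active    = e[0];
        out[i].type      = e[4];
        out[i].lba_start = get_le32(e + 8);
        out[i].sectors   = get_le32(e + 12);
        if (out[i].type != 0) used++;
    }
    return used;
}

/* Overwrite only the code area, keeping partition table and signature.
 * This is the effect of "fdisk /mbr": the disk stays partitioned, but
 * whatever code lived in sector 0 is gone.  Returns 0 on success. */
int mbr_replace_code(uint8_t *sec, const uint8_t *code, size_t code_len) {
    if (!mbr_valid(sec) || code_len > MBR_CODE_SIZE) return -1;
    memset(sec, 0, MBR_CODE_SIZE);
    memcpy(sec, code, code_len);
    return 0;
}

/* Constructed sample: opaque code bytes plus one active FAT32 partition
 * (start sector and size are made-up values, sized to about 20.4 GB). */
void build_sample_mbr(uint8_t sec[MBR_SIZE]) {
    memset(sec, 0xCC, MBR_CODE_SIZE);       /* stand-in for unknown boot code */
    memset(sec + MBR_PART_OFF, 0, 64);
    uint8_t *e = sec + MBR_PART_OFF;
    e[0] = 0x80;                            /* active */
    e[4] = 0x0C;                            /* FAT32, LBA addressing */
    put_le32(e + 8, 63);                    /* classic first-sector offset */
    put_le32(e + 12, 39845280u);            /* 39845280 * 512 bytes */
    sec[MBR_SIG_OFF] = 0x55;
    sec[MBR_SIG_OFF + 1] = 0xAA;
}

int main(void) {
    uint8_t sec[MBR_SIZE];
    struct mbr_part parts[MBR_PART_COUNT];
    build_sample_mbr(sec);

    int n = mbr_parse(sec, parts);
    printf("signature ok, %d partition(s); code byte 0 = 0x%02X\n", n, sec[0]);
    for (int i = 0; i < MBR_PART_COUNT; i++)
        if (parts[i].type)
            printf("  #%d type 0x%02X active=%d start=%u sectors=%u\n",
                   i, parts[i].type, parts[i].active == 0x80,
                   parts[i].lba_start, parts[i].sectors);

    /* "fdisk /mbr"-style rewrite: a tiny stub replaces the old code,
     * the partition table is untouched. */
    const uint8_t stub[] = { 0xEB, 0xFE };  /* jmp $ : halts; demo only */
    mbr_replace_code(sec, stub, sizeof stub);
    n = mbr_parse(sec, parts);
    printf("after rewrite: code byte 0 = 0x%02X, still %d partition(s)\n", sec[0], n);
    return 0;
}
```

The point to take from the two parse calls is that repartitioning and formatting rewrite the table region and the volume, while the 446 code bytes that a boot-sector virus occupies are only touched by an explicit MBR rewrite (or by zeroing sector 0 outright, which also drops the table).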
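The "Family 6 Model 8 Stepping 3" string that MS System Information shows is a decoding of the CPUID leaf-1 signature value 0x683 mentioned in the reply. The C program below is an added example, not from either poster: it decodes such a signature into family, model and stepping following Intel's documented bit layout, and goes beyond the single value in the thread by also handling the extended family and extended model fields that later processors use. The live read of the running CPU uses GCC/Clang's `__get_cpuid` from `<cpuid.h>` and is only compiled on x86; on other targets only the decode of the constant runs.

```c
/* Added example (not from the original post): decode an x86 CPUID leaf-1
 * signature (EAX returned by CPUID with EAX=1) into the Family / Model /
 * Stepping triple that MS System Information prints.  Bit split follows
 * Intel's documented rule; the live path needs GCC/Clang on x86. */
#include <stdint.h>
#include <stdio.h>
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#endif

struct cpu_sig {
    unsigned family;
    unsigned model;
    unsigned stepping;
};

/* Bits of the leaf-1 EAX signature:
 *   3:0    stepping
 *   7:4    model
 *  11:8    family
 *  19:16   extended model  (prepended when family is 6 or 15)
 *  27:20   extended family (added when family is 15) */
struct cpu_sig decode_cpuid_signature(uint32_t eax)
{
    struct cpu_sig s;
    unsigned base_family = (eax >> 8) & 0xF;
    unsigned base_model  = (eax >> 4) & 0xF;
    unsigned ext_family  = (eax >> 20) & 0xFF;
    unsigned ext_model   = (eax >> 16) & 0xF;

    s.stepping = eax & 0xF;
    s.family   = base_family;
    s.model    = base_model;
    if (base_family == 0xF)
        s.family = base_family + ext_family;
    if (base_family == 0x6 || base_family == 0xF)
        s.model = (ext_model << 4) | base_model;
    return s;
}

/* True if a raw signature matches the Family/Model/Stepping a tool reported. */
int cpuid_sig_matches(uint32_t eax, unsigned family, unsigned model, unsigned stepping)
{
    struct cpu_sig s = decode_cpuid_signature(eax);
    return s.family == family && s.model == model && s.stepping == stepping;
}

/* Read the running CPU's signature; returns 0 if unavailable on this build. */
uint32_t read_cpuid_signature(void)
{
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    unsigned a = 0, b = 0, c = 0, d = 0;
    if (__get_cpuid(1, &a, &b, &c, &d))
        return a;
#endif
    return 0;
}

int main(void)
{
    /* The value discussed in the thread: 0x683 -> Family 6 Model 8 Stepping 3. */
    struct cpu_sig s = decode_cpuid_signature(0x683);
    printf("0x683 -> x86 Family %u Model %u Stepping %u\n", s.family, s.model, s.stepping);

    uint32_t live = read_cpuid_signature();
    if (live) {
        s = decode_cpuid_signature(live);
        printf("this CPU: raw 0x%08X -> Family %u Model %u Stepping %u\n",
               live, s.family, s.model, s.stepping);
    }
    return 0;
}
```

A mismatch between what a tool prints and what the raw signature decodes to would be worth investigating; agreement, as here, is simply the processor identifying itself.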

            Do you want to signoff PCBUILD or just change to
                    Digest mode - visit our web site:
                   http://freepctech.com/pcbuild.shtml
