PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Reply To: PCBUILD - Personal Computer Hardware discussion List <[log in to unmask]>
Date: Fri, 21 Dec 2001 13:59:44 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (187 lines)

--- [log in to unmask] wrote:
>   Deep breath ....  Okay ....


Thanks for your reply David. I apologize for the delay
with my reply, but this was sent yesterday and was
rejected for not including my full name. I always
forget that until after my email's been sent....

1. Yes, after NAV found JS Seeker I booted into it and
ran it. It detected nothing then and has detected
nothing since.

For what it's worth, my theory about "my" hacker is
that he was in my pc prior to sending the virus (I
installed my firewall AFTER I discovered he was in my
pc). Using viruses, trojans, etc. doesn't seem to be
his "style" - he prefers more subtlety; using hacked,
legitimate software. Anyway, I think he made all the
changes to my system he needed to in order to gain
control, and THEN sent Seeker in. I'm assuming, by its
name, that Seeker "seeks" a specified target. He did
this for one of two reasons: because he knew that would
get my attention (it probably would alert me to the
fact that something was "up" in my files, and isn't
that part of the malicious hacker thrill? Watching
their victims freak out and try to escape?) Or because
the file that Seeker destroyed was Uninstall.exe, and
he knew that without that file I wouldn't be able to
delete "his version" of Win98. But I doubt the latter,
because my hard drive was already FAT32 so I couldn't
"lose" Win98 anyway. I'm sure he already knew that.

Speaking of which, I read two articles specifically
stating that if your HD is FAT32, or you don't use
Uninstall.exe to uninstall Win98, you will never get
rid of it:

I can't do direct linking from here (grrrrr). Sorry!
Anyway:

1)
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q186102

@ Support.microsoft.com., Windows 98, Article #
Q186102

2)
http://fixwindows.com/win98/uninstall.htm

@ FixWindows.com, Windows 98, Uninstall Windows 98


2. There was never a virus in the boot sector. However,
after I fdisked/formatted the last time, Disk Doctor
said my C: boot sector was corrupt. I fdisked the MBR
and it solved the problem.

3. There are 2 reasons I flashed the bios (other than
it just wasn't a bad idea anyway):

1) the bios being the first place that's more or less
"writeable" (see my point 2) and right behind the CPU
on start-up, any "misdirection" in there would
misdirect everything else down the line. Plus, any
"misdirection" in the bios would remain with my pc
until the bios was updated again. Adding to this was
the fact that my bios was at a level 8 and I'd read
that the bios for my model should be at a level 10.
But whenever I went to Dell.com, my pc was "read" and
I was told I didn't need an update. Which leads me
directly to... 2) This guy is obviously very clever,
and it's quite likely that he can write code. What's
to prevent him from downloading a Dell bios update,
rewriting it to his specifications, and then flashing
my bios with it? Tying back with point #1, his code
could include something telling Dell.com that I don't
NEED a bios update.

Maybe I'm giving this guy too much credit for brains,
but I don't think so...

4. Re: what you said about his possibly adjusting the
SysAdmin tool to have what he wrote remain despite
fdisking/formatting. "He" was definitely in my Systems
Administration. I'm able to write new sysadmin policies
in Config.com, but I don't have "permission" to save
them. "Permission denied. See system administrator" is
what I get when I try to save my policies, OR when I
try to view/edit the current saved policies. (It's also
what I get when I try to open certain system files.)

5. Yes, GoBack is Roxio software and is very similar
to System Restore in WinME. And I never downloaded or
used it. Besides, doesn't the IO extension
("GoBack.io") mean it's in the IO.SYS file? My
downloading it wouldn't get it there.

6. I know the Internet is, in a sense, a network. I
used the incorrect term - I MEANT a specific LAN or WAN
- and not one simply tied into my ISP. My point was
that somehow, .cab files had been added to my system
while I was online, DESPITE my firewall, which should
have prevented that. I'd downloaded nothing either, so
it wasn't a case of IP/URL spoofing or someone adding
code to my downloads. The only thing I could come up
with was that I was made a part of his network PRIOR TO
my installing my firewall, and somehow "permission" for
this network to come in through my firewall had been
granted.

7. Maybe I was unclear about what I was saying about
the A: & B: drives. The point there was that after
booting into a floppy, with the floppy still in the
drive, the directory (files, file size and date)
displayed for drive A: was NOT the directory of the
floppy disk. The directory of the floppy was displayed
as drive B:. And both were DRASTICALLY DIFFERENT from
each other!

The way the drive directory differences tie back is
that 1) I have no idea what drive A: could be. It's
not reading a disk in the floppy drive, and Disk
Doctor/Scandisk tell me drive A: has a corrupt Root
Directory. Also, this was after I'd fdisked/formatted
C: and had fdisked the MBR, so it wasn't mistakenly
reading drive C:. 2) Disk Doctor/Scandisk are saying
it's all corrupted; I can't edit it with Disk Editor
nor can I access it; I can't even SEE it when I'm not
in DOS -- all these add up, to me anyway, to whatever
he put into my system being in this mysterious drive
A:. And if I can access it, and clear or edit it, my
problems will be over!!

8. I asked about UMB's/ROM because of the fact that I
can only "see" this mysterious drive A: directory
while I'm in DOS ( thus UMB), and because I can't edit
it (thus ROM).

Netware and EMM386 are both installed on my pc - I
never downloaded them. In my System Configuration
Utility (Msconfig) under System.ini, there's a file
"386enh.ini" which contains: ebios = *ebios (hmmm maybe
I wasn't wrong about the bios); woafont = dosapp.fon;
device = *int 13 (which is part of the debug command -
maybe that's why none of the debugs I ran seemed to do
anything) and many more. And then another file
"boot.ini" which contains "386Grabber = vgafull.3gr".
So EMM386 has definitely been applied and is running.

Anyway, doing more fdisking or debugging and
formatting of drive C: isn't going to get rid of this
- I've been doing all that since August and I've
obviously gotten nowhere.

That's why I was open to ANY suggestions on where this
drive A: might be. Be imaginative! This guy obviously
is....

I have additional info, which I couldn't add here
(eeeek). So I'm posting it separately, but with the
same thread.

This is driving me nuts already...

So is there a way to access UMB or ROM?

Thanks again,
Ellen Williamson
