lufthansen

Bios virus?

My server started acting funny, and I decided to flush everything and reinstall XP Pro SP2.

I put in a new hard drive. I started installing, and every time, the installation process would be unable to read comsetup.dll, cyycoins.chm, cyzcoins.chm etc. By holding down "Enter" it would eventually install the files, but it was a very messy setup.

Half way in the setup, after first reboot, it would halt and claim the files on the CD being not valid or not signed by Microsoft.

I went and bought a new XP Pro, and the same thing happened all over again. Same files it stalled on.

Now I suspect there is a virus in the bios. How can I get rid of it?

The PC is an Asus NCCH-DL, with 1005 BIOS. It has a HighPoint RocketRAID 1820 installed, also with the latest BIOS.

The most recent hardware change before the server started acting up was to install an ATI X800 AIW graphics card (AGP). It replaced an ASUS ATI 9600 Pro which would drop its signal infrequently.

The power supply is Antec true 550w.

I don't want to lose the RAID (5), so I am grateful for any advice on how to cure the server.

If it is the bios, let me know how to fix it. (I've flashed it once in the hope of overwriting any virus).

If it is something else in my setup that is obviously wrong, let me know as well.

Thanks

I ran into trouble after installing Vista RC1 that required zeroing the drive, removing the Master Boot Record (boot block?).

I was seeing a lot of services like "Windows Sharing" and ports being opened and remote login allowed. I had to tighten down all of those services, especially in the router, outbound AND inbound, to get back in control as well as to prevent it happening again.

And I don't know where or how it happened. I first noticed it when a new laser printer I was trying to set up would only work if printer sharing was enabled. All of these 'services' could not be stopped, and if turned off, would re-enable on their own.

I thought at first it was the Lexmark driver doing so and started working with their people, but they assured me (and I have now confirmed) it isn't from them. The printer is now configured fine, but at the time, if a couple of services were closed/blocked the printer would fail in setup configuration.

And there were the SSH attempts in the firewall log.

I've used computers for decades and never been so freaked or scared that "something" seemed to take control of my system.

Work in progress:

After unplugging the network cable it seems to be having less trouble accepting the files from the CD...

Here's a list of files it couldn't read:

Comsetup.dll was not copied correctly.

The file Setup placed on your hard drive is not a valid Windows XP system image

Cyycoins.chm

Cyzcoins.chm

Digiras

Esent97.dll

Kodak_dc.icm

Nikedrv.sys

Spnike.dll

Sprio600.dll

Streamci.dll

Usbcamd.sys

Usbcamd2.sys

Vdmindvd.sys

Wowfax.dll

Usrdpa.dll

Usrshuta.exe

Msvbvm60.dll

Xpsp2res.dll

Wmsdmoe2.dll

After reboot:

Cannot copy

Tscfgwmi.dl_

... I'll keep you posted.

Also: While I had it up and running after first attempt, it would not let me install Trendmicro Pcillin Internet Security 2005. After several attempts I managed to get it installed, but upon trying to scan for viruses, the AV program kept asking for files to scan - it did not see any files to scan....

An update: extracted and replaced all the problem files from the XP Pro CD.

Next: Trying to install TrendMicro Pcillin from original installation CD. Message: The contents of this file cannot be unpacked. The executable you are attempting to run has been corrupted. Please obtain another copy of the file, verify its integrity, and try again.

Why do I feel a virus?

If the CDs are genuine OEM, then set aside the thoughts of a virus and start considering your hardware.

You spec'd the hardware out to us on earlier posts so let's go from there.

Start pulling RAM and disabling the onboard hardware until you are at the bare minimum level of operation. Pull and replace IDE and SATA cables while you are at it too. You mentioned that the problems started up when you did a video card swap-out. Put an old video card in that you KNOW is working. Then try again.

If that fails, get an old working CDROM out and put it in.

If that fails, I'd be thinking there might be problems with the mainboard. Take a look at the board and see if you can see anything out of the ordinary. For instance, capacitors that are bulging and appear to be stained on their tops. Or diodes (the black square things with 3 silver contacts on one end) that appear discolored, or discoloration around them on the board surface itself. If you see anything like that on the board, then it's time to order a replacement MoBo.

While you are waiting for the board to come in, take a peek inside the power supply and see if the capacitors and electronics are intact on it. Just don't touch anything in it! There is 120V standing on certain parts and it can dish out a nasty wallop!

Yes I also think it's a hardware problem. I've previously seen very much the same type of symptoms with faulty or marginal RAM.

Share this post


Link to post
Share on other sites

Now things work fairly OK/stable until I reattach the RocketRAID 1820A v1.2.

It boots up fine, but crashes on the AV.

After uninstalling trendmicro and trying norton instead, it won't let me install. Same message: files corrupted, or crc checksum mismatch.

I'll do the hardware deduction and see if it works out. Do I need to disable onboard LAN/audio as well?

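A check that the thread keeps circling around but never runs: read the same file from the CD (or from the copy Setup placed on disk) several times and hash every read. The script below is an added example written for this thread, not code from any of the posters or from Microsoft, Trend Micro or Symantec. Malware or a bad pressing alters a file once and reproducibly, so every read yields the same wrong hash; faulty RAM, a marginal bus, a bad cable or a flaky controller corrupt the bytes in transit, so the same unchanged file hashes differently from one read to the next. The sample "file" contents, the flaky reader and the reference digest are constructed inline so the example runs offline; with a real reference digest taken from a known-good copy on another machine, `check_path` does the same against a file on disk.

```python
"""Separate hardware data corruption from a tampered or bad-media file.

Added example, not from the thread. Reads the same file several times,
hashes each read, and compares the hashes with each other and with a
reference digest of a known-good copy (e.g. the same file on the install CD
hashed on a different, healthy machine).

  every read identical and equal to the reference -> "consistent"
  every read identical but unequal to reference   -> "deterministic-mismatch"
      (bad media, a different file version, or genuinely altered content;
       a virus produces this pattern, reproducibly)
  reads disagree with each other                  -> "nondeterministic"
      (the bytes change between reads of an unchanged file: RAM, bus,
       cable or controller fault, not malware)
"""
import hashlib
import random
from typing import Callable, Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_reads(read: Callable[[], bytes], reference_digest: str,
                   reads: int = 5) -> Dict[str, object]:
    """Read `reads` times via `read()` and classify the outcome."""
    digests = [sha256_hex(read()) for _ in range(reads)]
    distinct = sorted(set(digests))
    if len(distinct) > 1:
        verdict = "nondeterministic"
    elif distinct[0] == reference_digest:
        verdict = "consistent"
    else:
        verdict = "deterministic-mismatch"
    return {"verdict": verdict, "digests": digests, "distinct": len(distinct)}


def check_path(path: str, reference_digest: str, reads: int = 5) -> Dict[str, object]:
    """Same check against a real file (on the hard drive or the install CD).
    The reference digest must come from a copy hashed on a machine you trust,
    otherwise a faulty box could corrupt the reference the same way."""
    def read() -> bytes:
        with open(path, "rb") as fh:
            return fh.read()
    return classify_reads(read, reference_digest, reads)


def flaky_reader(good: bytes, flip_on_read: int, seed: int = 7) -> Callable[[], bytes]:
    """Constructed stand-in for a flaky RAM/controller path: returns the
    correct bytes on every read except one, where a single bit is flipped."""
    rng = random.Random(seed)
    state = {"n": 0}

    def read() -> bytes:
        state["n"] += 1
        if state["n"] != flip_on_read:
            return good
        buf = bytearray(good)
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
        return bytes(buf)
    return read


# Constructed sample contents standing in for e.g. comsetup.dll / msvbvm60.dll.
GOOD = bytes(range(256)) * 64          # 16 KiB of deterministic filler
TAMPERED = GOOD[:-1] + b"\x00"         # one byte differs, reproducibly
REFERENCE = sha256_hex(GOOD)           # digest of the known-good copy


def demo() -> Dict[str, str]:
    """Three scenarios: healthy machine, altered file, flaky hardware."""
    return {
        "healthy": classify_reads(lambda: GOOD, REFERENCE)["verdict"],
        "altered_file": classify_reads(lambda: TAMPERED, REFERENCE)["verdict"],
        "flaky_hardware": classify_reads(flaky_reader(GOOD, flip_on_read=3), REFERENCE)["verdict"],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```

Two caveats when using this on a box like the one in the thread: a "consistent" result only means the file matches the reference, so the reference must be hashed somewhere healthy, and a "nondeterministic" result on the CD drive alone does not pinpoint the component; repeat it with the RAID card and the add-in PCI card pulled, as the later posts end up doing by hand.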
Reports are starting to trickle in on new 0day eeprom w0rm.

Just so you know, you are not alone. rest of the payload comes in thru www port. Nothing we can do about it unless we stop browsing internet :P

Edited by script@kiddy

I echo the other guys' comments on RAM. I've had this issue many times and it always turns out to be one of two things: CPU and/or RAM timings, or just plain faulty RAM.

If it's hardware related, let me give you a more thorough inventory list:

8x 300 GB DiamondMax 10 SATA 150 in RAID 5 on a RocketRAID 1820A v1.2 (BIOS 1.13)

1x 300 GB DiamondMax 10 SATA 150 on primary master running the XP Pro SP2 OS

1x Plextor 716A DVD burner (firmware 1.10) on secondary master

1x Adaptec Duo USB/FireWire combo card in the first PCI slot

Onboard audio disabled

Motherboard Asus NCCH-DL (BIOS 1005)

2x 3 GHz Nocona CPUs

Graphics card Asus ATI 9600 in the AGP slot

2 GB DDR400 RAM

Antec 550 W PSU

It is all watercooled, but that's beside the point, except the fact that I don't have any overheating.

Appreciate any input on this - i.e. if anything pops out as obvious problems.

Two items on my checklist are to throw out the additional USB/FireWire card and just stick to the onboard ports, and I am not sure if the PSU gives enough juice... should it be replaced by a 650 W one?

What media are you using to install? Pressed Microsoft media? Or something you have burned?

They're both Microsoft original CDs, with bronze coating etc.

Just a reality check, or evidence of ignorance: if there was a CMOS virus, I would not be able to boot, am I right?

Just so I can rule that out and continue on the hardware . . .

In the minimal setup, should I also disable the onboard NIC?

Since my problems escalated after upgrading the Asus ATI 9600 Pro to the ATI X800, I'm thinking this puppy might be the cause of my griefs. This post at http://www.rage3d.com/board/showthread.php?t=33630746 talks about turning off Windows File Protection etc. Sounds like a very messy driver procedure from ATI. Maybe they are too busy marrying AMD to write serious software...

a quote from the post:

"

ATI drivers do not always uninstall/update very well so I have my own foolproof method to make sure that everything goes as planned. This is geared towards WinXP, but the principles are the same in all Windows OSes. This is the closest I can get to a clean install of ATI drivers/SW that I have figured out short of a reformat.

You will need to disable Windows File Protection (WFP) or do the file deletions in the \system32 folder while in safe mode depending on your system configuration. To disable WFP, I use X-Setup by X-teq (free, very powerful system tweaker) and you should have no problems deleting any file. Otherwise Safe Mode should work just fine. (press F8 during startup and select Safe Mode)

Items you will need before you start:

Download all of the necessary drivers from here

Download and install Regcleaner (the best registry tool out there) from here.

System purging procedure:

Uninstall all ATI SW, drivers, hydravision, MMC, remote SW, whatever because it makes it easier to clean up your system and it won't cause problems when restarting. Don't reboot until everything is uninstalled.

Delete the following directories:

C:\ATI

C:\Program Files\ATI Multimedia

C:\Program Files\ATI Technology

C:\Program Files\Common Files\Raviscent Shared

note: you may not have all of these depending on your card type, just delete the ones you have

Clean out the C:\Windows\Temp directory. There is a chance there are some driver files in there as well.

Go to the C:\Windows\system32 directory, make sure you are in Details view and right-click on the header (where Name, Type, Date Modified... is), select More and check the box for Company. Then double-click on the Company header and delete all of the ATI files in there. Do the same for the C:\Windows\system32\drivers directory.

Go to the C:\Windows\inf directory and delete any file that starts with ATI (open the inf files in notepad). Then go down to each file named oemxx.inf and open it, delete any that refer to ATI. Make sure that you delete the corresponding .pnf file as well.

Run Regcleaner. Delete any ATI entries.

Empty the Recycle Bin.

Unplug your internet connection or disable it. (Mainly for WinXP) If you don't Windows will try to download a driver for you and install it.

Reboot"

Smooth ride until reinserting the Rocketraid 1820A v. 1.2

Could be controller failure or (god forbid) raid failure. Too much fiddling? Those connectors are pretty sloppy..

Rebuilt raid successfully.

Damage control going on. Then let's see.

For the future: is there any point running mirroring software like MirrorFolder to safeguard me from a faulty RAID? At one scary moment my RAID 5 had lost 4 of 8 drives...

4 successful reboots with the rebuilt RocketRAID 1820A RAID 5.

Then I inserted the Adaptec FireWire/USB combo card, and it starts having problems booting to Windows again.

Anyone recognize this as an issue?

This error is always due to data corruption. Mostly RAM, but in your case seems to be PCI or RAID adapter.

I would try running MemTest86 first to see if there is any sort of RAM issue. Let it run overnight. I have seen systems fail with certain hardware because that hardware uses a part of RAM that is bad.

Thanks for the tip. I'll let it run overnight.

BTW: the system ran OK for 4 days not doing anything (except for transferring all files from the RAID to other drives).

Then, when 30 MB of web files was left, it hung while transferring an XML file. Hard reset. RAID failure (4 of 5 drives missing). POST failure. Reboot. Broken RAID, but now only one drive missing. Booting to XP and rebuilding the RAID with the GUI.

And then a suspicious event: the newly installed Symantec Internet Security was now missing the antivirus scanner, the firewall and the phishing filter.

I immediately disconnected. Uninstalled Symantec and am now trying Trend Micro again. I'll keep you posted.

I'll let the memtest run overnight. If nothing is wrong I'll convert the computer into a toaster...

It has been running for 3 days without major hiccups. Trend Micro back in. Ran sfc, and it replaced a bunch of drivers. Roxio EMC 9 keeps trying to install Media Experience, but can't find the installer. Chkdsk then went ahead "replacing invalid security id with default security id for file %filename%" on all files that were placed back onto the RAID.

Interestingly enough, I haven't found any corrupted files rescued from the raid so far...

I'm going ahead and restoring the pc with caution. The toaster option is still open...