Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Mega problems-sophisticated, unfindable malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Mega problems-sophisticated, unfindable malware

Unread postby faster » August 1st, 2007, 7:41 pm

I've got serious PC problems. This is long-winded because it has to be to describe everything.

It was a chore just getting online long enough to post this - I'll respond to your response when I do get back.

I use W98SE by preference, though I'll be forced out of it one day soon, I'm sure. I have a junky Via Technologies motherboard, and it may cause some of the problems, but can't possibly be responsible for them all.

Sometimes, though, a freeze will engender a blank screen which says "Sync out of range" as it floats around. That's something the board did before it had been fully configured and an OS installed. Also, my AVG antivirus often shows a "read error" in both the MRU and boot sectors. Usually only when I scan in Safe Mode, but I've gotten it in Windows too. I then go online and launch "Magic BIOS" which came with the board. IT says my configuration is newer than the one they have to offer, and all is fine. But I think they do fix the problem, because it is gone after that - but only for a very short time. Then I have to repeat the procedure again. Since the read error has only been showing up in Safe Mode recently, but not in a Windows scan, I've let it be for a while.

Also, sometimes things I have changed in BIOS don't STAY changed. THAT may indeed be the motherboard. But whatever is messing with my system functions best before the system enters Windows. So it goes deep. Maybe deep enough to affect BIOS itself. Still, even though it can have deep effects, doesn't mean the malware itself isn't residing in Windows proper. I just don't know much about these things.

The other system stats that I can think of are:

256MB RAM (DIMM), 2.2Ghz Intel Celeron processor, brand new 80G hard drive, less than half full, Junky soundcard that calls itself Sound Blaster but isn't - it's an Ensoniq, which only synthesizes SB sound, with a "Legacy Device", but carries the SB label - a real cheat. It's a "Sound Blaster Audio126PCI." And it stinks. I suspect it, too, may have a hand in some of my PC woes, but don't know how.

I have my old 80G hard drive on the system, too. I wanted to use it as a storage place, because it has many bad sectors, and can't be trusted to use RAM. But there are a lot of files still on it that even formatting can't get rid of. Before getting the new HD, this puppy was showing lots of files with two-digit "extensions" which scandisk or Ontrack's "Disk Fixer" wanted to truncate. There were THOUSANDS of such files, and so I stopped letting them get "fixed," but by then some additional damage had already been done. Some of those files remain on that drive, probably in the bad sectors. I feel they may contribute to my problems with the new drive. So I have disconnected its configuration so it doesn't show up in My Computer any more, although it's still physically attached. Some of those "two-digit extension" files may have infected my new HD from the old one. The two-letter extensions were often of "geek-type" programming symbols.

Oddly enough, I'd been wondering for a while why my Tangomanager (the program that gets me online) couldn't seem to find and use my PPPoE modem. After I finally disconnected my old HD in BIOS, it suddenly learned how! So that D drive was certainly doing something unlovely with my new one.

The PC freezes constantly, but not always in the same fashion. Most of the time everything just stops - no mouse, no keyboard, no nothing. I'd thought getting the new hard drive would solve that -it didn't. If anything, it's worse now. I used to be able to ward off freezes for quite some time simply by launching a particular game (Dune 2000), which allowed me to stay online - often for hours, especially if I didn't try to view any videos, but even then, the game allowed a goodly amount of videos before finally freezing. Don't know why. But now, even the game itself usually freezes within a few minutes. It didn't used to. Only rarely does it NOT freeze.

When the freeze takes the form of everything just stopping (for several years now), it now has something new - one or two bars across the full width of the screen that appear to zip across the screen from left to right, and contain dots and dashes (some short and others long) in a variety of colors. The bars are usually about 1/2" wide, but I got one once that was over 2" wide. Once or twice they appeared to keep moving or at least "twinkling". There have been other effects, but usually only once or twice. These bars don't happen every time, but are quite common now. If low enough, the dots and dashes make icons in the task bar appear blurred or smeared with these new colors. It never gave these bars of colors before I got the new HD. Don't know if that means much, though.

Sometimes a game will suddenly "wink out" - unlaunch itself a whole lot faster than shutting it down ever could. Then I either find myself with a frozen system, or just back at the desktop (but functional), or else kicked smack into a reboot that I'd never asked for.

The only errors found by scanning the disk are the ones brought about by the precipitous reboot: free cluster count not matching up. Sometimes booglog.prv (in C:\) or tvdebug.log (from ZoneAlarm Pro) have to have the sizes adjusted, but rarely anything else. I usually use Ontrack's "Disk Fixer", but sometimes the original Scandisk finds things it doesn't.

Going online results in freezes faster than anything else, particularly if I want to view videos on CNN. This suggests that the sound card may be behind some freezes.

My browser is IE6, because my preference, Firefox, simply cannot find the Windows Media Player and only tells me to download it - which is already done. So I have no choice but to use IE a lot - which I detest. Using both browsers at the same time eats RAM for lunch, so I don't do it often.

The system seems to be RAM-hungry even in Safe Mode - I'm in it now, with only this note, Explorer and FreeRAM XP Pro running (Ctl-Alt-Del) and yet I have only 38MB of RAM! I have more of it in Windows right after booting up, even with the programs loaded that start with Windows! I usually have around 70-90MB of RAM still free. Go figure?

A file, probably legitimate, called IOS.LOG keeps getting updated to the last reboot or freeze, and it says:

Unit number 00 going through real mode drivers.
Unit number 01 going through real mode drivers.
Unit number 02 going through real mode drivers.

Driver Name:

I don't know what that means. Nor does it seem complete.

The protections I use:

ZoneAlarm Pro - ALWAYS operational, and I shut off all internet access when not intentionally online. I don't understand how to use all configurations, but of those I do know, I tend to set conservatively.

Antivirus - varies. I like AVG Free because it can scan in DOS, and it lets me resume a scan that gets cut off - and with all the freezes, I know how to appreciate THAT! I think Avast! (free version) is superior, though. I only use one at a time, uninstalling the one I had, and installing the new one. I have also used Kaspersky, but its free version is only temporary - less than the 30 days it says you can have. But a full scan with it turned up nothing.

Aside from antivirals, I also use AdAware Pro, Spybot S&D, and I've used HijackThis occasionally.

Despite all my protections and personal caution, ALL antivirals and others have turned stuff up, but none of it affecting the problems shown here. Avast! scans keep turning up a Trojan that I'd eliminated AGES ago. The file it "finds" hasn't existed for quite some time, so how can the scan still detect it? Wierd.

Whatever is messing up my system, it is highly sophisticated. It can insert a file into my system (or use an existing one) showing 0 bytes, yet it has content that only appears when I try to edit the file in DOS, press the delete button, and save the file. Then two bytes show up.

Here's what I have learned - after a LOT of hours and days of digging.

No antivirus seems able to pick up on this malware. There's a small possibility the problem is in the motherboard, but I seriously doubt it. Some scans that take a long time will freeze in both Windows and Safe Mode, so I can't finish the scan. Of those that finish - nothing.

Here are some of my findings:

System.ini file is often altered to remove a specific section, the TTFontDimensionCache. I got tired of having to keep replacing that, so I made the file read only. Of course that means legit files needing to write to it can't. Removing the attribute guaranees a quick freeze, so I have to undo it, let the needed application write to it, and reapply the readonly fast. Despite being read-only, every time the system freezes, DOS will show the file having been
modified in the last few minutes, even though it wasn't! I guess it gets recorded as a "modify" simply from making the attempt. So it tried to take out the Font Cache and failed. This messing with System.ini is extremely persistent.

Only a day ago, I discovered that something was turning both User.dat and System.dat into read only files. No sooner would I change those attributes in Safe Mode or Windows than it would reappear. Since it's my understanding that these two files are extremely dynamic files, both used and written to often by the PC, a read-only attribute is highly unnatural, and may be responsible for most of these freezes. Even as I am typing this in Safe Mode, these two files have changed themselves BACK into read-only several times! I have no idea why they would even be used in Safe Mode in the first place, but maybe they are - I don't know.

After I played around with WNBOOTNG.STS to keep it from disappearing in Windows, there suddenly appeared a second folder in Windows called Temporary Internet Files, but with geek letters and symbols (about 4) following that. The folder contained a desktop.ini and four folders, with password-like names. Each folder contained only its own desktop.ini file, and they all appeared to have the same contents. The contents made reference to a CLSID, so I searched the registry for the long jumbled letter-number file name. It didn't exist.

The "playing" I did was to try to force this file to be accessible in Windows. It never had done so, and I wanted to see it in the light of day. So I copied it, then opened it in DOS, typed some letters into it and saved it under a different name. Then in DOS I opened the new file, and saved it under the name of the original. It worked.

I edited each file and folder in this new TempInternet folder, erasing each document and making it read only, removing the archive attribute, and saving it as such. I made the folders read only also, adding the attribute of archive. Then I had to rename the whole thing. So I substituted Baad for the four geek letters. The folder is still there. But so are all my problems!

Oddly, now, when I get a directory of Windows in pure DOS, there are two. One is the proper Internet Files folder, and the other is named "Tempor~3". It was the folder I had earlier altered. Where's ~2? When I tried to open the 2 folder, it didn't exist. But it must, or DOS wouldn't give the folder I altered the number 3. In Safe Mode, there are still only two, the original and the one I had altered.

I have wierd files popping up in Windows. WNBOOTNG.STS only appears on occasion, which is why I had to "play around" in order to keep it from disappearing again, and so I could see what was in it, in Windows itself. When I had altered it, and got to see its contents in Windows, nothing showed up but my alterations, but there WAS something there, because editing it in DOS, deleting and saving, gave it two bytes, also, just as those other two files did. There was SOMETHING in the file, even though in DOS it said it had 0 bytes. In addition, forcing the appearance of WNBOOTNG.STS in Windows was the thing which made that second "Temporary Internet Files" folder also appear in Windows. As Count Dracula once said, "the clot thickens."

WMSYSPR9.PRX I was able to eliminate - with difficulty. I don't know what it had in it, but so far it hasn't come back. It, too, had had to be renamed before I could delete it.

XREF.INI and NDISLOG.TXT show 0 bytes, yet when I tried to delete them, I was denied access - in pure DOS! I think ndislog.txt is possibly a legit file, being used by the malware. So I tried to edit them in DOS. I did nothing more than to push the delete button and close the file, but was asked if I want to save it. Saying yes, results in a file which has somehow just GAINED 2 bytes! I had subtracted data and added none. Wierd, huh?

I think it was these two files - but certain files that were definitely "unnatural" listed here could be edited, but when I tried to either move or erase them in DOS, it would say either "access denied" or claim the file didn't exist at all! Yet it showed in the directory list and it could be edited. Some said the file didn't exist, yet permitted it to be copied elsewhere, too. Whaaa?

Although the problem with system.ini has been with me for several YEARS, these others are newer, but I have no idea by how much. Some may have been there all along, because they're so terribly hard to find.

I just put two files from the System folder into a new folder in System which I named "suspect". They are HWINFOD.VXD and MSISYS.VXD. Both show as having been modified when there was no need for it, and neither one can be replaced by System File checker, so they're not part of the OS files.

MSISYS.VXD says it's a Microsoft product "System Information for Windows 95." I have W98SE. It may have been put there by a legitimate installation, but don't know why it would have to be modified in a session where I had done very little. The reference to "system information" made me suspect it was being used to alter how my system functions, so I stuck it temporarily "out of the way."

HWINFOD.VXD is even more suspect. I has no version tab, nothing to explain where it came from or what it does. Yet, it, too, was modified, where I saw no reason for a virtual device to have been used.

Both these suspect files may be innocent ones - I just don't know. I'm getting positively paranoid about unfamiliar files on my system - I imagine by now you can figure out why.

Other things which have shown up (but not habitually) include:

Making me have to update the TCP/IP driver, which I had already seen to it was updated the last time I reinstalled Windows. It shouldn't be needed again.

Just today, I've gone into Safe Mode after a crash, scanned the disk and fixed errors, then tried to reboot with bootlog.txt (after being sure it was not shortened), and I get told that windows didn't load properly last time (even though it had loaded fine, but crashed later), and wanting me to go into Safe Mode (even though I'd just BEEN there fixing stuff). Why? This has now happened several times. I don't know whether it ties in with anything or not.

Oh, and once - just once - I found two e-mail addresses in my Thunderbird address book that were QUITE obviously originated by spyware or spam. How they got there, I don't know. I use Mailwasher to look at all my mail before letting it into my Thunderbird program. I NEVER open mail that isn't known, and never open attachments without inquiring first. I follow all the recommended precautions, such as limiting the cookies and scripts I'll allow online, and only on VERY rare occasions do I go to a site that I think might not be worth trusting. In such cases, I tend to block just about everything while I'm there, and don't stay long.

Yet I do get a LOT of spam sometimes. Right now around 20-50 per day. That's low, compared to average, I imagine, but it means somebody's got my e-mail address out there, and some is coming from Mailwasher's "original blacklist," too.

Since it is highly unlikely that a hardware problem can insert files or alter existing ones in a very specific manner, I can't help but conclude that a whole lot of my problems are malware.

UNFINDABLE malware.
faster
Active Member
 
Posts: 1
Joined: July 25th, 2007, 10:03 pm
Advertisement
Register to Remove

Unread postby Elrond » August 8th, 2007, 1:46 pm

Hi Faster

I have bad news for you. What you are describing does not sound as primarily malware problems. It sounds as if you have serious hardware problems and you are at risk of losing all your data if you have not backed it up.
It sounds as if at least the older disk is failing fast but I would be suprissed if, from what you describe, that is the only hardware problem you have.

It also sounds as if the Windows 98SE installation is corrupted. Some of the files that you have tried to tweak do not sound as if they are in perfect shape either. This means that once you have gotten the hardware problems under control you would need to reinstall the Operating System.
If you would go that rout if it is possible I would still advice you to upgrade your OS to Windows XP for security reasons. Windows 98 is not supported anymore and there are no new patches published which means that any security holes that are found are left unpatched and wide open for attack.

I am afraid that the computer seems to be on its last leg and needs major work done if it is to be salvaged if that is possible. I am not sure that it is economically viable to so. :(

Sorry to be the carrier of bad news. :(
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby NonSuch » August 18th, 2007, 4:11 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27304
Joined: February 23rd, 2005, 7:08 am
Location: California


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 44 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware