What to do about a persistent virus?

[clh333]

I'll post this question elsewhere as it pertains to more recent hardware and OS than is germane to the VCF but I know there will be someone here who has an interest, and maybe even a suggestion for how to handle this problem: I have come to the conclusion that I have a BIOS infection on an ABIT KW7 (socket 7 Athlon) motherboard. Here's why: Every attempt I have made to install or update any anti-virus software or definitions update has been unsuccessful.

The machine was built from components around 2005 but I replaced the motherboard a few years ago. I installed Windows XP Pro and ran the machine very little until recently when I hooked it up to make use of its FDDs. In the process I updated a few things, including the AVG anti-virus that had last been updated in 2015. That's when things started going sideways.

The short version of the long story is that not only was I unable to update AVG, but no other anti-virus or anti-malware software has run successfully, either. I wiped the disk (booted Killdisk from a CD and rewrote with zeroes) and reinstalled XP; same story. Wiped again and installed WIN7 this time. All of the hundreds of updates from Microsoft installed successfully, except for the Defender anti-virus update.

I downloaded the manual update of Defender definitions; it halted upon invocation. I tried running in safe mode; no success. Every attempt halted upon execution of the code.

Finally I downloaded Windows Defender Offline, which is a bootable CD with executable and virus definitions on board. The computer, which has often booted from CD in the past, started reading the CD, posted a message "Cannot locate BOOT_MGR" and proceeded to boot from the HD once more.

The only possibility I can think of now is that the BIOS itself (Award BIOS 6.00) is harboring code that intercepts BIOS calls and compares the file name to a list. My next move would be to re-flash the BIOS with an update, but if I do I will eradicate whatever is there without knowing what it was. At least, that's the way it seems to me.

Anyone who has been through this and solved it or has a suggestion for what to try next, I'd welcome your input. Thanks!

-CH-

 

[Stone]

Try booting from a CD, e.g., a Windows installation disk, with the HD disconnected.

 

[Trixter]

The only possibility I can think of now is that the BIOS itself (Award BIOS 6.00) is harboring code that intercepts BIOS calls and compares the file name to a list. My next move would be to re-flash the BIOS with an update, but if I do I will eradicate whatever is there without knowing what it was. At least, that's the way it seems to me.

That is extremely unlikely -- which is why I suggest you do it, so that you can quickly eliminate that as the source of your trouble.

My gut feeling is that there is a component-level failure on the board, actually.

 

[clh333]

That is extremely unlikely -- which is why I suggest you do it, so that you can quickly eliminate that as the source of your trouble.

My gut feeling is that there is a component-level failure on the board, actually.

Thanks for your suggestions. As lengthy as my OP was I left out or condensed several days of trial and error.

My first suspect component was the Tenda wireless USB adapter. I have used them on several machines, but this one seemed to have slow throughput and once or twice I thought I saw an alien IP mentioned - not the usual 192.168.xx.xx. I removed the adapter, uninstalled the driver and utility and let Windows take over the connection. Unfortunately Windows could not furnish / find a driver so I had to reinstall the Tenda driver. After reinstall things worked well again, though.

The machine has a second Abit board that I bought from a Craig's List poster. The fact that the first board failed could point to an internal fault, but what component would fail in such a way that only one class of program would fail on installation or invocation? Up to the point of the Defender Offline boot I had wiped and reloaded the OS twice (first a reinstall of XP, second a new install of Win7), run diagnostic utilities (Smith Micro Check-it latest version), and installed and de-installed several drivers and utilities, all without incident. Yet every time I would try to install or update an anti-virus or anti-malware program it would fail.

The machine was a dual-boot machine with RH Fedora 21 on a separate HD. None of these problems occurred running Linux. (I have removed the Linux drive for now.)

Under XP the usual error message would be a "division by zero, execution halted" type message. Later I also saw "Dr. Watson failed to start" or "Windows Explorer failed to start". After installing Win7 I went through a lengthy spate of Windows Updates (about 160 in all). The only one that was unsuccessful was Windows Defender antivirus definitions for 2/18. Tried three times, the third after all other updates had succeeded. An included update was to IE11, and the first time IE ran it offered a "tune-up" of Internet settings, including the installation of Windows Defender. Once again the update of definitions caused a halt to the install.

The Windows Defender Offline CD was written on another Win7 machine that I am reasonably sure is clean. (I do not employ a home network; I do not employ file or printer sharing and each machine connects to a wireless router / cable modem - Netgear 8 DS 4 US - through WPA2-PSK.) The DVD drive in the Abit machine has been used to boot and / or install FreeDOS, Linux, MS-DOS 6.22, Killdisk, XP and Win7. As far as I can tell it is working well, and after the WDO boot failure on the Abit I tried the disk in the other Win7 machine, where it originated, and booted normally.

Before I flash the BIOS I am going to try one other tactic: There is a Linux-based version of a self-booting anti-malware program that reportedly can scan the Windows drive from Linux. I'll try that first.

Thanks again,

-CH-

 

[KC9UDX]

Have you tested your RAM?

 

[SomeGuy]

That is what I am thinking too. Give the board a test with memtest86, perhaps a CPU burn-in test with Prime95, and something to check the disk I/O. Most software will survive for a while when a few bits get flipped, but anti-virus programs are much more aggressive in their resource usage and (hopefully) have more internal integrity checks. Random crashes in Explorer or Dr. Watson also suggest something the specific applications.

 

[Stone]

Try booting from a CD, e.g., a Windows installation disk, with the HD disconnected.

The machine was a dual-boot machine with RH Fedora 21 on a separate HD. None of these problems occurred running Linux. (I have removed the Linux drive for now.)

Sure sounds like the Windows HD, itself is the culprit, here.

Have you tried another HD for Windows or have you persisted with the same (possibly infected) drive over and over again?

My money's on a Boot Sector problem or more specifically a Rootkit.

Try DBAN.

 

[clh333]

I have spent the time since I last posted downloading live CD anti-virus applications (WDO, AVG, Dr.Web) and one Linux install, ClamAV. I reattached the Linux HD and disconnected the Win7 HD to perform the install of ClamAV, then rebooted and ran a scan of the Windows directory. The program found > 750 "potentially dangerous" programs, but without a way to delete en masse I gave up after deleting about 100 of them individually.

After another power-down I detached the Linux drive, reattached the Win7 and booted from the AVG CD. The AVG live disk uses a flavor of Linux as its OS. It could see the HD but as its virus defs were from 2016 and as the OS could not get my WiFi connection established I gave up on that.

I tries the WDO again and this time it booted - sorta. It went right into some investigation of the HD (DVD and HD lights flickered, but the screen was blank. Eventually I got the message in Pic 1 below. I cancelled the dialog and the program proceeded to display the Defender update screen, which I have seen before, telling me the defs were out of date (Pic 2). Now, I downloaded the defs along with the app yesterday so I don't know why it needed an update, but it tried and failed, again because no WiFi (Pic 3).

My next attempt is with another live CD, this one from Dr.Web (whose web page is in English and Russian... I'm wondering about this one...) whose OS is another Linux flavor but at least has allowed me to connect to the router and download the current defs. I started it on a system-wide, find-everything scan just now. I'll check back after the Super Bowl.

The app I used to wipe the disk is called Killdisk and I have used it successfully before: There was this one time I was involved in a lawsuit, and.. Well, that's another story. AFAIK it wipes everything. Here is their site: http://www.killdisk.com/ I may well have a rootkit but so far it's been my equal. My best guess was that the BIOS had been tweaked to intercept and replace the MBR address or the MBR had been redirected to load something before everything else. I'd love to find out how this thing works.

Haven't ruled out hardware, though. Still trying to figure out what else to do to diagnose that.

Thanks again for everyone's suggestions.

-CH-

Pics:

 

[Stone]

This problem is not something Windows Defender can help you with. This is out of Defender's league.

You really need to try another HD to verify that it's not a hardware (as in motherboard) issue.

 

[Trixter]

Haven't ruled out hardware, though. Still trying to figure out what else to do to diagnose that.

Reflash your BIOS.

 

[clh333]

Ran the live-boot CD AV and scanned everything: nothing found. Removed all cards except video and uninstalled / replaced the Tenda adapter with another (Netis WF-2109) brand. Re-ran WD defs update, failed (pic below), then downloaded manual update of defs, failed as soon as invoked (pic below).

I will re-flash the BIOS next and if that doesn't solve the problem I will switch HDs to one that has never been attached to this machine.

Thanks again for all your suggestions.

-CH-

 

[Stone]

I will re-flash the BIOS next and if that doesn't solve the problem I will switch HDs to one that has never been attached to this machine.

Based on system priorities, I would perform these two functions in the reverse order.

 

[clh333]

Based on system priorities, I would perform these two functions in the reverse order.

Looks like I will have to do that anyway: I am unable to flash the BIOS.

First problem is that the manufacturer, Abit, a Taiwanese company, is out of business. Their web site has been archived but my board and BIOS are not listed. I located and downloaded drivers, supposedly for my board, from third-party sites and attempted to update the BIOS, but ran into an "Insufficient memory" error (pic below).

The procedure I followed was to download the .exe file on this Win7 machine and transfer the .exe (about 256k) to a 1.4 Mb FD which had been pre-formatted on a DOS machine. I started the Abit from the FreeDOS v.1 live CD and booted to an A: prompt. With my 1.4 FD in place I switched to B: where I extracted the archived files, a couple of BAT files, the .BIN file, the flash executable and a readme file. Following the readme I ran the "RUNME.bat" file which executed but finished with the "insufficient memory" message (pic below).

I have the Abit Drivers CD that came with the original board. In a folder there is the original Award flash utility, but no BIOS image. I tried that utility with the same results.

Pictured below is the BIOS chip and the system info highlighting the BIOS version. I'm not sure whether I have the wrong version of the BIOS update (I tried V15 and V11 for the KW7). It may be that the later versions were for a larger BIOS IC. Alternately I may be following the wrong procedure. A third possibility is that the .BIN file, which appears to be compressed, can not be extracted on the floppy.

So after all of this I guess I try another drive.

Thanks again,

-CH-

 

[Stone]

Here's my overall opinion in a nutshell:

1) You can't hurt your machine by switching the HD. Additionally, you might even learn something.

2) You can surely brick it by screwing around with the BIOS, especially if that's not something you are very familiar with.

 

[SomeGuy]

If you have not already done so, RUN MEMTEST! Flashing a BIOS while you have faulty RAM can result in an unbootable system!

How much memory does Freedos report as available? I am not familiar with their live CD, but it probably loads extra drivers that may eat up memory. Does it have an option for a minimal boot? That is odd, as Freedos almost lives for BIOS flashing.

How about instead just hunting down a normal MS-DOS 6.x or Win9x 1.44m boot floppy, open it in WinImage, delete all files except IO.SYS, MSDOS.SYS, COMMAND.COM and HIMEM.SYS. Create a CONFIG.SYS text file with just the line "DEVICE=HIMEM.SYS", then copy in your BIOS flash tools. Write that image to a floppy and boot from it. If it does the same thing then there is something horribly wrong with that board.

 

[Stone]

...Flashing a BIOS while you have faulty RAM can result in an unbootable system!...

That's one way and there are many others.

 

[clh333]

1) You can't hurt your machine by switching the HD. Additionally, you might even learn something.

It's all about learning something. I don't need the machine; I just want to find out what's going on. That's why I'm grateful for others' input.

2) You can surely brick it by screwing around with the BIOS, especially if that's not something you are very familiar with.

Always a risk, and wouldn't be the first time I've rendered something useless. But I do have the original board with the identical BIOS and presumably can fall back on that.

-CH-

 

[clh333]

RUN MEMTEST!

Will do.

How much memory does Freedos report as available? I am not familiar with their live CD, but it probably loads extra drivers that may eat up memory. Does it have an option for a minimal boot? That is odd, as Freedos almost lives for BIOS flashing.

The Award BIOS reports 3 Gb (3144704) as a result of a memory test on boot. FreeDOS' 1.0 MEM command reports 3144280k total memory, divided as follows: 634k conventional, 48k upper, reserved 342k, extended 3,143,256k, with FreeDos resident in high memory. A screen shot is shown below. I have five options when the live CD boots, one of which is to install to the HD, one to run from the CD with drivers for extended / expanded memory and another one is to run from the CD with no drivers installed at all.

How about instead just hunting down a normal MS-DOS 6.x or Win9x 1.44m boot floppy, open it in WinImage, delete all files except IO.SYS, MSDOS.SYS, COMMAND.COM and HIMEM.SYS. Create a CONFIG.SYS text file with just the line "DEVICE=HIMEM.SYS", then copy in your BIOS flash tools. Write that image to a floppy and boot from it. If it does the same thing then there is something horribly wrong with that board.

I will try that and let you know what happens. Thanks for your suggestions.

-CH-

 

[glitch]

As others have said, I'd suspect bad RAM is way more likely than a BIOS-resident virus. My vote is also for memtest86+

 

[clh333]

One pass through memtest86, no errors:



-CH-