|
|
|
|
| Author |
Message |
dyf
Guest
|
 Posted: Sun Aug 27, 2006 5:29 am Post subject: Need help on clearing CMOS and whatever memory on the mother |
 |
|
Hi, I am really frustrated by the virus, which has infected 5 computers for
the past half year.
It infected hard drive's MBR and boot sector, apprently it is able to hide
itself somewhere on the board and corrupt the bios.
For 2 of infected PCs, I managed to flash the bios(K7SEM, and tyan s1854),
it didn't work out.
I had the bios chips reprogrammed with a electronic programmer. I put them
back on the boards, while no hard drive connected, they corrupted the bios
right away.
I took out the bios chips and had them reprogrammed again. I reset the CMOS
and took out the battery, DRAMs for more than 2 days, too.
So my questions are:
1) Are there any other memories on the board that I need to clean, such as
CMOS, completely?
2) If this is not the best place to ask such kind of question, which
newsgroup or forum on the net would be a better one?
Any idea, any kinds of help is greatly appreciated.
Derrick |
|
| Back to top |
|
 |
|
|
Davy
GURU
Joined: 30 Apr 2005
Posts: 1862
Location: Nr Manchester. UK
|
| Posted: Mon Aug 28, 2006 12:50 am Post subject: Re: Need help on clearing CMOS and whatever memory on the mo |
|
|
Just to confirm you have posted correctly so no problem here.
Some virsuses can be memory resident usually ram related, bios can be corrupted as well even by the power supply unit, faulty power leads or the plain ol' back up battery, whether you get viruses resident in the bios or not I can't say, meaning to say viruses that use bios as a form of ram that loads into ram or hard disc.
One way to damage a hard disc is to close down as normal and then immediately shut the power off completely as the computer is shutting down while ' saving your settings', usually you go into 'scan disc' in hard drive properties and reload the system files to rectify this when it won't boot up, if you are unlucky the MBR can become damaged.
The more you boot up the longer it will take to boot up... now this needs thinking about a little while...! You booted up without success the 5th time... XP will have saved that faulty setting 5 times as when you shut down XP saves your last settings.... so when you come to boot up it will search for a good known boot - and it won't be the last five.
This had been proven to me, you get the Welcome screen with the blue bar moving across and you just sit and wait..... while XP finds the last good setting that worked - this can take a good ten minutes or so depending on how many times you shut down before Windows has fully booted.
As you may be aware, there are boot viruses knocking about to which could make a hard drive useless and a reformat necessary.
Trouble is XP Windows reformat is only good for a brand new hard drive.... reformatting a used drive will leave 'footprints' like walking in the snow and is only a single pass affair..... what you think is a clean hard drive an expert could easily pull useful data from it after a XP reformat... if you want a clean hard drive you are better using 'Killdisk' (for want of a name - there are others about) which does more than one pass .... and can easily take a day or two to complete.
For five computers to be affected does sound to me like a MBR boot virus and not bios related.
Davy |
|
| Back to top |
|
|
pjp
Guest
|
| Posted: Mon Aug 28, 2006 9:54 am Post subject: Re: Need help on clearing CMOS and whatever memory on the mo |
|
|
Why do you feel they're infected, e.g. what's happening after bios
reprogram?
I off-hand can't think of any means by which any virus would withstand chip
reprogramming. The bios doesn't "go outside itself" in the sense of load
auxilary software except for add-on bios', e.g. video card's, scsi card, nic
and perhaps some other add-on cards and I assume their bios is locked in the
sense of it's on a non-reprogrammable chip. To my knowledge it's not until
bios looks for and loads then gives control to OS (presumably) from hard
disk, floppy, cd etc. that it becomes susceptable (booting over network etc.
as exception).
"dyf" <dyuefeng@gmail.com> wrote in message
news:397Ig.17580$365.10337@edtnps89...
| Quote: | Hi, I am really frustrated by the virus, which has infected 5 computers
for
the past half year.
It infected hard drive's MBR and boot sector, apprently it is able to hide
itself somewhere on the board and corrupt the bios.
For 2 of infected PCs, I managed to flash the bios(K7SEM, and tyan s1854),
it didn't work out.
I had the bios chips reprogrammed with a electronic programmer. I put them
back on the boards, while no hard drive connected, they corrupted the bios
right away.
I took out the bios chips and had them reprogrammed again. I reset the
CMOS
and took out the battery, DRAMs for more than 2 days, too.
So my questions are:
1) Are there any other memories on the board that I need to clean, such
as
CMOS, completely?
2) If this is not the best place to ask such kind of question, which
newsgroup or forum on the net would be a better one?
Any idea, any kinds of help is greatly appreciated.
Derrick
|
|
|
| Back to top |
|
|
dyf
Guest
|
| Posted: Wed Aug 30, 2006 7:46 am Post subject: Re: Need help on clearing CMOS and whatever memory on the mo |
|
|
Thank you very much for your knowlegeable advices.
I believe you are right that the bios was clean after reprogramming, but
unfortunately I didn't clear the cmos before plugging it in.
What happened was, while it was in the middle of booting process I realized
the cmos wasn't clean (may inlcude some other memories on the board in
addition to cmos), therefore I interupted the booting process, turned off
the system, reset the jumper to clear cmos, started the system again, the
virus symptom appeared (didn't recognized any hard drive in slave mode and
other weird things). The bios was taken out to compare with the original
image on the chip programmer, and was found that the bios was modified by
someting that was residing on the board, not hard drive.
The bios chip was re-programmed, and I am hoping that I can clear the board
completely before the bios is put back in.
Any idear to help understand the memories on mother board is very
appreciated.
dyf
"pjp" <pjpoirier_is_located_at_@_hotmail_._com> wrote in message
news:vGuIg.2672$9u.46624@ursa-nb00s0.nbnet.nb.ca...
| Quote: | Why do you feel they're infected, e.g. what's happening after bios
reprogram?
I off-hand can't think of any means by which any virus would withstand
chip
reprogramming. The bios doesn't "go outside itself" in the sense of load
auxilary software except for add-on bios', e.g. video card's, scsi card,
nic
and perhaps some other add-on cards and I assume their bios is locked in
the
sense of it's on a non-reprogrammable chip. To my knowledge it's not until
bios looks for and loads then gives control to OS (presumably) from hard
disk, floppy, cd etc. that it becomes susceptable (booting over network
etc.
as exception).
"dyf" <dyuefeng@gmail.com> wrote in message
news:397Ig.17580$365.10337@edtnps89...
Hi, I am really frustrated by the virus, which has infected 5 computers
for
the past half year.
It infected hard drive's MBR and boot sector, apprently it is able to
hide
itself somewhere on the board and corrupt the bios.
For 2 of infected PCs, I managed to flash the bios(K7SEM, and tyan
s1854),
it didn't work out.
I had the bios chips reprogrammed with a electronic programmer. I put
them
back on the boards, while no hard drive connected, they corrupted the
bios
right away.
I took out the bios chips and had them reprogrammed again. I reset the
CMOS
and took out the battery, DRAMs for more than 2 days, too.
So my questions are:
1) Are there any other memories on the board that I need to clean, such
as
CMOS, completely?
2) If this is not the best place to ask such kind of question, which
newsgroup or forum on the net would be a better one?
Any idea, any kinds of help is greatly appreciated.
Derrick
|
|
|
| Back to top |
|
|
Paul
Guest
|
| Posted: Fri Sep 01, 2006 4:16 am Post subject: Re: Need help on clearing CMOS and whatever memory on the mo |
|
|
In article <wabJg.18648$395.2914@edtnps90>, "dyf" <dyuefeng@gmail.com> wrote:
| Quote: | Thank you very much for your knowlegeable advices.
I believe you are right that the bios was clean after reprogramming, but
unfortunately I didn't clear the cmos before plugging it in.
What happened was, while it was in the middle of booting process I realized
the cmos wasn't clean (may inlcude some other memories on the board in
addition to cmos), therefore I interupted the booting process, turned off
the system, reset the jumper to clear cmos, started the system again, the
virus symptom appeared (didn't recognized any hard drive in slave mode and
other weird things). The bios was taken out to compare with the original
image on the chip programmer, and was found that the bios was modified by
someting that was residing on the board, not hard drive.
The bios chip was re-programmed, and I am hoping that I can clear the board
completely before the bios is put back in.
Any idear to help understand the memories on mother board is very
appreciated.
|
As "pjp" says, add-in cards have BIOS also. The BIOS chip on
a video card can be reflashed, and that is a potential spot
for a virus to live. For example, when my computer that contains
a Nvidia FX5200 starts up, there is a BIOS message printed on the
screen, and the message is from code contained in the BIOS chip
on the FX5200 card. And there are people who understand how to
patch video card BIOSes, so it is not a far-fetched possibility
for someone to write a virus that "lives" in a video card. Other
add-in cards are also possible virus vectors, but for a virus
writer, video cards have a high likelyhood of being found in
your average computer, so they make an excellent place to store
a virus. And if the access features and programming methods are
the same, between different models of video cards, the virus
writer probably doesn't have to work too hard to make a virus
that can attack a whole family of video card types.
Perhaps repeat your experiment again. Remove the AGP or PCI
Express video card. Install an old PCI video card (the older
the better). Reprogram the main motherboard BIOS chip. Use
the clear CMOS jumper. Then start up the system and see if the
virus symptoms are still there. If the virus symptoms have
disappeared, then you'll have to be real careful with your
video card. To reflash the video card BIOS, you might need a
different platform - people who flash video cards, use Macintoshes
and PCs, and perhaps reflashing the video card while it is
plugged into an (AGP based) Macintosh, would be one way to fix
it.
In terms of the main motherboard BIOS, be aware that when
you program the BIOS chip, the DMI and ESCD segments are
blanked. The first time the BIOS POSTs, the BIOS computes
new contents for DMI/ESCD, and those areas of the
BIOS image will change. Thus, when you later use a BIOS
tool to make a backup copy of the current contents of the
BIOS chip, there will be an area in the high address end
of the BIOS chip that will have been modified.
To check for a virus, you'd want to do a delta between
the main BIOS code modules, and the Boot Block. On an
Award BIOS, the main BIOS code modules are delimited by
"-lh5-", as each module is LHA compressed. On an AMI
BIOS, they use a different scheme, and the only tool
I can use on those is MMTool to extract and uncompress
the individual modules. A typical BIOS might have 8 to
20 modules for the main BIOS. The Boot Block code, is
intended for recovery from a bad BIOS flash, and that is
yet another area a virus could hide. The Boot Block is
not delimited in the same way as the main BIOS code
modules, and even tools like MMTool generally don't
treat the Boot Block as a module.
So I hope you are not mistaking changes to DMI/ESCD, as
evidence of a virus. The BIOS image is self-modifying,
on the first and subsequent POSTs, depending on changes
to the hardware inventory of the computer.
Paul
| Quote: |
dyf
"pjp" <pjpoirier_is_located_at_@_hotmail_._com> wrote in message
news:vGuIg.2672$9u.46624@ursa-nb00s0.nbnet.nb.ca...
Why do you feel they're infected, e.g. what's happening after bios
reprogram?
I off-hand can't think of any means by which any virus would withstand
chip
reprogramming. The bios doesn't "go outside itself" in the sense of load
auxilary software except for add-on bios', e.g. video card's, scsi card,
nic
and perhaps some other add-on cards and I assume their bios is locked in
the
sense of it's on a non-reprogrammable chip. To my knowledge it's not until
bios looks for and loads then gives control to OS (presumably) from hard
disk, floppy, cd etc. that it becomes susceptable (booting over network
etc.
as exception).
"dyf" <dyuefeng@gmail.com> wrote in message
news:397Ig.17580$365.10337@edtnps89...
Hi, I am really frustrated by the virus, which has infected 5 computers
for
the past half year.
It infected hard drive's MBR and boot sector, apprently it is able to
hide
itself somewhere on the board and corrupt the bios.
For 2 of infected PCs, I managed to flash the bios(K7SEM, and tyan
s1854),
it didn't work out.
I had the bios chips reprogrammed with a electronic programmer. I put
them
back on the boards, while no hard drive connected, they corrupted the
bios
right away.
I took out the bios chips and had them reprogrammed again. I reset the
CMOS
and took out the battery, DRAMs for more than 2 days, too.
So my questions are:
1) Are there any other memories on the board that I need to clean, such
as
CMOS, completely?
2) If this is not the best place to ask such kind of question, which
newsgroup or forum on the net would be a better one?
Any idea, any kinds of help is greatly appreciated.
Derrick
|
|
|
| Back to top |
|
|
Fix your Windows Problems - FAST.
FREE Safe Scan Registry Check. Locate & Fix Errors in Minutes!
|
|
dyf
Guest
|
| Posted: Sat Sep 02, 2006 5:20 am Post subject: Re: Need help on clearing CMOS and whatever memory on the mo |
|
|
Thanks a lot for you help and I will do more experiments and see what happen
next.
I really appreciate it.
dyf
"Paul" <nospam@needed.com> wrote in message
news:nospam-3108062221240001@192.168.1.178...
| Quote: | In article <wabJg.18648$395.2914@edtnps90>, "dyf" <dyuefeng@gmail.com
wrote:
Thank you very much for your knowlegeable advices.
I believe you are right that the bios was clean after reprogramming, but
unfortunately I didn't clear the cmos before plugging it in.
What happened was, while it was in the middle of booting process I
realized
the cmos wasn't clean (may inlcude some other memories on the board in
addition to cmos), therefore I interupted the booting process, turned off
the system, reset the jumper to clear cmos, started the system again, the
virus symptom appeared (didn't recognized any hard drive in slave mode
and
other weird things). The bios was taken out to compare with the original
image on the chip programmer, and was found that the bios was modified by
someting that was residing on the board, not hard drive.
The bios chip was re-programmed, and I am hoping that I can clear the
board
completely before the bios is put back in.
Any idear to help understand the memories on mother board is very
appreciated.
As "pjp" says, add-in cards have BIOS also. The BIOS chip on
a video card can be reflashed, and that is a potential spot
for a virus to live. For example, when my computer that contains
a Nvidia FX5200 starts up, there is a BIOS message printed on the
screen, and the message is from code contained in the BIOS chip
on the FX5200 card. And there are people who understand how to
patch video card BIOSes, so it is not a far-fetched possibility
for someone to write a virus that "lives" in a video card. Other
add-in cards are also possible virus vectors, but for a virus
writer, video cards have a high likelyhood of being found in
your average computer, so they make an excellent place to store
a virus. And if the access features and programming methods are
the same, between different models of video cards, the virus
writer probably doesn't have to work too hard to make a virus
that can attack a whole family of video card types.
Perhaps repeat your experiment again. Remove the AGP or PCI
Express video card. Install an old PCI video card (the older
the better). Reprogram the main motherboard BIOS chip. Use
the clear CMOS jumper. Then start up the system and see if the
virus symptoms are still there. If the virus symptoms have
disappeared, then you'll have to be real careful with your
video card. To reflash the video card BIOS, you might need a
different platform - people who flash video cards, use Macintoshes
and PCs, and perhaps reflashing the video card while it is
plugged into an (AGP based) Macintosh, would be one way to fix
it.
In terms of the main motherboard BIOS, be aware that when
you program the BIOS chip, the DMI and ESCD segments are
blanked. The first time the BIOS POSTs, the BIOS computes
new contents for DMI/ESCD, and those areas of the
BIOS image will change. Thus, when you later use a BIOS
tool to make a backup copy of the current contents of the
BIOS chip, there will be an area in the high address end
of the BIOS chip that will have been modified.
To check for a virus, you'd want to do a delta between
the main BIOS code modules, and the Boot Block. On an
Award BIOS, the main BIOS code modules are delimited by
"-lh5-", as each module is LHA compressed. On an AMI
BIOS, they use a different scheme, and the only tool
I can use on those is MMTool to extract and uncompress
the individual modules. A typical BIOS might have 8 to
20 modules for the main BIOS. The Boot Block code, is
intended for recovery from a bad BIOS flash, and that is
yet another area a virus could hide. The Boot Block is
not delimited in the same way as the main BIOS code
modules, and even tools like MMTool generally don't
treat the Boot Block as a module.
So I hope you are not mistaking changes to DMI/ESCD, as
evidence of a virus. The BIOS image is self-modifying,
on the first and subsequent POSTs, depending on changes
to the hardware inventory of the computer.
Paul
dyf
"pjp" <pjpoirier_is_located_at_@_hotmail_._com> wrote in message
news:vGuIg.2672$9u.46624@ursa-nb00s0.nbnet.nb.ca...
Why do you feel they're infected, e.g. what's happening after bios
reprogram?
I off-hand can't think of any means by which any virus would withstand
chip
reprogramming. The bios doesn't "go outside itself" in the sense of
load
auxilary software except for add-on bios', e.g. video card's, scsi
card,
nic
and perhaps some other add-on cards and I assume their bios is locked
in
the
sense of it's on a non-reprogrammable chip. To my knowledge it's not
until
bios looks for and loads then gives control to OS (presumably) from
hard
disk, floppy, cd etc. that it becomes susceptable (booting over network
etc.
as exception).
"dyf" <dyuefeng@gmail.com> wrote in message
news:397Ig.17580$365.10337@edtnps89...
Hi, I am really frustrated by the virus, which has infected 5
computers
for
the past half year.
It infected hard drive's MBR and boot sector, apprently it is able to
hide
itself somewhere on the board and corrupt the bios.
For 2 of infected PCs, I managed to flash the bios(K7SEM, and tyan
s1854),
it didn't work out.
I had the bios chips reprogrammed with a electronic programmer. I put
them
back on the boards, while no hard drive connected, they corrupted the
bios
right away.
I took out the bios chips and had them reprogrammed again. I reset the
CMOS
and took out the battery, DRAMs for more than 2 days, too.
So my questions are:
1) Are there any other memories on the board that I need to clean,
such
as
CMOS, completely?
2) If this is not the best place to ask such kind of question, which
newsgroup or forum on the net would be a better one?
Any idea, any kinds of help is greatly appreciated.
Derrick
|
|
|
| Back to top |
|
|
|
|
| |
Watched Topics
Search
Register
Log in to check your private messages
Profile
Log in
Memberlist
Usergroups