jamesvmoore
Technical User
This is a tough one! I have picked up something nasty and so far no anti-virus / anti-trojan I have tried detects it. I think that this hides in either the flash memory of the BIOS, or the flash memory of the Network Card - I don't think that an ATA controller could hide malicious code in its firmware.
Basic Info: AMD 750 Processor, AOPEN AK72 MotherBoard with latest BIOS, Promise ATA 100 PCI Controller, 3COM 3c905B-TX PCI NIC, SB16 PCI, Maxtor 45 GB HDD and new 256 SDRAM and later a known good but used 512 MB SDRAM, connected highspeed via cable/fiber optic running Windows 98SE with latest updates, ZoneAlarm and Norton AV.
Symptoms:
I first noticed that a .tmp file composed of mostly high (above 128) ASCII and control characters appears in my c:\windows\temp directory; it is referenced in the wininit.ini file, and its name starts with ~EF####.tmp (where # is any integer). It is locked against deletion.
After a reboot or shutdown, a new file named ~DC####.tmp (where # is any integer), composed of mostly high (above 128) ASCII and control characters, appears in my c:\windows\temp directory. This file is mostly composed of a character that looks like a 'y' with 2 dots (umlaut y?) over it and regular text that says R O O T E N T R Y. This file is also locked against deletion.
When restarted, 2 instances of RUNDLL appear in the Task Manager (as seen via CTRL-ALT-DEL); they can be clicked on, but END TASK will only cause them to restart. This does not occur if started in safe mode.
Things I have tried:
I have done an fdisk /mbr, fdisk, format and re-install of Win98SE; the install will complete after scandisk supposedly fixes the drive mis-reporting its size. The same symptoms reappear shortly after installing all of the correct motherboard and device drivers.
I used the hard disk manufacturer's tools to low-level format the entire drive (write completely to zeros). Re-installing Win98SE, the symptoms are back. After another low-level format using Symantec GDISK to write the whole drive to zeros, I have tried to install Windows 2000 Professional from CD. If I attempt to format NTFS, that will fail; if I use a pre-existing FAT32 partition, the install only makes it to the first real Windows 2000 screen that detects hardware. This will go to 70% and then the entire screen will turn black with backwards white commas.
After letting the CMOS BIOS go cold, no power - no battery, then flashing the BIOS to 1.00 and back again to 1.11 I re-attempted installing using a completely new hard disk in the same PC with the same results, Windows 2000 asks for the Promise ATA Card driver if I connect the drive to that and can't format the disk or fails at the detect hardware if the hard disk is already formatted. Using the built in IDE controller gets the same results sans the need to F6 to specify the ATA card. Windows 98 SE can install but displays the scandisk fix. Both Windows install CDs work fine on other computers.
I have tried this on the original hard disk, a clean hard disk only used for data storage, and a new hard disk direct from the manufacturer. After this happens to a hard disk, it is not cleanable via floppy disk virus scan - nothing is ever detected and it will always mis-report its size to Win98 but will allow install if 'fixed', will not allow Win2000 to format NTFS or finish installing.
I put a second clean PC on my network, behind a hardware firewall, also running Norton AV and ZoneAlarm, and it developed the exact same symptoms within a week. I have been very good about not swapping diskettes or burned CDs back and forth between these PCs, so I can rule out .
Once infected I am pretty sure that this somehow hides from the file system on the hard disk or changes the drive geometry.
Whatever this is, it can survive a zero-fill format of the hard disk, and even re-appears after the installation of a new hard disk on the same machine. I am almost certain that it was delivered through my Internet connection because it appeared on a clean PC plugged into the firewall. Curiously, on the new hard disk install, I had not even plugged the network cable into the PC and still developed the mysterious .tmp files.
Sorry for the length of this posting, and I would appreciate any advice or assistance that can be offered.
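An added triage example (my own script, not the poster's, and not a verdict on what the files are): before treating a locked, mostly-high-byte temp file as firmware-resident malware, it is worth measuring what is actually in it. Two details in the description are testable. A 'y' with two dots is how a Windows-1252 text viewer renders the byte 0xFF, and letters shown with blanks between them are what a UTF-16LE string looks like in an 8-bit viewer. Both are also what an OLE compound document (Microsoft structured storage, documented in MS-CFB) looks like: its FAT free-sector markers are runs of 0xFF and its first directory entry is named "Root Entry" in UTF-16LE. The script below scans a temp directory for the ~EF####.tmp / ~DC####.tmp name pattern (assumed to mean one or more digits), reports the high-byte and 0xFF ratios, and checks for the compound-file header and the "Root Entry" name. A file that matches is a structured-storage temp file and can be opened with a CFB parser; one that does not is the more interesting sample to hash and submit to a scanner. The sample bytes are constructed inline so the script runs offline.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Compound File Binary (OLE2) header signature, per MS-CFB.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Directory entry names are UTF-16LE; the first entry is always "Root Entry".
ROOT_ENTRY_UTF16 = "Root Entry".encode("utf-16-le")
# Name pattern quoted in the post (assumption: "####" means one or more digits).
TEMP_NAME_RE = re.compile(r"^~(EF|DC)\d+\.tmp$", re.IGNORECASE)


@dataclass
class TempFileReport:
    name: str
    size: int
    high_byte_ratio: float   # fraction of bytes >= 0x80 ("high ASCII")
    ff_ratio: float          # fraction of 0xFF bytes (rendered as ÿ in cp1252)
    is_ole_compound: bool    # file starts with the CFB header signature
    has_root_entry: bool     # UTF-16LE "Root Entry" occurs somewhere in the file


def analyze_bytes(name: str, data: bytes) -> TempFileReport:
    """Byte-class statistics plus the two structured-storage indicators."""
    size = len(data)
    high = sum(1 for b in data if b >= 0x80)
    ff = data.count(0xFF)
    return TempFileReport(
        name=name,
        size=size,
        high_byte_ratio=high / size if size else 0.0,
        ff_ratio=ff / size if size else 0.0,
        is_ole_compound=data.startswith(OLE_MAGIC),
        has_root_entry=ROOT_ENTRY_UTF16 in data,
    )


def explain(report: TempFileReport) -> list:
    """Human-readable reasons a file looks like structured storage (or not)."""
    reasons = []
    if report.is_ole_compound:
        reasons.append("CFB/OLE header signature present")
    if report.has_root_entry:
        reasons.append("UTF-16LE 'Root Entry' directory name present")
    if report.ff_ratio > 0.25:
        reasons.append("large 0xFF fill (FAT free-sector markers)")
    if not reasons:
        reasons.append("no structured-storage indicators; treat as unknown binary")
    return reasons


def scan_temp_dir(temp_dir: str) -> list:
    """Report on every file in temp_dir whose name matches the post's pattern."""
    reports = []
    for path in Path(temp_dir).iterdir():
        if path.is_file() and TEMP_NAME_RE.match(path.name):
            reports.append(analyze_bytes(path.name, path.read_bytes()))
    return reports


def build_sample_cfb_fragment() -> bytes:
    """Constructed sample, not a real file: a 512-byte header sector carrying
    the signature, one FAT sector of 0xFF free markers, and one 128-byte
    directory entry whose name field is 'Root Entry'."""
    header = OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC))
    fat_sector = b"\xFF" * 512
    dir_entry = ROOT_ENTRY_UTF16 + b"\x00" * (128 - len(ROOT_ENTRY_UTF16))
    return header + fat_sector + dir_entry


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a live machine call
    # scan_temp_dir(r"c:\windows\temp") instead.
    sample = analyze_bytes("~DC0001.tmp", build_sample_cfb_fragment())
    print(sample)
    for reason in explain(sample):
        print(" -", reason)
```

On a real machine, `scan_temp_dir(r"c:\windows\temp")` gives one report per matching file; a locked file that reports as structured storage is worth opening with a CFB-aware tool to see which application wrote it, while one with no indicators is the sample to hash and submit for analysis.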