Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW.

Discussion in 'Computer Support' started by thanatoid, Jul 28, 2010.

  1. thanatoid

    thanatoid Guest

    Well, it took almost 20 years but it finally happened. It's
    amazing what a small batch file (maybe not so small - it has
    vaporized... read on) can do.

    Those bored with my gargantuan posts can just skip over most of
    it (please read the SUMMARY paragraphs), but I would really
    appreciate specific answers to the four numbered questions, as
    well as general advice. (My KF is disabled, so go for it,
    denizens of aforementioned ;-)

    Using Compaq EVO-D510 SFF. One 80GB HD, one CD burner, a riser
    card with two horizontal PCI slots, and (re: a post from a
    couple of months ago) the Compaq BIOS does not allow for more
    than one device per IDE channel, I checked - relevance below.

    I was running 98SELite, as always, using Opera, on two or three
    sites requiring javascript etc. - otherwise I would have been
    using OffByOne and this /probably/ would NOT have happened.

    The firewall was on, of course, but the ESET internet
    monitor/file monitor were /not/, as I do not believe that is
    REALLY necessary - I /may/ have to reconsider that position ;-[

    Script sentry was on, but it does nothing with batch files, just
    scripts of all kinds. And it works great.

    >>>SUMMARY (2 paragraphs)


    So, everything was fine, when all of a sudden my mouse and
    keyboard became possessed.

    Basically, it was like the left and right mouse buttons and Ctl
    and Alt keys were being randomly activated, FAST. I turned off
    the ADSL modem, and ran TaskInfo. There was a batch file in my
    temp (either c:\temp or C:\win\temp) directory which was NOT
    supposed to be there. It was running. I shut down the machine. I
    can't remember the file's exact name, but it was short, 5 or so
    letters, no weird numbers or figures.

    Boring (yet important if you don't want to ask about stuff I
    *already DID*) details:

    When I restarted, the same thing was happening. (And it remains
    the current situation, although one might say the virus is /less
    active/ than it was (as if it had a built-in downward slope).
    But the machine is unusable, plus, while the virus appears
    fairly non-malignant, just annoying (ALL user control is NOT
    affected, you just have to click and move the mouse a lot - and
    fast, to get in between the virus activity bursts) - who knows
    what it will do next? So far my data appears intact [AOT the
    system] but FUD are definitely having a big party at the lair of
    thanatoid at the moment.

    So after the reboot, I ran TaskInfo again - no batch file
    running.

    I searched for batch files on the C: drive and only found the
    few I wrote myself and have always had. /Nothing new./

    I ran Restoration (still the only undelete program that is not
    5-20 MB and actually works BETTER than any of /those/),
    searching for a bat file, nothing. I thought the file might have
    deleted itself after doing whatever it was supposed to do. It
    must have, since it is NOWHERE to be found, deleted or present.

    I rebooted, deleted the swap file in DOS, and rebooted again.
    Virus still active.

    I thought, OK, I'll reboot to XP - XP should be OK, right? Same
    thing. Then I realized XP reads several files on C. Then I tried
    to boot Damn Small Linux into memory, it would not (I /have/
    successfully run it in the past).

    I went back to 98, and, since I just happened to update the ESET
    NOD32 signatures a couple of hours earlier, I ran it. The virus
    seemed to be paused by ESET running, but while ESET scans boot
    sectors and all memory, as well as everything else, it found
    nothing.

    I went back to XP and ran MalwareBytes Anti-Malware (or whatever
    it's called - I only see 8.3 names now...) - nothing on either
    C: or the XP partition. While running MBAM, virus activity
    appeared to pause as well.

    To make a long story a /little/ shorter, I removed the battery,
    cleared the CMOS (several times, different hard- and soft-
    methods), first restored an old saved MBR, then (when that did
    not help) created a new MBR, and finally restored an Acronis
    image after moving current C: data to another partition.

    I should mention that the virus /appears/ inactive in DOS. Well,
    who knows - but nothing weird /seems/ to be happening AFAICT.

    Well, when the restored Acronis image (which I believe contains
    the MBR in the first sector - I am extremely ignorant about some
    basics) exhibited exactly the same behavior, I started thinking
    WHAT the damn thing could have infected ELSEWHERE than the HD...
    Unless it is hidden /somewhere/ and fucks up the MBR every time
    I boot - I don't know much about viruses and what they are
    capable of.

    I tried Damn Small Linux again - this time it DID boot and ran
    in memory...

    Get ready for this...

    Sigh...

    DSL /appeared to exhibit/ - although to a CONSIDERABLY smaller
    degree - a little of the SAME behavior - a DOS-like window
    (whatever they're called in Linux) would highlight some lines of
    the window depending on mouse movement, and I /think/ a menu or
    two popped up without any clicking on my part. And the mouse
    appeared to be malfunctioning. (OTOH, having only run DSL a
    couple of times before, and for a VERY short period of time, and
    already being in a somewhat altered state of mind, my perception
    /may/ have been mistaken - I don't know.)

    So...

    Having never had to deal with this kind of thing before (I got a
    virus in a POP email once, but it could not do anything, maybe
    because I had all scripting disabled at the time - it was hell
    to remove though), I thought the following:

    >>>QUESTION 1. It could not have messed up the processor -
    first, I do not believe that is /possible/, second, DOS seems to
    run fine.

    >>>QUESTION 2. AFAIK, the level1 and level2 caches clear upon a
    reboot, just like RAM does. I considered whether a batch file
    could alter properties of RAM and stay in it ANYWAY, but I do
    NOT believe that is possible. Also, there are NO RAM cleaning
    utilities on the Hiren's disk which would lead me to believe RAM
    is irrelevant as long as one reboots.

    >>>QUESTION 3. Since I wiped the CMOS/BIOS (I still do NOT
    understand the difference between them, although some people
    have tried to explain to me), and have restored (a few times)
    and then /written/ a new MBR, PLUS restored a perfect Acronis C:
    image, I have NO idea where this damn thing is living.

    I have the option of removing the CD burner, deleting all the
    root files on the /current/ booting 80GB drive ("drive Z") using
    XTreeGold, putting drive Z on the CD drive's IDE channel, and
    putting in my old 40GB ("drive X") on the other - booting - IDE
    channel. (I believe I don't have to physically move the Z drive,
    just deleting all c:\root files will make the machine boot from
    the X drive, but just in case...)

    BUT - since what is happening is quite inexplicable, I am afraid
    of contaminating my X drive. If the virus /is/ somewhere on the
    Z drive, and neither ESET nor AntiMalware can find it, I would
    imagine it is quite capable of infecting the X drive even if the
    computer boots from the X drive and the virus is somewhere on Z
    which one would /think/ would then just contain data - and a
    disabled OS (well, two disabled OS's 98SELite and XPSP3).

    Further infection /might not happen/ if I just use a LFN utility
    in DOS and copy stuff to the other HD, or copy to Flash drives
    using a DOS USB driver from Hiren's, but then again it MIGHT.
    IOW - ATM I am afraid to put the X drive on the other IDE
    channel or use Flash sticks.

    No one likes this kind of stuff, even I am no exception... I am
    VERY seriously considering running BeOS/Haiti or some Linux [for
    all internet access, but ultimately for everything, possibly]
    from a flash stick (fortunately, my BIOS allows booting from a
    USB device) but ATM I am not putting /anything/ in the possessed
    computer.

    [Although - apart from the indignity and misery of being screwed
    and humbled in my arrogance - I have really enjoyed being
    internet-free for a few days... Do y'all think internet use
    might be addictive? ;-#)

    (I spent an enjoyable 6 hours destroying a fourth old phone in
    two years while trying to fix it. Soldering isn't as easy at 55
    as it was at 25... But getting soldering iron /burns/ sure is...
    Fortunately I know about the "run for the freezer and press the
    burn against something at -18° Celsius" instant cure.)]

    But I digress...

    I have /heard/ of viruses which resulted in "the entire computer
    going in the trash" but I am not ready to accept that - although
    I might /have/ to accept it /eventually/.

    >>>QUESTION 4:

    IF the infected computer /is/ history, and I build a new one and
    using a Linux version which can read FAT32 Windows partitions,
    copy various standard format data from the infected HD into
    Linux - I am risk free, aren't I?

    I am sorry this was so long but I thought I might as well
    provide ALL the information I could think of.

    I am writing this on my trusty 1997-built PI 166MHz running 95B
    and sending it via a 33.6 modem.

    I will do some Googling and look around some security sites but
    I thought I might as well humbly ask for suggestions.

    IOW...

    P L E A S E H E L P!

    --
    You know, that viruses never really sleep
    And that hackers never blink their eyes
    And that, you know, cats are the only ones who blush
    And that the fuckin' web... is just to die
    - thanatoid (with /profound/ apologies to Lou Reed)
    thanatoid, Jul 28, 2010
    #1

  2. thanatoid <> pinched out a steaming pile of
    <Xns9DC3A257384F2thanexit@81.169.183.62>:

    > Well, it took almost 20 years but it finally happened. It's
    > amazing what a small batch file (maybe not so small - it has
    > vaporized... read on) can do.
    >
    > Those bored with my gargantuan posts can just skip over most of
    > it (please read the SUMMARY paragraphs), but I would really
    > appreciate specific answers to the four numbered questions, as
    > well as general advice. (My KF is disabled, so go for it,
    > denizens of aforementioned ;-)
    >
    > Using Compaq EVO-D510 SFF. One 80GB HD, one CD burner, a riser
    > card with two horizontal PCI slots, and (re: a post from a
    > couple of months ago) the Compaq BIOS does not allow for more
    > than one device per IDE channel, I checked - relevance below.
    >
    > I was running 98SELite, as always, using Opera, on two or three
    > sites requiring javascript etc. - otherwise I would have been
    > using OffByOne and this /probably/ would NOT have happened.
    >
    > The firewall was on, of course, but the ESET internet
    > monitor/file monitor were /not/, as I do not believe that is
    > REALLY necessary - I /may/ have to reconsider that position ;-[
    >
    > Script sentry was on, but it does nothing with batch files, just
    > scripts of all kinds. And it works great.
    >
    > >>>SUMMARY (2 paragraphs)
    >
    > So, everything was fine, when all of a sudden my mouse and
    > keyboard became possessed.
    >
    > Basically, it was like the left and right mouse buttons and Ctl
    > and Alt keys were being randomly activated, FAST. I turned off
    > the ADSL modem, and ran TaskInfo. There was a batch file in my
    > temp (either c:\temp or C:\win\temp) directory which was NOT
    > supposed to be there. It was running. I shut down the machine. I
    > can't remember the file's exact name, but it was short, 5 or so
    > letters, no weird numbers or figures.
    >
    > Boring (yet important if you don't want to ask about stuff I
    > *already DID*) details:
    >
    > When I restarted, the same thing was happening. (And it remains
    > the current situation, although one might say the virus is /less
    > active/ than it was (as if it had a built-in downward slope).
    > But the machine is unusable, plus, while the virus appears
    > fairly non-malignant, just annoying (ALL user control is NOT
    > affected, you just have to click and move the mouse a lot - and
    > fast, to get in between the virus activity bursts) - who knows
    > what it will do next? So far my data appears intact [AOT the
    > system] but FUD are definitely having a big party at the lair of
    > thanatoid at the moment.
    >
    > So after the reboot, I ran TaskInfo again - no batch file
    > running.
    >
    > I searched for batch files on the C: drive and only found the
    > few I wrote myself and have always had. /Nothing new./
    >
    > I ran Restoration (still the only undelete program that is not
    > 5-20 MB and actually works BETTER than any of /those/),
    > searching for a bat file, nothing. I thought the file might have
    > deleted itself after doing whatever it was supposed to do. It
    > must have, since it is NOWHERE to be found, deleted or present.
    >
    > I rebooted, deleted the swap file in DOS, and rebooted again.
    > Virus still active.
    >
    > I thought, OK, I'll reboot to XP - XP should be OK, right? Same
    > thing. Then I realized XP reads several files on C. Then I tried
    > to boot Damn Small Linux into memory, it would not (I /have/
    > successfully run it in the past).
    >
    > I went back to 98, and, since I just happened to update the ESET
    > NOD32 signatures a couple of hours earlier, I ran it. The virus
    > seemed to be paused by ESET running, but while ESET scans boot
    > sectors and all memory, as well as everything else, it found
    > nothing.
    >
    > I went back to XP and ran MalwareBytes Anti-Malware (or whatever
    > it's called - I only see 8.3 names now...) - nothing on either
    > C: or the XP partition. While running MBAM, virus activity
    > appeared to pause as well.
    >
    > To make a long story a /little/ shorter, I removed the battery,
    > cleared the CMOS (several times, different hard- and soft-
    > methods), first restored an old saved MBR, then (when that did
    > not help) created a new MBR, and finally restored an Acronis
    > image after moving current C: data to another partition.
    >
    > I should mention that the virus /appears/ inactive in DOS. Well,
    > who knows - but nothing weird /seems/ to be happening AFAICT.
    >
    > Well, when the restored Acronis image (which I believe contains
    > the MBR in the first sector - I am extremely ignorant about some
    > basics) exhibited exactly the same behavior, I started thinking
    > WHAT the damn thing could have infected ELSEWHERE than the HD...
    > Unless it is hidden /somewhere/ and fucks up the MBR every time
    > I boot - I don't know much about viruses and what they are
    > capable of.
    >
    > I tried Damn Small Linux again - this time it DID boot and ran
    > in memory...
    >
    > Get ready for this...
    >
    > Sigh...
    >
    > DSL /appeared to exhibit/ - although to a CONSIDERABLY smaller
    > degree - a little of the SAME behavior - a DOS-like window
    > (whatever they're called in Linux) would highlight some lines of
    > the window depending on mouse movement, and I /think/ a menu or
    > two popped up without any clicking on my part. And the mouse
    > appeared to be malfunctioning. (OTOH, having only run DSL a
    > couple of times before, and for a VERY short period of time, and
    > already being in a somewhat altered state of mind, my perception
    > /may/ have been mistaken - I don't know.)
    >
    > So...
    >
    > Having never had to deal with this kind of thing before (I got a
    > virus in a POP email once, but it could not do anything, maybe
    > because I had all scripting disabled at the time - it was hell
    > to remove though), I thought the following:
    >
    > >>>QUESTION 1. It could not have messed up the processor -
    > first, I do not believe that is /possible/, second, DOS seems to
    > run fine.
    >
    > >>>QUESTION 2. AFAIK, the level1 and level2 caches clear upon a
    > reboot, just like RAM does. I considered whether a batch file
    > could alter properties of RAM and stay in it ANYWAY, but I do
    > NOT believe that is possible. Also, there are NO RAM cleaning
    > utilities on the Hiren's disk which would lead me to believe RAM
    > is irrelevant as long as one reboots.
    >
    > >>>QUESTION 3. Since I wiped the CMOS/BIOS (I still do NOT
    > understand the difference between them, although some people
    > have tried to explain to me), and have restored (a few times)
    > and then /written/ a new MBR, PLUS restored a perfect Acronis C:
    > image, I have NO idea where this damn thing is living.
    >
    > I have the option of removing the CD burner, deleting all the
    > root files on the /current/ booting 80GB drive ("drive Z") using
    > XTreeGold, putting drive Z on the CD drive's IDE channel, and
    > putting in my old 40GB ("drive X") on the other - booting - IDE
    > channel. (I believe I don't have to physically move the Z drive,
    > just deleting all c:\root files will make the machine boot from
    > the X drive, but just in case...)
    >
    > BUT - since what is happening is quite inexplicable, I am afraid
    > of contaminating my X drive. If the virus /is/ somewhere on the
    > Z drive, and neither ESET nor AntiMalware can find it, I would
    > imagine it is quite capable of infecting the X drive even if the
    > computer boots from the X drive and the virus is somewhere on Z
    > which one would /think/ would then just contain data - and a
    > disabled OS (well, two disabled OS's 98SELite and XPSP3).
    >
    > Further infection /might not happen/ if I just use a LFN utility
    > in DOS and copy stuff to the other HD, or copy to Flash drives
    > using a DOS USB driver from Hiren's, but then again it MIGHT.
    > IOW - ATM I am afraid to put the X drive on the other IDE
    > channel or use Flash sticks.
    >
    > No one likes this kind of stuff, even I am no exception... I am
    > VERY seriously considering running BeOS/Haiti or some Linux [for
    > all internet access, but ultimately for everything, possibly]
    > from a flash stick (fortunately, my BIOS allows booting from a
    > USB device) but ATM I am not putting /anything/ in the possessed
    > computer.
    >
    > [Although - apart from the indignity and misery of being screwed
    > and humbled in my arrogance - I have really enjoyed being
    > internet-free for a few days... Do y'all think internet use
    > might be addictive? ;-#)
    >
    > (I spent an enjoyable 6 hours destroying a fourth old phone in
    > two years while trying to fix it. Soldering isn't as easy at 55
    > as it was at 25... But getting soldering iron /burns/ sure is...
    > Fortunately I know about the "run for the freezer and press the
    > burn against something at -18° Celsius" instant cure.)]
    >
    > But I digress...
    >
    > I have /heard/ of viruses which resulted in "the entire computer
    > going in the trash" but I am not ready to accept that - although
    > I might /have/ to accept it /eventually/.
    >
    > >>>QUESTION 4:
    >
    > IF the infected computer /is/ history, and I build a new one and
    > using a Linux version which can read FAT32 Windows partitions,
    > copy various standard format data from the infected HD into
    > Linux - I am risk free, aren't I?
    >
    > I am sorry this was so long but I thought I might as well
    > provide ALL the information I could think of.
    >
    > I am writing this on my trusty 1997-built PI 166MHz running 95B
    > and sending it via a 33.6 modem.
    >
    > I will do some Googling and look around some security sites but
    > I thought I might as well humbly ask for suggestions.
    >
    > IOW...
    >
    > P L E A S E H E L P!
    >
    >

    <Nelson Muntz voice mode>

    HA HA!

    Run linux from a usb stick without the hdd hooked up and see if the
    crazy stuff still happens.

    That should give yu som klewz.

    ^_^
    --
    http://www.youtube.com/watch?v=COaoYqkpkUA
    cageprisoners.com|www.snuhwolf.9f.com|www.eyeonpalin.org
    _____ ____ ____ __ /\_/\ __ _ ______ _____
    / __/ |/ / / / / // // . . \\ \ |\ | / __ \ \ \ __\
    _\ \/ / /_/ / _ / \ / \ \| \| \ \_\ \ \__\ _\
    /___/_/|_/\____/_//_/ \_@_/ \__|\__|\____/\____\_\
    §ñühw¤£f, Jul 29, 2010
    #2

  3. thanatoid

    thanatoid Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    Steve <> wrote in
    news::

    > In article <Xns9DC3A257384F2thanexit@81.169.183.62>,
    > lid says...
    > <snip>
    >>
    >> IOW...
    >>
    >> P L E A S E H E L P!

    >
    > Is your mouse usb or ps2?
    >
    > Is your keyboard usb or ps2?


    Both ps2. It's a 2003(IIRC) model. I use an old clicky keyboard
    and an equally old rubber wheel mouse.


    --
    You know, that viruses never really sleep
    And that hackers never blink their eyes
    And that, you know, cats are the only ones who blush
    And that the fuckin' web... is just to die
    - thanatoid (with /profound/ apologies to Lou Reed)
    thanatoid, Jul 29, 2010
    #3
  4. thanatoid

    thanatoid Guest

    §ñühw¤£f <> wrote in
    news:i2r3jp$1o6$-september.org:

    > <Nelson Muntz voice mode>
    >
    > HA HA!
    >
    > Run linux from a usb stick without the hdd hooked up and
    > see if the crazy stuff still happens.
    >
    > That should give yu som klewz.


    I /knew/ something was NOT going to occur to me...

    No - actually it DID, but IIRC the machine "says no HD found"
    and won't boot further, so I didn't try it, also not having a
    way to put Linux on a USB (this machine does not have USB
    working - and it would be more trouble to get it to work than to
    build a new computer).

    But if the USB stick is PREVIOUS to the HD in "boot order", then
    it SHOULD boot, right? Now I only have to wait for the 3 days it
    will take me to DL a Linux distro via a 33.6 modem... JK... I
    know one person who will let me DL/install to USB at his place.

    You /don't/ believe I will be throwing the USB stick in the
    trash, apparently? Please confirm.

    --
    You know, that viruses never really sleep
    And that hackers never blink their eyes
    And that, you know, cats are the only ones who blush
    And that the fuckin' web... is just to die
    - thanatoid (with /profound/ apologies to Lou Reed)
    thanatoid, Jul 29, 2010
    #4
  5. thanatoid

    thanatoid Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    Steve <> wrote in
    news::

    > In article <Xns9DC4109D58A7Dthanexit@81.169.183.62>,
    > lid says...
    >>
    >> Steve <> wrote in
    >> news::
    >>
    >> > In article <Xns9DC3A257384F2thanexit@81.169.183.62>,
    >> > lid says...
    >> > <snip>
    >> >>
    >> >> IOW...
    >> >>
    >> >> P L E A S E H E L P!
    >> >
    >> > Is your mouse usb or ps2?
    >> >
    >> > Is your keyboard usb or ps2?

    >>
    >> Both ps2. It's a 2003(IIRC) model. I use an old clicky
    >> keyboard and an equally old rubber wheel mouse.

    >
    > Ok, as snuh suggested, disconnect the hard drive and boot a
    > linux distro from a cd or flash drive. Problem is, if I
    > remember correctly, those PCs got part of their boot
    > program off of a hidden partition on the hard drive. Guess
    > where I suspect your virus to be hiding.


    I am using a HD I put in myself - it was bought used, checked
    (took 45 minutes) with a factory cert. software (rated factory
    fresh), and I partitioned and formatted it myself. So I don't
    /think/ there are no hidden partitions (just 11 regular ones)
    UNLESS the BIOS created one upon the first reboot after
    partitioning/formatting.

    [I HATE brand name machines... but I had NO other option... I
    was lucky to find this used EVO... and *only* at triple the
    price it was selling for in the US the /very same day/...]

    Hmmm... I DO sort of remember reading about that... Again -
    UNLESS the BIOS /creates/ a hidden partition on **any new
    drive** /without the innocent user being aware of it/...

    But if the drive is NEW, ***NOT*** the one that came with the
    machine, how could the BIOS - part of which is ON the original
    factory installed HD - boot **without access** to the then-
    nonexistent "hidden partition"? Chicken-egg thing...

    > Linux doesn't pay much attention to the bios so you should
    > be able to get around the no hard drive problem.


    Actually, there /is/ a weird BIOS setting and it is suggested it
    be changed if using non-Windows OS's, specifically Linux or
    Unix. I have not messed with it, since so far I have only run
    DSL in/from memory...

    I really appreciate your help and still being awake - wherever
    you are...

    I'll try it, but first:

    Can you please confirm that IYO there is NO way the damn thing
    can be anywhere BUT the hard drive? I am afraid of infecting the
    USB stick - it's only ten bucks, but still...

    Also... if the hidden partition exists - and I am willing to
    accept that in SOME bizarre manner it does - is there any way to
    *see* it and destroy it? Like with some program of the kind you
    find on Hiren's buoottsavers?


    --
    You know, that viruses never really sleep
    And that hackers never blink their eyes
    And that, you know, cats are the only ones who blush
    And that the fuckin' web... is just to die
    - thanatoid (with /profound/ apologies to Lou Reed)
    thanatoid, Jul 29, 2010
    #5
  6. thanatoid

    Meat Plow Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    On Wed, 28 Jul 2010 20:11:02 -0700, Steve wrote:

    > In article <Xns9DC3A257384F2thanexit@81.169.183.62>,
    > lid says...
    > <snip>
    >>
    >> IOW...
    >>
    >> P L E A S E H E L P!

    >
    > Is your mouse usb or ps2?
    >
    > Is your keyboard usb or ps2?


    I doubt he has a mouse.
    Meat Plow, Jul 29, 2010
    #6
  7. thanatoid

    Peter Foldes Guest

    Peter Foldes, Jul 29, 2010
    #7
  8. thanatoid

    Mike Easter Guest

    thanatoid wrote:

    > DSL /appeared to exhibit/ - although to a CONSIDERABLY smaller
    > degree - a little of the SAME behavior


    I don't believe this part of the report is correct. That is, you need
    to boot DSL off the CD again to see for yourself.

    > - a DOS-like window
    > (whatever they're called in Linux) would highlight some lines of
    > the window depending on mouse movement, and I /think/ a menu or
    > two popped up without any clicking on my part. And the mouse
    > appeared to be malfunctioning. (OTOH, having only run DSL a
    > couple of times before, and for a VERY short period of time, and
    > already being in a somewhat altered state of mind, my perception
    > /may/ have been mistaken - I don't know.)


    I believe that your perception was faulty.

    > >>>QUESTION 1. It could not have messed up the processor -
    > first, I do not believe that is /possible/, second, DOS seems to
    > run fine.


    Malware needs to have an OS to run, such as XP or Win9x.

    > >>>QUESTION 2. AFAIK, the level1 and level2 caches clear upon a
    > reboot, just like RAM does. I considered whether a batch file
    > could alter properties of RAM and stay in it ANYWAY, but I do
    > NOT believe that is possible. Also, there are NO RAM cleaning
    > utilities on the Hiren's disk which would lead me to believe RAM
    > is irrelevant as long as one reboots.


    Correct.

    > >>>QUESTION 3. Since I wiped the CMOS/BIOS (I still do NOT
    > understand the difference between them, although some people
    > have tried to explain to me), and have restored (a few times)
    > and then /written/ a new MBR, PLUS restored a perfect Acronis C:
    > image, I have NO idea where this damn thing is living.


    If it is bootsector, there is 'room' in the bootsector separate from the
    MBR. Most MBR restorers do not zero the entire bootsector; in fact,
    hardly any do that. In order to zero the bootsector, you need to
    specifically and consciously do that under 'direct observation'.

    > I have the option of removing the CD burner, deleting all the
    > root files on the /current/ booting 80GB drive ("drive Z") using
    > XTreeGold, putting drive Z on the CD drive's IDE channel, and
    > putting in my old 40GB ("drive X") on the other - booting - IDE
    > channel. (I believe I don't have to physically move the Z drive,
    > just deleting all c:\root files will make the machine boot from
    > the X drive, but just in case...)


    Instead of doing that, I would use the CD to boot an OS to clean things
    up. You should prove to your mental satisfaction that DSL works
    perfectly fine and you can boot up a Hiren's and do a lot.

    > BUT - since what is happening is quite inexplicable, I am afraid
    > of contaminating my X drive. If the virus /is/ somewhere on the
    > Z drive, and neither ESET nor AntiMalware can find it, I would
    > imagine it is quite capable of infecting the X drive even if the
    > computer boots from the X drive and the virus is somewhere on Z
    > which one would /think/ would then just contain data - and a
    > disabled OS (well, two disabled OS's 98SELite and XPSP3).


    I don't know what your X and Z drives are.

    > >>>QUESTION 4:
    >
    > IF the infected computer /is/ history, and I build a new one and
    > using a Linux version which can read FAT32 Windows partitions,
    > copy various standard format data from the infected HD into
    > Linux - I am risk free, aren't I?


    Don't forget how many different forms Win executables can take; here's a
    list of 45 from A to X
    http://antivirus.about.com/od/securitytips/a/fileextview.htm Executable
    file extensions

    Use a CD to boot, demonstrate to your satisfaction that DSL and Hiren's
    can work, format the HDD, zero the boot sector (by visually examining
    the boot sector's bits with a Hiren's tool), make a brand new boot
    sector, and install the OSes of your choice.


    --
    Mike Easter
    Mike Easter, Jul 29, 2010
    #8
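
Added example, not part of any post in this thread: the reply above separates the MBR from the remaining space ahead of the first partition, and an earlier post asks whether a hidden partition can be seen. This Python sketch audits a raw disk image for both: it lists primary partition entries, flags hidden or vendor type bytes such as 0x12 (Compaq diagnostics), and reports non-zero sectors between the MBR and the first partition. It assumes 512-byte sectors and a classic MBR layout; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446        # the partition table starts here inside sector 0
DEFAULT_FIRST_LBA = 63    # assumption: classic CHS-aligned first partition

# Type bytes for hidden FAT/NTFS variants plus 0x12 (Compaq diagnostics).
# Partial list chosen for this example.
HIDDEN_TYPES = {0x11, 0x12, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}


def parse_mbr(sector0: bytes) -> dict:
    """Decode the four primary partition entries of an MBR sector.

    Logical drives inside an extended partition (types 0x05/0x0F) are
    not walked here; only the primary table is read.
    """
    if len(sector0) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    partitions = []
    for slot in range(4):
        start = TABLE_OFFSET + 16 * slot
        status, _, ptype, _, lba, count = struct.unpack(
            "<B3sB3sII", sector0[start:start + 16])
        if ptype == 0x00:          # unused slot
            continue
        partitions.append({
            "slot": slot,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "hidden": ptype in HIDDEN_TYPES,
        })
    return {
        "signature_ok": sector0[510:512] == b"\x55\xaa",
        "partitions": partitions,
    }


def audit_boot_track(image: bytes) -> dict:
    """Report partition entries and any non-zero sector after the MBR
    and before the first partition (the area an MBR rewrite leaves alone)."""
    mbr = parse_mbr(image[:SECTOR])
    starts = [p["lba_start"] for p in mbr["partitions"] if p["lba_start"] > 0]
    gap_end = min(starts) if starts else DEFAULT_FIRST_LBA
    gap_end = min(gap_end, len(image) // SECTOR)   # stay inside the image
    nonzero = [
        lba for lba in range(1, gap_end)
        if any(image[lba * SECTOR:(lba + 1) * SECTOR])
    ]
    return {
        "signature_ok": mbr["signature_ok"],
        "partitions": mbr["partitions"],
        "gap": (1, gap_end - 1),
        "nonzero_gap_sectors": nonzero,
    }


def build_sample_image() -> bytes:
    """Constructed 64-sector image: one FAT32 entry at LBA 63, one
    type-0x12 entry, and four stray bytes planted in sector 5."""
    img = bytearray(SECTOR * 64)

    def entry(status, ptype, lba, count):
        return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype,
                           b"\0\0\0", lba, count)

    img[446:462] = entry(0x80, 0x0B, 63, 2048)
    img[462:478] = entry(0x00, 0x12, 2111, 1024)
    img[510:512] = b"\x55\xaa"
    img[5 * SECTOR:5 * SECTOR + 4] = b"\xde\xad\xbe\xef"
    return bytes(img)


if __name__ == "__main__":
    report = audit_boot_track(build_sample_image())
    print("boot signature valid:", report["signature_ok"])
    for p in report["partitions"]:
        flag = " (hidden/vendor type)" if p["hidden"] else ""
        print(f"slot {p['slot']}: type 0x{p['type']:02X} "
              f"start LBA {p['lba_start']} size {p['sectors']}{flag}")
    print("sectors checked:", report["gap"])
    print("non-zero sectors in gap:", report["nonzero_gap_sectors"])
```

For a real disk, feed it an image of the first 64 sectors taken while booted from read-only media, so the installed OS is not running during the read.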
  9. thanatoid

    thanatoid Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    "Peter Foldes" <> wrote in
    news:i2rpuh$k99$:

    > multiposted crap. Post the problem instead of the novel
    > Read the following
    >
    > http://www.blakjak.demon.co.uk/mul_crss.htm


    Top posted crap.

    eternalseptember won't let me crosspost. I've tried twice in the
    past and could not, so I didn't bother trying this time.

    4 groups! Please come over and just kill me!!!

    Now, about my problem... I POSTED the problem with *all the
    details* to avoid wasting YOUR and everyone else's time with
    posts ASKING FOR THOSE DETAILS and for what I did or did not do
    to try and fix the problem.

    If you are too lazy to read a comprehensive post, I suggest you
    go back to watching the Simpsons reruns.

    And if you can't or won't help, please don't bother with top-
    posted attacks EITHER.

    Thank you and have a nice computer.


    --
    You know, that viruses never really sleep
    And that hackers never blink their eyes
    And that, you know, cats are the only ones who blush
    And that the fuckin' web... is just to die
    - thanatoid (with /profound/ apologies to Lou Reed)
    thanatoid, Jul 29, 2010
    #9
  10. thanatoid

    Jordon Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    thanatoid wrote:
    > "Peter Foldes"<> wrote in
    > news:i2rpuh$k99$:
    >
    >> multiposted crap. Post the problem instead of the novel
    >> Read the following
    >>
    >> http://www.blakjak.demon.co.uk/mul_crss.htm

    >
    > Top posted crap.
    >
    > eternalseptember won't let me crosspost. I've tried twice in the
    > past and could not, so I didn't bother trying this time.
    >
    > 4 groups! Please come over and just kill me!!!
    >
    > Now, about my problem... I POSTED the problem with *all the
    > details* to avoid wasting YOUR and everyone else's time with
    > posts ASKING FOR THOSE DETAILS and for what I did or did not do
    > to try and fix the problem.
    >
    > If you are too lazy to read a comprehensive post, I suggest you
    > go back to watching the Simpsons reruns.
    >
    > And if you can't or won't help, please don't bother with top-
    > posted attacks EITHER.


    PF is one taco short of a combo plate.
    Jordon, Jul 29, 2010
    #10
  11. thanatoid

    thanatoid Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    Mike Easter <> wrote in
    news::

    > thanatoid wrote:
    >
    >> DSL /appeared to exhibit/ - although to a CONSIDERABLY
    >> smaller degree - a little of the SAME behavior

    >
    > I don't believe this part of the report is correct. That
    > is, you need to boot DSL off the CD again to see for
    > yourself.


    Yes, I think it was the panic of the moment...

    <SNIP>

    >> VERY short period of time, and already being in a somewhat
    >> altered state of mind, my perception /may/ have been
    >> mistaken - I don't know.)

    >
    > I believe that your perception was faulty.


    Ditto.

    >>>>> QUESTION 1. It could not have messed up the processor -

    >> first, I do not believe that is /possible/, second, DOS
    >> seems to run fine.

    >
    > Malware needs to have a OS to run, such as XP or Win9x.


    First of all, thank you VERY much for actually being helpful
    instead of complaining about multi-posting to 4 groups
    (explained and apologized for many times elsewhere already).

    OK - so there is NO way it has invaded ANY OTHER part of the
    computer except the HD?

    What about the BIOS? (I did remove the battery, but only for
    about 3 minutes IIRC - I just read today one should remove it
    for 15 minutes - and I cleared the BIOS both by pressing the
    button on top (as per Compaq EVO manual) /and/ by using a debug
    routine from Hiren's AND by restoring an old BIOS - several
    times.

    Z and X are:
    Simple code used to identify the 80GB drive IN the computer (Z)
    and the original 40GB drive which I can use for rescue (X).

    I don't want to wipe 80GB's of data on Z - but I have another
    HD, the one that came with the machine (X drive), and can use
    that to copy stuff using DOS from the other HD (Z).

    PERHAPS I can actually use Windows? The infected Z drive will
    not be the boot drive NOR be running the OS - the X drive will -
    so I would think Z would just become a "dead with data"
    drive...?

    Using a LFN DOS utility for the /first time ever/ - on 70 GB's
    of data - /is/ something I would rather avoid...

    So, if I boot from the 40GB hard drive (X) after wiping
    everything in the root of the infected HD (Z), then there is NO
    WAY that the virus will infect the booting X drive?

    Or should I stay in DOS to be safe?

    Or no problem using Windows if I first use PTEDIT to zero the
    whole first sector (I can even format the C: drive, there is no
    /data/ on it, just the OS/software, all the data is on the other
    10 partitions) and then fdisk /mbr?

    I just need a yes or no to those questions, I hope I have
    clarified it now - as much as I am capable of clarifying
    anything...

    <SNIP>

    >> but I do NOT believe that is possible. Also, there are NO
    >> RAM cleaning utilities on the Hiren's disk which would
    >> lead me to believe RAM is irrelevant as long as one
    >> reboots.

    >
    > Correct.


    Thank you.

    >>>>> QUESTION 3. Since I wiped the CMOS/BIOS (I still do NOT

    >> understand the difference between them, although some
    >> people have tried to explain to me), and have restored (a
    >> few times) and then /written/ a new MBR, PLUS restored a
    >> perfect Acronis C: image, I have NO idea where this damn
    >> thing is living.

    >
    > If it is bootsector, there is 'room' in the bootsector
    > separate from the MBR. Most MBR restorers do not zero the
    > entire bootsector; in fact, hardly any do that. In order
    > to zero the bootsector, you need to specifically and
    > consciously do that under 'direct observation'.


    Can you clarify what that means, or comment on the next
    paragraph OR point me to a utility which /will/ wipe the ENTIRE
    first sector, I believe AKA bootsector?

    Is Symantec's PTEDIT32 the one to use? I believe it is on
    Hiren's, and I also just DL'd it. Hiren's has both versions I
    think - I'm not sure if the 32 version will run in DOS... even
    the Win98 DOS...

    I am not sure HOW to fill the first sector with zeros using
    PTEDIT, but hopefully I will figure it out, find instructions,
    or the 'help' section may actually have the info...

    >> I have the option of removing the CD burner, deleting all
    >> the root files on the /current/ booting 80GB drive ("drive
    >> Z") using XTreeGold, putting drive Z on the CD drive's IDE
    >> channel, and putting in my old 40GB ("drive X") on the
    >> other - booting - IDE channel. (I believe I don't have to
    >> physically move the Z drive, just deleting all c:\root
    >> files will make the machine boot from the X drive, but
    >> just in case...)

    >
    > Instead of doing that, I would use the CD to boot an OS to
    > clean things up. You should prove to your mental
    > satisfaction that DSL works perfectly fine and you can boot
    > up a Hiren's and do a lot.


    OK - as above - can I just put in the X drive where the CD
    burner usually sits and boot from IT (X) after wiping the entire
    root of c: on the infected Z drive?

    If I do that, there is NO WAY the X drive will get infected?

    I can't clean up anything with DSL since it runs from the CD in
    memory and does not even know the HD exists, let alone see
    Windows partitions.

    I just DL'd Mint9 (I could NOT connect to puppylinux from my
    friend's computer) and "burned" the ISO to a flash stick but I
    am not sure it will actually boot. (I thought I'd look at the
    NG's first... I will send this and other replies and then try
    it...)

    >> BUT - since what is happening is quite inexplicable, I am
    >> afraid of contaminating my X drive. If the virus /is/
    >> somewhere on the Z drive, and neither ESET nor AntiMalware
    >> can find it, I would imagine it is quite capable of
    >> infecting the X drive even if the computer boots from the
    >> X drive and the virus is somewhere on Z which one would
    >> /think/ would then just contain data - and a disabled OS
    >> (well, two disabled OS's 98SELite and XPSP3).

    >
    > I don't know what your X and Z drives are.


    As above, Z and X are:
    Simple code used to identify the 80GB drive IN the computer (Z)
    and the original 40GB drive which I can use for rescue (X).

    >>>>> QUESTION 4:

    >> IF the infected computer /is/ history, and I build a new
    >> one and using a Linux version which can read FAT32 Windows
    >> partitions, copy various standard format data from the
    >> infected HD into Linux - I am risk free, aren't I?

    >
    > Don't forget how many different forms Win executables can
    > take; here's a list of 45 from A to X
    > http://antivirus.about.com/od/securitytips/a/fileextview.htm
    > Executable file extensions


    I realize there are many. I have had all extensions enabled ever
    since MS made hiding them the default, and I have Total
    Commander set to show /all/ files. It was just a bat file that
    did whatever - it MAY have created something else that now lives
    somewhere else and has one of the 45 (or more?) extensions.

    > Use a CD to boot, demonstrate to your satisfaction that DSL
    > and Hiren's can work, format the HDD, zero the boot sector
    > (by visually examining the boot sector's bits with a
    > Hiren's tool), make a brand new boot sector, and install
    > the OSes of your choice.


    Hiren's DOES work fine, as does DOS (via F5) with the infected
    drive. DSL running in memory can't see or access the HD so it's
    not of much use. But I will run it again just to make sure it
    behaves normally.

    I'm really sorry to be a drag and repeat the question a third
    time - but since I do have another working drive (X), can I just
    make that bootable and copy and backup stuff and THEN zero the
    boot sector, format the whole drive, then fdisk it and partition
    it and THEN restore the good Acronis image (etc.)? Or, as above,
    should I zero the infected drive's bootsector before accessing
    it - /JUST IN CASE/?

    That would be a LOT simpler/more acceptable than either trying
    to run Linux from a Flash stick or destroying over 70 GB of
    data. Once I have the system working, I can make the Mint OR DSL
    on the flash stick bootable somehow, if it isn't already.

    Thanks again for your help and patience, /very much/.

    [I apologize for the repetitions and the info being mixed up - I
    was replying to your various statements at various points/times,
    so this is not a progressively logical (logically progressive?)
    post.]
    thanatoid, Jul 30, 2010
    #11
  12. thanatoid

    Mike Easter Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    thanatoid wrote:
    > Mike Easter


    > First of all, thank you VERY much for actually being helpful
    > instead of complaining about multi-posting to 4 groups


    I didn't see anything other than the 24hshd post.

    > OK - so there is NO way it has invaded ANY OTHER part of the
    > computer except the HD?


    The only way some data can 'travel' from one hdd to another is if the
    two drives are networked insecurely, such as shared and without a pw.
    Naturally it is generally easier to pass from one partition to another
    as they are generally insecurely shared, especially on a Win98 system.

    In order for the network example to work, there needs to be an
    operational operating system running which is configured to insecurely
    network the drives during infection.

    > What about the BIOS?


    It is not practical for something to try to write to the bios. Generally
    the only bios malware is designed to (simply) kill the bios. The only
    (real) kinds of bios malware which are written much about are laboratory
    experimental proof of concept and killers.

    For those who are paranoid about bios security, some bios can be passworded.

    Your bios has some security features, seen in this table/page about the
    3 types of EVO 510

    http://h18000.www1.hp.com/products/quickspecs/11349_div/11349_div.html
    Compaq Evo D500 Desktop Series Evo D510

    > (I did remove the battery, but only for
    > about 3 minutes IIRC - I just read today one should remove it
    > for 15 minutes - and I cleared the BIOS both by pressing the
    > button on top (as per Compaq EVO manual) /and/ by using a debug
    > routine from Hiren's AND by restoring an old BIOS - several
    > times.


    You are more worried about the bios than I would be.

    > Z and X are:
    > Simple code used to identify the 80GB drive IN the computer (Z)
    > and the original 40GB drive which I can use for rescue (X).
    >
    > I don't want to wipe 80GB's of data on Z - but I have another
    > HD, the one that came with the machine (X drive), and can use
    > that to copy stuff using DOS from the other HD (Z).


    Yabbut presumably we are talking about the 80G Z and the 40G X as being
    physically separate hdd/s from whatever is the C drive which we are
    targeting to format and also zero the boot sector, correct?

    Oops. I changed my mind about that presumption; I now think Z and C are
    both on the same 80G drive.

    > PERHAPS I can actually use Windows? The infected Z drive will
    > not be the boot drive NOR be running the OS - the X drive will -
    > so I would think Z would just become a "dead with data"
    > drive...?


    See, I still need a 'picture' of which hdd is which. I want to talk
    about what is a separate physical hdd and what is a partition on which
    physical hdd. I don't have that picture yet from your Z and X
    terminology. I use letters for partitions and usually numbers for
    physical drives. You need to explain it differently than you have so
    far because you are worried about spreading an infection.

    > Using a LFN DOS utility for the /first time ever/ - on 70 GB's
    > of data - /is/ something I would rather avoid...
    >
    > So, if I boot from the 40GB hard drive (X) after wiping
    > everything in the root of the infected HD (Z), then there is NO
    > WAY that the virus will infect the booting X drive?
    >
    > Or should I stay in DOS to be safe?
    >
    > Or no problem using Windows if I first use PTEDIT to zero the
    > whole first sector (I can even format the C: drive, there is no
    > /data/ on it, just the OS/software, all the data is on the other
    > 10 partitions) and then fdisk /mbr?


    Even tho' I don't completely get it yet, I am sensing that the current
    mainly infected C partition is on the 80G physical drive and that drive
    has a lot of partitions. I suspect that all or almost all of those
    partitions were for data and that they were not secure from sharing by
    the Win98 that we are convinced is infected.

    > I just need a yes or no to those questions, I hope I have
    > clarified it now - as much as I am capable of clarifying
    > anything...


    I'm not 100% ready to yes or no until I understand what is potentially
    infected on the 80G drive that I will consider the first physical hdd,
    call it 0 or call it 1.

    >> If it is bootsector, there is 'room' in the bootsector
    >> separate from the MBR. Most MBR restorers do not zero the
    >> entire bootsector; in fact, hardly any do that. In order
    >> to zero the bootsector, you need to specifically and
    >> consciously do that under 'direct observation'.

    >
    > Can you clarify what that means, or comment on the next
    > paragraph OR point me to a utility which /will/ wipe the ENTIRE
    > first sector, I believe AKA bootsector?


    This is the drive with the many partitions if I'm understanding correctly.

    The MBR is 512 bytes before the first partition. If that hdd was
    configured to multiboot XP and W98 and also contain numerous extended
    partitions the information about how that is set up is also in the MBR.

    The MBR has to know where the active partition is. I presume that you
    created this XP/Win9x by using the XP disk with an existing W9x install.

    But I don't want to presume too much.

    When I was thinking about zeroing the MBR I wasn't thinking about all of
    these numerous partitions.

    I'm going to get to the questions I snipped below after you confirm that
    in fact the genuinely infected Win9x partition is the first of many
    partitions on this 80G hdd which has a lot of partitions some of which
    are just data and at least one of which can boot an XP OS.



    --
    Mike Easter
    Mike Easter, Jul 30, 2010
    #12
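An added example, not from any poster in the thread: the layout of sector 0 described in the post above (boot code, four partition entries, signature) parsed from a 512-byte dump, with a comparison that shows which region a repair actually changed. The function names and the sample sector are constructed for illustration; a real dump would be read from a file saved by a disk tool.

```python
import hashlib
import struct

SECTOR = 512
CODE_END = 446    # bytes 0..445: boot code
TABLE_END = 510   # bytes 446..509: four 16-byte partition entries
TYPES = {0x05: "extended", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
         0x0F: "extended LBA", 0x83: "Linux"}


def parse_mbr(sector):
    """Split one 512-byte dump of sector 0 into its three regions."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    entries = []
    for slot in range(4):
        raw = sector[CODE_END + 16 * slot: CODE_END + 16 * (slot + 1)]
        # status, (CHS start skipped), type, (CHS end skipped), first LBA, length
        status, ptype, first_lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype == 0:
            continue  # unused slot
        entries.append({
            "slot": slot,
            "active": status == 0x80,
            "type": ptype,
            "type_name": TYPES.get(ptype, "unknown"),
            "first_lba": first_lba,
            "sectors": count,
        })
    code = sector[:CODE_END]
    return {
        "boot_code_sha256": hashlib.sha256(code).hexdigest(),
        "boot_code_nonzero": sum(1 for b in code if b),
        "entries": entries,
        "signature_ok": sector[TABLE_END:] == b"\x55\xaa",
    }


def gap_after_mbr(parsed):
    """Sectors after sector 0 that lie before the first partition."""
    starts = [e["first_lba"] for e in parsed["entries"]]
    return min(starts) - 1 if starts else None


def changed_regions(before, after):
    """Name the regions of sector 0 that differ between two dumps."""
    regions = [("boot_code", 0, CODE_END),
               ("partition_table", CODE_END, TABLE_END),
               ("signature", TABLE_END, SECTOR)]
    return [name for name, lo, hi in regions if before[lo:hi] != after[lo:hi]]


def make_entry(status, ptype, first_lba, count):
    return struct.pack("<B3xB3xII", status, ptype, first_lba, count)


def build_sample():
    """Constructed sector: active FAT32 primary at LBA 63 plus an extended partition."""
    code = bytes((i * 7 + 3) % 256 for i in range(CODE_END))  # stand-in boot code
    table = (make_entry(0x80, 0x0B, 63, 4_192_902)
             + make_entry(0x00, 0x0F, 4_192_965, 152_087_355)
             + bytes(32))
    return code + table + b"\x55\xaa"


def rewrite_boot_code_only(sector):
    """Model a repair that replaces the boot code and leaves the rest alone."""
    return bytes(b ^ 0xFF for b in sector[:CODE_END]) + sector[CODE_END:]


SAMPLE = build_sample()

if __name__ == "__main__":
    info = parse_mbr(SAMPLE)
    for e in info["entries"]:
        print(e)
    print("gap sectors after MBR:", gap_after_mbr(info))
    print("boot-code-only repair changed:",
          changed_regions(SAMPLE, rewrite_boot_code_only(SAMPLE)))
    print("full zero changed:", changed_regions(SAMPLE, bytes(SECTOR)))
```

Comparing a dump taken before a repair with one taken after shows whether the tool touched only the boot code or the whole sector; the gap figure is the area outside every partition that neither a partition restore nor a boot-code rewrite covers.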
  13. thanatoid

    Mike Easter Guest

    thanatoid wrote:

    > I thought, OK, I'll reboot to XP - XP should be OK, right? Same
    > thing. Then I realized XP reads several files on C.


    I don't know how you boot into XP but I wouldn't think it would have
    anything to do with the other bootable partition.

    I have one rig that multiboots Win2K and XP and a linux distro.

    The install was Win2k then XP (using Win's bootloader) then the linux
    distro which installed grub. So on boot, the boot manager you see is
    grub with an entry to the win bootloader. If you choose to go that way,
    then the win boot loader shows you the W2k and the XP.

    With that system, whenever I boot into either Win2K or XP, I can see the
    other win partition. In the past, I'm accustomed to one bootable
    partition being hidden from the other bootable partition, so that is why
    I am assuming that your W98 and XP partitions can't see each other.

    That's the reason I bring up the observations with my 2k, xp, linux
    system - to ask the question of whether your w98 and xp partitions are
    'exposed' to each other or not.

    > first restored an old saved MBR,


    That seems like it should solve a problem of infection in the MBR.

    > then (when that did
    > not help) created a new MBR,


    I don't know exactly how that works.

    > and finally restored an Acronis
    > image after moving current C: data to another partition.


    That also sounds like a good plan.

    > Well, when the restored Acronis image (which I believe contains
    > the MBR in the first sector


    No I don't believe so. I believe the Acronis image is an image of the
    *partition* which image is *not* the MBR.




    --
    Mike Easter
    Mike Easter, Jul 30, 2010
    #13
  14. thanatoid

    Mike Easter Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    Mike Easter wrote:

    > See, I still need a 'picture' of which hdd is which.


    After re-reading the first post, I think I understand.

    The 40G hdd is currently removed from the machine in question. The 80G
    hdd is currently divided into many partitions of which one partition
    boots W98 and one partition boots XP and there are numerous others for data.

    The only boot sector check you have made is ESET. The other negative
    scan is MBAM.

    Presumably you have no handy way to burn another boot sector checker
    such as Avira.

    However, you say that you have 'replaced' the MBR with a pre-existing
    one; I'm wondering if instead you merely 'repaired' the MBR. What tool
    did you use to replace the MBR?

    You said that you have a Hiren's, but Hiren's comes in many flavors
    because Hiren's changes often. What is the version # of your Hiren's?


    --
    Mike Easter
    Mike Easter, Jul 30, 2010
    #14
  15. thanatoid

    thanatoid Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    Mike Easter <> wrote in
    news::

    > thanatoid wrote:
    >> Mike Easter

    >
    >> First of all, thank you VERY much for actually being
    >> helpful instead of complaining about multi-posting to 4
    >> groups

    >
    > I didn't see anything other than the 24hshd post.


    I didn't cross-post, I multi-posted because - even though the
    terms say nothing about it, on the two VERY UNUSUAL occasions
    when I wanted to cross-post to 3 or so groups, it would not
    accept the posts. So I multi-posted, and this resulted in more
    angry messages and suggestions to KF me - especially in the oh-so
    friendly a.c.virus group.

    >> OK - so there is NO way it has invaded ANY OTHER part of
    >> the computer except the HD?

    >
    > The only way some data can 'travel' from one hdd to another
    > is if the two drives are networked insecurely, such as
    > shared and without a pw. Naturally it is generally easier
    > to pass from one partition to another as they are generally
    > insecurely shared, especially on a Win98 system.


    OK, I /think/ you are saying the infection can NOT pass to my X
    (original) drive. Right?

    UNLESS it's in the CMOS, I guess. I just unplugged the machine
    and removed the battery for about 25 minutes, and the CMOS was
    cleared. The infected (Z) HD is unplugged, both power and IDE
    cable. The "burn" to a flash stick of Linux Mint appears to have
    worked - I just booted, and the green "dos-like" start screen
    menu (regular, compatibility mode - whatever that is - I'M
    NOOOW! - memory test and something else) showed up - I am doing
    memory test while I look at the replies to my latest ramblings.

    > In order for the network example to work, there needs to be
    > an operational operating system running which is configured
    > to insecurely network the drives during infection.


    No networks here. I used to burn CD-RW's to transfer data
    between this 166 MHz and the EVO. Since broadband became cheaper
    than two phone lines, I switched over to the EVO completely. I
    didn't even know if the Win95 machine would work - it works like
    a charm.

    >> What about the BIOS?

    >
    > It is not practical for something to try to write to the
    > bios. Generally the only bios malware is designed to
    > (simply) kill the bios. The only (real) kinds of bios
    > malware which are written much about are laboratory
    > experimental proof of concept and killers.


    OK... Well, I cleared it anyway, and made USB the first in boot
    order, and it seems to work... I'll see (in a little while,
    depending on how hairy it is) whether I can actually get on the
    internet with my BB connection with Mint, see Windows on the
    infected "Z" drive, etc.

    > For those who are paranoid about bios security, some bios
    > can be passworded.


    Every BIOS I've ever seen (only 10-15 computers in all) could be
    passworded (MAYBE not the AMI one, it was a LONG time ago...).
    The Compaq has a little jumper next to the little silver square
    CMOS/BIOS chip (which has a yellow 'reset' button in the middle)
    which is marked "password enable". Remember, for a while you
    could enter ANY Award BIOS (IIRC) by typing 'Award'?

    > Your bios has some security features, seen in this
    > table/page about the 3 types of EVO 510
    >
    > http://h18000.www1.hp.com/products/quickspecs/11349_div/11349_div.html
    > Compaq Evo D500 Desktop Series Evo D510


    Yup. It's a good machine - the SFF being the only hindrance to
    full enjoyment - only two drive bays (+floppy) and a stupid
    horizontal riser for 2 PCI cards... But it /is/ small.

    >> (I did remove the battery, but only for
    >> about 3 minutes IIRC - I just read today one should remove
    >> it for 15 minutes - and I cleared the BIOS both by
    >> pressing the button on top (as per Compaq EVO manual)
    >> /and/ by using a debug routine from Hiren's AND by
    >> restoring an old BIOS - several times.

    >
    > You are more worried about the bios than I would be.


    /laughs out loud/

    > Yabbut presumably we are talking about the 80G Z and the
    > 40G X as being physically separate hdd/s from whatever is
    > the C drive which we are targeting to format and also zero
    > the boot sector, correct?


    No. I know, I probably made it more complicated than someone
    normal would have. I REALLY appreciate your patience.

    > Oops. I changed my mind about that presumption; I now think
    > Z and C are both on the same 80G drive.


    Correct.

    >> PERHAPS I can actually use Windows? The infected Z drive
    >> will not be the boot drive NOR be running the OS - the X
    >> drive will - so I would think Z would just become a "dead
    >> with data" drive...?

    >
    > See, I still need a 'picture' of which hdd is which. I want
    > to talk about what is a separate physical hdd and what is a
    > partition on which physical hdd. I don't have that picture
    > yet from your Z and X terminology. I use letters for
    > partitions and usually numbers for physical drives. You
    > need to explain it differently than you have so far because
    > you are worried about spreading an infection.


    OK.

    In the computer now:

    "Z" drive (now called drive 1 - see below): 80GB WD, *infected*,
    with one primary partition divided into booting C: and 10 other
    virt. drives, one of which has the dual-boot XPSP3 installed. I
    used 3 or 4 partition programs from the Hiren's disk and since
    they can hide partitions, /and/ unhide them, I can only assume
    they will /show/ a hidden partition and allow you to unhide it.
    None of them showed any hidden partitions OR unused space.

    So I'm guessing the thing must have moved into the free space in
    bootsector OR one of the "data" partitions - which I did not
    want to check since I have NO idea what the virus may do next.

    On the shelf, ready to be put into the CD burner bay:

    "X" drive (now called drive 2 - see below): 40GB Maxtor, clean,
    had 17 partitions but I can't remember if I wiped the whole
    thing or whether I just left it as it was. In any case, I have
    an Acronis image of the latest C: setup, and if worst comes to
    worst, I will install 98SELite from scratch... I have done it
    MANY times before... Sigh...

    ....Does this explain it? I did my best!

    <SNIP>

    > Even tho' I don't completely get it yet, I am sensing that
    > the current mainly infected C partition is on the 80G
    > physical drive and that drive has a lot of partitions. I
    > suspect that all or almost all of those partitions were for
    > data and that they were not secure from sharing by the
    > Win98 that we are convinced is infected.


    Well, I'm not sure what you mean by "sharing" - there is no
    network except for my broadband connection which has file
    sharing and netBIOS disabled, and the router mfg. firewall as
    well as my Agnitum outpost firewall are always running, and ESET
    with the sigs of 3 hours before disaster struck (which was NOT
    running).

    Of course, being virtual drives in the primary partition of
    which C: is the booter, C: has full access to all of them, and
    it is conceivable the virus installed itself somewhere ELSE than
    on C - I did not scan ALL the 11 partitions, just the booting
    98SELite and XPSP3, and then I was just too freaked out -
    especially since I can only scan AFTER booting into one or the
    other Windows and the virus is ALIVE and who knows what it will
    do next... That's why I haven't entered /either/ of the two
    Windows OS's on it since then, just booted from Hiren's or used
    DOS with XTree Gold which I have installed on drive C.

    >> I just need a yes or no to those questions, I hope I have
    >> clarified it now - as much as I am capable of clarifying
    >> anything...

    >
    > I'm not 100% ready to yes or no until I understand what is
    > potentially infected on the 80G drive that I will consider
    > the first physical hdd, call it 0 or call it 1.


    The Compaq will ONLY hold ONE hard drive - if you want to have a
    CD drive installed - and I do.
    The two IDE channels ONLY accept ONE drive each. I have no idea
    what would happen if I somehow attached a normal two-drive IDE
    cable to the one-drive Compaq cable and tried to boot. Probably
    not worth trying.

    + + +
    newsflash!

    [OK! I'm running LinuxMint 9 off the USB stick! Looks too much
    like XP - I know, I can do whatever I want with it... ;-]

    20 minutes later - while I was writing and checking this post...

    [I opened something called 20041010_1359 (has a 4-floppy icon
    with one floppy labeled ALL) - it appeared to be a file manager of
    some sort, and it crashed almost immediately, so I rebooted in
    "compatibility mode". We'll see what happens... I am a little
    suspicious of the 20041010_1359 thing - it only appears a couple
    of minutes AFTER the Mint desktop appears with the 3 main icons
    and the taskbar.]
    + + +

    I used X and Z so as not to get confused with A and B (floppies)
    - it did NOT occur to me to use numbers (I'm not getting any
    smarter).

    I am thinking of salvaging the data from the apparently "can not
    remove the virus since who knows where it is and neither ESET
    nor MBAM find anything" infected drive number 1 (formerly
    referred to as drive Z) by removing the CD drive and putting in
    the original 40GB Maxtor which is perfectly operational and
    which we will call drive 2 - formerly ref. to as "drive X". Then
    after I wipe the bootsector of the infected drive 1 (I already
    absolutely wiped the BIOS as mentioned above) and delete
    everything in the root of the C: partition, I /assume/ it will
    just be dead storage. I will write a new MBR with fdisk /mbr - I
    did it several times, but for whatever reason it did not work.
    It should now, I will disable the MBR security feature in the
    BIOS - I suspect it may have been reinfecting the new MBRs
    somehow, or that it went in the free space AFTER the MBR. So I
    will zero everything with the Symantec program (or whatever will
    do the job) and write a new MBR. That /should/ do it, right?

    >>> If it is bootsector, there is 'room' in the bootsector
    >>> separate from the MBR. Most MBR restorers do not zero
    >>> the entire bootsector; in fact, hardly any do that. In
    >>> order to zero the bootsector, you need to specifically
    >>> and consciously do that under 'direct observation'.

    >>
    >> Can you clarify what that means, or comment on the next
    >> paragraph OR point me to a utility which /will/ wipe the
    >> ENTIRE first sector, I believe AKA bootsector?

    >
    > This is the drive with the many partitions if I'm
    > understanding correctly.


    Yes.

    > The MBR is 512 bytes before the first partition. If that
    > hdd was configured to multiboot XP and W98 and also contain
    > numerous extended partitions the information about how that
    > is set up is also in the MBR.


    Yes.

    > The MBR has to know where the active partition is. I
    > presume that you created this XP/Win9x by using the XP disk
    > with an existing W9x install.


    Yes.

    > But I don't want to presume too much.


    Feel free. I know it's a little insane over here. MeatPlow
    appears to take /particular/ exception to my fondness for
    partitions.

    > When I was thinking about zeroing the MBR I wasn't thinking
    > about all of these numerous partitions.


    I understood that, you were talking about the bootsector, AKA
    sector 1 /ONLY/. I understand that since it WILL have
    partitions, drive 2 will have to have an MBR but none of the
    partitions marked as booting (or active, or whatever the term
    is). Right?

    > I'm going to get to the questions I snipped below after you
    > confirm that in fact the genuinely infected Win9x partition
    > is the first of many partitions on this 80G hdd which has a
    > lot of partitions some of which are just data and at least
    > one of which can boot an XP OS.


    Above paragraph is /exactly correct/. There is C (and ten other
    partitions/virtual drives) on the 80GB infected drive, ie drive
    1, formerly ref. to as drive "Z". Dual boot: C is 98SELite, E is
    XP.

    Your patience is astounding. I owe you a case of beer - or a
    case of Scotch, or whatever you like.

    t.
    thanatoid, Jul 30, 2010
    #15
  16. thanatoid

    thanatoid Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    Mike Easter <> wrote in
    news::

    > Mike Easter wrote:
    >
    >> See, I still need a 'picture' of which hdd is which.

    >
    > After re-reading the first post, I think I understand.
    >
    > The 40G hdd is currently removed from the machine in
    > question. The 80G hdd is currently divided into many
    > partitions of which one partition boots W98 and one
    > partition boots XP and there are numerous others for data.


    Correct.

    > The only boot sector check you have made is ESET. The
    > other negative scan is MBAM.


    Yes.

    > Presumably you have no handy way to burn another boot
    > sector checker such as Avira.


    I don't want to enter into either of the OS's because I have NO
    idea what the damn virus is capable of doing next - like wiping
    the whole drive! That's why I want to make drive 2 'unbootable'
    and remove all the files from the C root, and zero the entire
    bootsector and write a new MBR, and then boot from drive 2 which
    I will put in the CD drive bay for this rescue operation, and
    copy stuff and burn it to CDRs a little at a time...

    > However, you say that you have 'replaced' the MBR with a
    > pre-existing one; I'm wondering if instead you merely
    > 'repaired' the MBR. What tool did you use to replace the
    > MBR?


    I /think/ I used a couple of tools from Hiren's and then fdisk
    /mbr. I will now use the Symantec whatever-it's-called, or one
    of the other tools which will allow me to fill the /entire/
    bootsector with zeros. I may do it a few times just in case -
    unless you tell me that is /absolutely/ unnecessary, then once
    will do it. I will await your instructions. (I don't know which
    time zone you are in nor the hours you keep, so it may not click
    together until tomorrow.)

    > You said that you have a Hiren's, but Hiren's comes in many
    > flavors because Hiren's changes often. What is the version
    > # of your Hiren's?


    I have one which I DL'd about 5 years ago, it has 4, 5, and 6
    and a few other directories, and then I have 9 (IIRC) on a
    TinyXP 09 CD. But all those "rooty" tools are on all of them -
    they are all pre-2003, many late 1990s.
    thanatoid, Jul 30, 2010
    #16
  17. thanatoid

    thanatoid Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    Mike Easter <> wrote in
    news::

    > thanatoid wrote:
    >
    >> I thought, OK, I'll reboot to XP - XP should be OK, right?
    >> Same thing. Then I realized XP reads several files on C.

    >
    > I don't know how you boot into XP but I wouldn't think it
    > would have anything to do with the other bootable
    > partition.


    I installed XP after 98SELite and, strangely enough - for MS - I
    almost did not believe it when I was told (IIRC in this group,
    or m.p.w98.gen-disc) - XP allows you to install it on any
    partition and leave 98 on C.

    It gives you a 2-option boot menu, then it goes to the regular
    9x boot menu if you choose 98, and to the (rather boring) XP
    start screen if you choose XP. I can see all partitions
    whichever OS I run, but I can not run programs installed on the
    XP partition when I booted into 98, and I cannot run 98 programs
    when I boot into XP, obviously.

    All the booting sys and hidden files on C: are replaced by the
    XP installation to allow for this dual-boot operation. At first
    I thought some of THOSE got infected, but the Acronis restore
    would have fixed that. So it's either in the bootsector
    somewhere or on one of the other 9 partitions (I MBAM'd and
    ESET'd C and E). Or it's on C or E, but invisible to /both/ ESET
    and MBAM - which would be a little disheartening.

    > With that system, whenever I boot into either Win2K or XP,
    > I can see the other win partition. In the past, I'm
    > accustomed to one bootable partition being hidden from the
    > other bootable partition, so that is why I am assuming that
    > your W98 and XP partitions can't see each other.


    No, both systems see the entire HD perfectly, and in fact I had
    to scan the C drive (98SELite) from XP since MBAM only runs on
    XP and up.

    I guess C remains the booting partition even if you choose to go
    into XP, after which point it becomes irrelevant. Or not.

    > That's the reason I bring up the observations with my 2k,
    > xp, linux system - to ask the question of whether your w98
    > and xp partitions are 'exposed' to each other or not.


    Yes, I can see/access the entire HD from both OS's.

    >> first restored an old saved MBR,

    >
    > That seems like it should solve a problem of infection in
    > the MBR.


    One would think. But the BIOS said something about MBR
    incorrect, press [something] to restore, then I restored the old
    one AGAIN from a floppy backup, but WHO knows what actually
    ended up in the bootsector, or whether it was 'intercepted' and
    fubared. Zeroing it SHOULD do it, as I understand it.

    [What I /don't/ understand is why everyone is so paranoid about
    the MBR, since every time I have ever used 'fdisk /mbr' (and I
    /have/ used it before), on /whatever/ machine, it always booted
    perfectly afterwards, I never lost the partitions or anything. I
    don't get it. But I suppose it's another subject, and I am
    abusing your good will as it is.]

    >> then (when that did
    >> not help) created a new MBR,

    >
    > I don't know exactly how that works.


    Well, after the BIOS complained, I used something from Hiren's
    to (presumably) wipe the MBR, and then 'fdisk /mbr'. (IIRC.)
    It's a little fuzzy - it's been two or three days and I usually
    can't remember what I did /yesterday/.

    >> and finally restored an Acronis
    >> image after moving current C: data to another partition.

    >
    > That also sounds like a good plan.


    Lemme tell you, when the system was STILL infected after the
    Acronis restore, I realized I was in TROUBLE. It was NOT the
    greatest computing moment in my life - but BION, I HAVE had
    worse.

    >> Well, when the restored Acronis image (which I believe
    >> contains the MBR in the first sector

    >
    > No I don't believe so. I believe the Acronis image is an
    > image of the *partition* which image is *not* the MBR.


    from the PDF:

    "Partition images include all its files and folders,
    irrespective of their attributes (hidden, system, etc.), Master
    Boot Record (MBR), File Allocation Table (FAT), and a root
    directory (Root).

    Acronis TrueImage Deluxe software stores only the data sectors
    of a hard disk in its partition image."

    I guess this means it does NOT store/restore the MBR, right? I
    didn't know that - but then again I've never had a virus before.

    I guess since the MBR /stores the partition info/ it CAN NOT be
    /inside a partition/.

    [Deep sigh.]

    Well, this makes things a little clearer. It would seem the
    virus IS in the bootsector, whether in the MBR or the 'free'
    space of the bootsector. OR - it's on any one (or more) of the
    other partitions ***and*** undetectable by MBAM and ESET. [!]
    thanatoid, Jul 30, 2010
    #17
  18. thanatoid

    thanatoid Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    Steve <> wrote in
    news::

    > In article <Xns9DC41A10133D2thanexit@81.169.183.62>,
    > lid says...


    <SNIP>

    >> I'll try it, but first:
    >>
    >> Can you please confirm that IYO there is NO way the damn
    >> thing can be anywhere BUT the hard drive? I am afraid of
    >> infecting the USB stick - it's only ten bucks, but
    >> still...

    >
    > I've seen viruses on CD/DVDs but I doubt you have burned
    > the virus to one of them.


    No, after I failed to get rid of the virus, I have not booted
    into either 98 or XP (let alone made an ISO file and burned it
    to a CD), I have only used Hiren's and DOS on C (using XTreeGold
    to do stuff).

    > I'm 99.99 percent sure your virus is only inhabiting hard
    > drives.


    OK. Mike seems positive it can not be inside the BIOS - and I
    have wiped it clean several times by now. I will fill the entire
    bootsector with zeros and boot from the 2nd (original, currently
    on the shelf) HD and use it to copy stuff from the infected
    drive, after which I will totally zap the infected drive several
    times using all the tools I can find around here, and then
    either use it or not...
    (BION I find 80GB a little too much to deal with... 40GB was
    just fine... I have NO idea WHY I got the used 80GB drive 1 or 2
    years ago...)

    >> Also... if the hidden partition exists - and I am willing
    >> to accept that in SOME bizarre manner it does - is there
    >> any way to *see* it and destroy it? Like with some program
    >> of the kind you find on Hiren's buoottsavers?

    >
    > Yes, but again I don't think that is your problem.


    I ran 3 or 4 partition managers from Hiren's and none showed any
    hidden partitions or "suspicious" unused space.

    > Mike Easter is giving you some good help and he's here a
    > lot more than I am.


    Both of you have been extremely kind, and it is greatly
    appreciated.

    > If it was my machine, I'd get your hard drive onto a Linux
    > machine that can run antivirus programs like Clam AV
    > against the infected hard drive, pull all the data that I
    > didn't want to lose off of it.


    I don't know anyone who has a Linux machine. My other two
    computers are too old to run a modern Linux.

    > Reformat it to ext3, then
    > reformat again to your windows partitions <FAT32 or what
    > ever you're using> and reinstall windows from media that
    > has passed virus scans.. That should kill any hiding
    > viruses.


    If you read the "Mike Easter" parts of the thread, you will see
    I am intending to do something very similar with the original HD
    which came with the Compaq - for reasons I have forgotten, I
    decided to get an 80GB HD and put less partitions on it than I
    had on the original 40GB HD...

    > Or The Flying Spaghetti Monster is telling you that here is
    > your opportunity to move to Linux.


    It sure as heck is...

    See my reply to Mike... Mint is running on the infected machine
    from a flash stick - with the HD disconnected. But I am busy
    replying to you guys, so I have nothing to report yet.

    Thanks again for your help.
    thanatoid, Jul 30, 2010
    #18
  19. thanatoid

    Mike Easter Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    thanatoid wrote:
    > Mike Easter


    > OK - so there is NO way it has invaded ANY OTHER part of the
    > computer except the HD?


    I agree with Steve that the hdd is the only place that is infected, but
    from what I've heard, that includes every partition on that hdd and the
    mbr which is not on any of the partitions.

    So, the problem is going to be how to salvage the data found on all of
    the partitions without retaining the infectious agent in some obscure
    form, such as a weirdly named executable - recall how many executable
    extensions I posted earlier. Not all of those are 'realistic', but the
    problem is that a great many of them are.

    It would be very very helpful in the salvaging of the data if you had
    some antimalware which could see this infection template.

    > I don't want to wipe 80GB's of data on Z -


    I understand that problem, but we haven't found out how to disinfect it yet.

    > but I have another
    > HD, the one that came with the machine (X drive), and can use
    > that to copy stuff using DOS from the other HD (Z).


    I wouldn't get too hasty to copy anything. Currently the 40 is not
    infected and the 80 is infected. When you start copying things, you
    open the potential to infect the other drive.

    What we would like is to be able to start installing an operating system
    on a disk that has been wiped clean including all sectors ie the boot
    sector. But before we polish that 80G disk, we have to figure out how
    to deal with the data considering that we can't id the infecting agent
    which may be 'mixed' among any directory in any partition and places -
    one place - that are not in the partitions.

    > PERHAPS I can actually use Windows? The infected Z drive will
    > not be the boot drive NOR be running the OS - the X drive will -
    > so I would think Z would just become a "dead with data"
    > drive...?


    Personally I would rather be trying to sanitize the drive without
    running windows, but it could also be done with windows.

    > So, if I boot from the 40GB hard drive (X) after wiping
    > everything in the root of the infected HD (Z), then there is NO
    > WAY that the virus will infect the booting X drive?


    I wouldn't say 'no way' - but if you chose to disable the optical in
    favor of booting the 40 hdd so that you could run the OS on that drive,
    you would presumably be running an uninfected OS.

    The fact that this infection 'crossed over' and infected the XP
    partition on the 80 hdd makes it a very formidable threat - a clever design.

    > Or should I stay in DOS to be safe?
    >
    > Or no problem using Windows if I first use PTEDIT to zero the
    > whole first sector (I can even format the C: drive, there is no
    > /data/ on it, just the OS/software, all the data is on the other
    > 10 partitions) and then fdisk /mbr?


    When you take out the MBR on the 80, you are going to make it very
    difficult to salvage the data on the partitions. The main structure -
    locations - of the partitions is stored in the MBR.

    > I just need a yes or no to those questions, I hope I have
    > clarified it now - as much as I am capable of clarifying
    > anything...


    I would really really like it if we could find something to recognize
    this problem's template. Else I don't see any way you are going to be
    able to copy any data from the 80G hdd to anything else.

    >>> I have NO idea where this damn
    >>> thing is living.


    Me either.

    <snip questions about zeroing the MBR>

    If you zero the MBR, as I initially thought about, you will 'disengage'
    your ability to locate the data on the partitions.


    > OK - as above - can I just put in the X drive where the CD
    > burner usually sits and boot from IT (X) after wiping the entire
    > root of c: on the infected Z drive?


    You are thinking that you can wipe out the C partition and you will be
    clean, but we already know that this infection is also in the XP
    partition and can assume that it is all over the 80G hdd - including
    'nonpartition' space, ie the MBR.

    > I can't clean up anything with DSL since it runs from the CD in
    > memory and does not even know the HD exists, let alone see
    > Windows partitions.


    Actually DSL can see the hdd - you just have to mount the drive - but I
    don't remember what kinds of antimalware DSL has.

    The good news about DSL is that it is frisky running in ram; its limitation
    is that we don't know how well stocked it is with AV. In some ways,
    Hiren's might be better than DSL.

    I really wish we could see this infection problem with something.

    I should crank up a DSL and see how it is rigged. This one is 4.4.1. I
    don't see any AV stuff on DSL like Puppy has. Puppy changed a lot from
    4.3.1 to 5.0.1. I'll look at puppy after while; you don't have it anyway.

    >>> BUT - since what is happening is quite inexplicable, I am
    >>> afraid of contaminating my X drive.


    Correct. At this time you should consider the entire 80G drive
    contaminated and any Win OS which can see that drive can infect any
    other drive the Win OS can see.

    > It was just a bat file that
    > did whatever - it MAY have created something else that now lives
    > somewhere else and has one of the 45 (or more?) extensions.


    Correct

    > DSL running in memory can't see or access the HD so it's
    > not of much use. But I will run it again just to make sure it
    > behaves normally.


    DSL can see the hdd if you mount the hdd, but DSL doesn't have any AV
    tools in its native condition. That I can see in the DSL I have 4.4.1

    > I'm really sorry to be a drag and repeat the question a third
    > time - but since I do have another working drive (X), can I just
    > make that bootable and copy and backup stuff and THEN zero the
    > boot sector, format the whole drive, then fdisk it and partition
    > it and THEN restore the good Acronis image (etc.)? Or, as above,
    > should I zero the infected drive's bootsector before accessing
    > it - /JUST IN CASE/?


    You are assuming that it is safe to 'back up' the data you have, but
    since we don't know what this agent is or how it works or how to
    disinfect it from your 80G drive, the entire drive should be considered
    to be infected by the same mechanism that infected the XP partition
    which wasn't running at the time of the W98 infection.

    I just booted puppy 5.0.1. It doesn't have any AV natively either.

    Until you can disinfect your entire 80G hdd, I don't see how you can use
    any of the data. We don't know how this thing works and how it managed
    to cause your XP to become infected which wasn't running at the time of
    the W98 infection.

    Then, if you consider the MBR to be infected, you can't remedy that
    without 'practically' destroying your access to all of the data on the
    80G partitions. Recovering the data without the partition tables and
    FATS would be near impossible.

    --
    Mike Easter
    Mike Easter, Jul 30, 2010
    #19
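
An added illustration, not part of any post in this thread: the posts above contrast a boot-code-only rewrite (the kind of repair `fdisk /mbr` performs) with zeroing the whole first sector. This sketch parses a 512-byte MBR and shows what each operation leaves behind; the sample sector, its partition values and the function names are constructed for the example.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0-445: bootstrap code area
TABLE_OFFSET = 446         # bytes 446-509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # bytes 510-511: boot signature
ENTRY_FMT = "<B3xB3xII"    # status, (CHS start), type, (CHS end), LBA start, sector count
TYPE_NAMES = {0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)"}


def build_sample_mbr():
    """Constructed sample sector: one active FAT32 primary plus an extended container."""
    boot_code = b"\x90" * BOOT_CODE_LEN        # placeholder bytes, not real boot code
    entries = [(0x80, 0x0B, 63, 4192902),      # constructed values
               (0x00, 0x0F, 4192965, 152103420)]
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return boot_code + table + SIGNATURE


def parse_mbr(sector):
    """Return signature state, whether the boot code area is blank, and the used slots."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for slot in range(4):
        start = TABLE_OFFSET + 16 * slot
        status, ptype, lba_start, count = struct.unpack(ENTRY_FMT, sector[start:start + 16])
        if ptype == 0x00:                      # type 0 marks an unused slot
            continue
        partitions.append({"slot": slot, "active": status == 0x80,
                           "type": TYPE_NAMES.get(ptype, hex(ptype)),
                           "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:512] == SIGNATURE,
            "boot_code_blank": not any(sector[:BOOT_CODE_LEN]),
            "partitions": partitions}


def rewrite_boot_code(sector, new_code=b""):
    """Boot-code-only repair: replace bytes 0-445, keep the table and signature."""
    if len(new_code) > BOOT_CODE_LEN:
        raise ValueError("boot code must fit in 446 bytes")
    return new_code.ljust(BOOT_CODE_LEN, b"\x00") + sector[BOOT_CODE_LEN:]


def zero_sector(sector):
    """Full wipe of the sector: boot code, partition table and signature all go."""
    return bytes(len(sector))


if __name__ == "__main__":
    original = build_sample_mbr()
    for label, image in (("original", original),
                         ("boot code rewritten", rewrite_boot_code(original)),
                         ("sector zeroed", zero_sector(original))):
        print(label, parse_mbr(image))
```

Logical drives inside an extended partition are described by a chain that starts at the extended entry's LBA, so losing that one MBR entry loses the pointer to all of them. Saving a copy of the 512-byte sector to separate media before any wipe keeps the table recoverable.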
  20. thanatoid

    Mike Easter Guest

    Re: Arrogance Punished -OR- The Scourge of thanatoid -OR- I'm "fooqué" (as they say in Montreal)... IOW... HELP!!!

    Steve wrote:

    > Perhaps this can help?
    >
    > http://thepcsecurity.com/virus-scan-boot-disk-from-avira/
    >
    > "Avira AntiVir Rescue System is a Linux-based application that allows
    > accessing computers that cannot be booted anymore. Thus it is
    > possible to:
    >
    > 1. repair a damaged system,
    > 2. rescue data,
    > 3. scan the system for virus infections."


    Yes I like the Avira boot disk idea a lot.

    It is part of a popular strategy mentioned in a.c.f alt.comp.freeware.
    Some time ago someone in acf described a game plan involving the Avira
    disk which helpful post (I thought) I had saved somewhere or other :)-/).



    --
    Mike Easter
    Mike Easter, Jul 30, 2010
    #20