MY monitor keeps switching off! Why?

[kel]

Hi...

I'm trying to sort a mates PC system out, can anyone help me please!!

Its running WINDOWS MILLENIUM EDITION ( is that windows 2000?)...

I was told that the system would turn on but go blank prior to the desktop screen stage...

So, I had a go today, thinking that worse comes to worse, I could just install a network card and retrieve data off his hard drive via my indoor network (which didn't work BTW)...or just overwrite with xp sp2 (but theres data to be retrieved first)...

I then realised what he meant, the actual monitor does work ( I tried my own monitor and the same thing happens) but actually shutsdown after the OS load up screen (the system I assume is still running as the fans are still whirring).... so whatever software you may use to boot-up (I tried knoppix v4) is pointless as you can't actually see whats going on...!

I've never come across a problem like this, and ain't sure what the cause is or how to sort it!

I changed the AGP card and monitor to suss the cause, nothing changed.
I ran a RAM check in knoppix (not full)...it passed...
You can stay in BIOS screen for however long you want, the screen stays on...
Same with knoppix....on loadup screens its fine...
As soon as the systems finished loading it seems, the problem occurs...
The system continues to run with the monitor in standby mode..
So i'm guessing that the cause is some virus thats embedded itself....or worse...

Sound familiar? Any ideas?
I'm probably gonna buy a IDE to USB adapter thingy to retrieve the data off his hard disk (several years of music compositions).
(BTW -> I was wondering if ti would be a problem to transfer files of FAT32 format (I'm assumig that WINDOWS ME is FAT32 format) to a NTFS format hard disk? Is this possible?)

But is there a way to sort this without just overwriting and reformatting the system?
Am I missing something obvious?

 

[TECHGUNS]

I think ya have a boot virius dont format yet. Knoppix doesnt boot every PC.

Make a DOS startup disk like ME startup. Ya will have to do this in DOS.

Ya can use Ulimate boot disk also.

http://pcworld.com/downloads/file_description/0,fid,8303,00.asp

Download F-PROT for DOS. Might also be other boot antiviruis that ya can try.

http://www.f-prot.com/download/home_user/

Ya might need to restore the MBR thats the memory chip that has the boot file.

Dual booting PCs can be in trouble if MBR cant be restored. A single OS no problem.

I think Nortons MBR wizzard will work.

http://www.simtel.net/product.download.mirrors.php?id=68928

For technicans DOS isnt dead.

 

[TECHGUNS]

OH Im tryin other Linux live CDs cause Knoppix, doent work on one of my PC that Slax does, but one of my other PCs it the opposite.

Lots of live boot Linux versions now compared to a year ago.

http://www.sysresccd.org/

http://media.linspire.com/cnr_linspirelive/index.html

Lots more.

Ultimate Boot live CD has lots of good stuff on it like Part240, F-prot and MBR recovery.

http://www.topqualityfreeware.com/boot/bootdisk13.html

Since I have removed XP and installed SUSE on my media PC Im going to make a XP live boot CD using Barts PE builder. I want to put partition commander, and all the GPL antipest and PestPatrol corp version, and all the GPL recovery that I can get on it.

http://www.nu2.nu/pebuilder/

I edited this post enough I keep findin Urls.

 

[muckshifter]

What happens in Safe Mode ??

 

[TECHGUNS]

Ya ya didnt tell us if ya tried safe mode.



If this is a desk top sometime its easyer too take the drive out and plug it into another PC newer with IDE cable. Just a little jumper and scewdriver work.

An ASA 66-100 drive will work on a ASA 133 mother board but not the other way.

2003, XP, and 2000 will read fat32.

Then ya can pest scann it, recover files and format it fat32.

Oh ya might still need to reflash MBR with the drive firmware to factory settings before windows intall.

 

[muckshifter]

BOOT IN SAFE MODE

... and tell me what happens.

 

[kel]

I didn't try that!

Yeah, I havn't tried safe mode 'cos its not my pc and i'm unfamiliar with how to boot it into safe mode...

Was it "F3" or something..for WIN ME?

Also, you say its okay to stick the hdd from the problematic pc ( WIN ME) into my pc (WIN XP)...??
Course I would give it a pest scan straight off, but I wasn't sure if the file formats would be readable as they are ( i think) two different systems...fat32 and ntfs...I don't know much about the compatability between these two types...
Anyway, I'm gonna have to try that around Friday...I have other missions to achieve first, but thanks for your responses!!!

I will keep ya updated..

 

[muckshifter]

Press F8 a few times when the PC is booting, then choose safe mode from the list.

ME uses FAT32 your XP uses, or should use, NTFS ... XP can read fat32, just burn the data to a CD ... you will need to make sure the drive 'jumper' is set to slave.

 

[kel]

What now?

I had some spare time, so I set up the problematic ME system and did the SAFE MODE thing...

I think I reached the desktop, but there are no icons at all, just safe mode in each corner of the screen and the mouse pointer...

What now?

Well, I thought I'd dl ultimate boot wizard to try and fix the MBR...
I managed to dig up and dust off an ancient floppy (I never use these anymore!!)...
Tried booting from floppy on the corrupt system.....nope....
So this program (ultimate boot disk) is to be used from within the ME system....there was no explanation of this on the DL page...I cant get to the system, so I can't use it yet...
Okay, next up:

 

[kel]

Progress?

I've made some progress in that after a few attempts of booting up in safe mode into a blank safe mode screen, I then tried booting normally again a few times...

On the last attempt I got the system clock appeared, asking to check if the clock was right...daylight settings etc...

On ctrl+alt+del these are the programs shown running:

Nprotect
Addaf32
Iepv32
Javaxj32
Ipzm32
Winvn
D3nt
Apizk32
Ntks32
Ntwo32
Addae32
Addob32
Atlhw32
Apiuc
Ipnb
Mfcum32
Javacc32
Winrj
Msot
D3bu
Sysbv32
D3zt
Winem
Mfczu
Sysfe32

I don't know if thats any help, maybe you can spot the virus if its in there somewhere?
Problem is what to do now?
The screens still blank (black) with the mouse cursor, but no signs of life at all other than the ctrl+alt+del routine...

 

[TECHGUNS]

I found this one on a Ewido log at this forum.

ntks

http://www.webuser.co.uk/forums/showflat.php?Number=205997

Ewido Security Suite

C:\WINDOWS\SYSTEM32\ntks32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup

With this trojan a hacker can do anything like intall a death to your machine bomb.

http://www.viruslist.com/en/viruses/encyclopedia?virusid=66521


Another from another scanlog.

ipzm

File: c:\WINDOWS\ipzm32.exe
Virus: Trojan:Win32/Agent.BQ Status: Infected

info:

http://www.pctools.com/anti-virus/encyclopedia/virus/Backdoor.Win32.Agent.nj/


I think that I looked enough and dont need to go further.

I think its hacked bad, damaged, ****ed

Even if ya remove the trojans the hacker could have done so much damage to the registry yull never fix it.

 

[TECHGUNS]

If ya can get into safe mode, MBR and the partition is ok.

If ya really need to recover stuff I think yr going to have to plug the drive into another machine and if yr lucky youll see it. easy recovery.

Pest scann the drive 1st so ya dont infect the other machine.

Ya wont like it but ya might have to do this...
If the hacker used something to destroy everything yull have to use a forensic recovery software to get it back. Some free fornesics out there.

If ya really have to go that far I think that I can find some URLs with the free stuff that Ive tryed and works.

I have played with the forensic recovery stuff before ya might not get everything back.

 

[muckshifter]

I had some spare time, so I set up the problematic ME system and did the SAFE MODE thing...

I think I reached the desktop, but there are no icons at all, just safe mode in each corner of the screen and the mouse pointer...

What now?

That at least tells me you probably do not have a hardware problem ... though I will not rule out a hard drive failure/coruption entirely.

However, your system is well and truly screwed ... get what data you can off the system ... If Knoppix cannot help, then the only alternative I see is for you to risk attaching the drive to your system and copying the data off that way ... the risk is you may well get 'infected' if indeed you have some nasties on there ... and then reformat reinstall.

Sorry to say, but data is important, anyone not using some way to copy their data off the system is just waiting for a disaster to happen ... it happens everyday.

Good luck!

 

[TECHGUNS]

1st Update all your antivirus and anti-trojan.

Plug the drive in the PC your recoverin from.

Scan all - all the drives on the PCs with all your anti-pest. I would use at 1 anti-virus least 3 anti-trojans. Becareful scan,scann,scannnn

Now ya can try to recover.

If everything seems deleted use forensic recovery.
recover to a file and then anti-pest scann all the drives again.

Good recovery freeware.

This is the best a Linux forensic recovery that runs with Windows. RLinux
http://www.data-recovery-software.net/Linux_Recovery.shtml

Disk Investigator
http://www.theabsolute.net/sware/dskinv.html

This one will one recover one file at a time but good
http://freeware.it-mate.co.uk/?Editors_Choice&pid=134

I think I used this one a few. Data Unerase
http://www.dirfile.com/edata_unerase.htm


Oh. Knoppix might not run on some older machines, but other live Linux distros for old machine might.

 

[kel]

Thanks guys, seems like I've no choice but to try the hdd swap into my pc to scan and recover...

I'm glad I posted those program names that appeared as running!
I had an idea that there maybe some virus in there but not to that extent!!
I'm suprised I managed to gleam even that considering uptill now we couldn't even get to a desktop screen without the monitor switching off...

 

[kel]

HDD Report!

Have inserted harddrive to my pc and scanning...
Heres what EWIDO found on first scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:19:27 AM, 12/16/2005
+ Report-Checksum: 4D93AF10

+ Scan result:

F:\_RESTORE\ARCHIVE\FS16.CAB/A0242490.CPY -> Downloader.Small.azk : Cleaned with backup
F:\_RESTORE\ARCHIVE\FS20.CAB/A0244035.CPY -> Downloader.Small.azk : Cleaned with backup
F:\_RESTORE\ARCHIVE\FS20.CAB/A0244037.CPY -> Downloader.Small.azk : Cleaned with backup
F:\WINDOWS\Downloaded Program Files\axfreeaccess.dll -> Dialer.Generic : Cleaned with backup
F:\WINDOWS\addaf32.exe -> Trojan.Agent.bi : Cleaned with backup
F:\WINDOWS\iepv32.exe -> Trojan.Agent.bi : Cleaned with backup
F:\WINDOWS\javaxj32.exe -> Trojan.Agent.bi : Cleaned with backup
F:\WINDOWS\ipzm32.exe -> Trojan.Agent.bi : Cleaned with backup
F:\WINDOWS\winvn.exe -> Trojan.Agent.bi : Cleaned with backup
F:\WINDOWS\d3nt.exe -> Trojan.Agent.bi : Cleaned with backup


::Report End

Gonna scan some more with Bitdefender now...

 

[TECHGUNS]

Ask them if thier IE start page changed on them before this problem happend.

These trojans hook ya by first changing the start page that give them more acess to the machine..

This is why I dont use IE to surf.

If ya help them intall Windows them them you wont do it for them unless they install Mozzila Firefox and make it default, Ewido and your farvorite security freeware.


Oh I know a lot of people say I dont need a Firewall.

A virus ya can usually fix but damage done be a hacker almost unrepairable.

 

[kel]

Yeah, I think I remeber them saying something like that. Their start page changed on them .

They later got a 300 pound phone bill!!!

They were on a dialup connection, so the hackers really took advantage of them.
I gave them the correct software to get protected, but if you don't use the software, its no good!

 

[kel]

Hey I found a Trojan in MY system!

I have been cleaning up my mates HDD, with EWIDO (the reports above)...but I then checked the processes (which I didn't know you could do with EWIDO), and found this:

\??\c:\windows\system32\crss.exe
\??\c:\windows\system32\winlogon.exe

I know that winlogon.exe is a valid application, but why the questionmarks then?

crss.exe is definately a Trojan or Virus...I googled it, but I dont know how to get rid of it!

I have posted a full report here:
http://forums.spywareinfo.com/index.php?showtopic=64243

No harm in asking you aswell is there?

 

[TECHGUNS]

It could be a false positive. I googled "system32\crss.exe"


http://www.neuber.com/taskmanager/process/lsass.exe.html

Did Ewido quarintine it.