my aunt sent me a laptop to fix with for her. It would begin post but reset upon the end of the post. she called support and they told her it'd need a new $300 motherboard [for this 3 year old laptop] so she sent it to me. the computer opens by first loading a ramdrive asigned to A: so i got it to boot to a command prompt safe mode and DIR the A:. it contains some files and the edit.com is german. i reviewed some of the stuff in there , 75% dos stuff 25% virus files, all total a 500k space, with a 500k free listed [if that helps anyone]

i noted some references in some of the files to the C:. so i wiped out the C: drive, deleted its partition. i have also put on the latest bios, which flashing the bios during that so no virus could be in the bios memory.

then got a bootdisk from Win98 to work, which through this virus, was now under the B: assignment, so i deleted all files in the A: ramdrive. then reset the computer , which had a clean bios and no partitions on the hardrive. but suprise! the virus still resets the computer apon boot. I looked, and yep the files in this A: ram drive are still there. where could they exist???

a computer with no paritions and a new bios has a virus stored quite literaly in no-where.

another note: when i went in the bios and disabled the HD, the ramdrive did not being, it booted to a "no OS found" screen. yet when re-enabling the HD, it continued with the ram-drive showing me the virus seems to be located on the HD, but how, when it has no partitions? yes i tried creating a new partition and then format /s C: but that didnt fix anything.

Well, first of all, you better hope you did not flash the BIOS with an infected floppy.

Next, since you seem unfamiliar with DOS, get a boot disk which does not have the ramdisk and all that clutter. Things get confusing enough without that.

Spend an hour or two studying this:

http://www.hexff.com/win98_install.php

It may BE a bad mobo. It wouldn't hurt to get a second opinion.

M2

Mechanix2@Golden-Triangle.com

the floppy was clean and created on another computer that is clean and protected by an updated AV.

thanks for the link ill read around

i still fail to see how this could relate to a motherboard issue, as the virus resides somewhere within this computer i just cant figure out where. does anyone know how how files could stored on a HD that has no paritions?

There could be virus in the partition table.

Try this:

fdisk /mbr

If no joy, you may need a partition wipe, which I have.

M2

Just how, exactly, are you determining that you have a virus?

Never argue with an idiot. They will only bring you down to their level and beat you with experience

Report Offensive Follow Up For Removal

ill give the fdisk /mbr thing a try, and i determined i have one by the fact that there is a ramdrive being executed apon boot-up that no one setup, all files from the OS were wiped out, and in this ramdrive theres a batch file with a code telling to computer to restart on bootup.

None of that sounds indicative of virus to me.

A (temporary) ramdrive is created by some startup disks as a normal part of the process, as well, a small utility to reboot the computer is not unexpected. I believe you're pursuing an imaginary enemy.

Never argue with an idiot. They will only bring you down to their level and beat you with experience

Report Offensive Follow Up For Removal

well i sure would feel like an idiot if i was, however what other purpose could such a program serve? also when you delete these files they return apon start up. what kind of purposeful program would prevent itself from being removed?

It's not my intention to make you feel like an idiot, but many folks seem to suspect virus whenever something occurs that they can't immediately explain.

"what kind of purposeful program would prevent itself from being removed?"

Not quite clear on your meaning, but System and other important files will set various DOS 'attributes' which prevent them from being casually deleted.

If you are running from a bootdisk, I'd imagine everything is happening as it should. You're starting in DOS, a temporary drive is created in memory and a number of files are unpacked from the floppy to the ram drive, all in accordance with the instructions present in config.sys & autoexec.bat.

Never argue with an idiot. They will only bring you down to their level and beat you with experience

Report Offensive Follow Up For Removal

if this helps any i'll list the files on this ramdrive that refuse to leave :

command .com
config .sys
mscdec .exe
emm386 .exe
cpqidecd .sys
himem .sys
ramdrive .sys
country .sys
ega .cpi
display .sys
mode .com
edit .com
klock .com -yes with a "k"
getdnum .com -read only
dready .com -read only
autoexec .bat
io .sys -system, hidden, read only
msdos .sys -system, hidden, read only
drvspace .bin -system, hidden, read only

and the contents of the autoexec.bat are as follows :

@ECHO OFF

if "%1"=="" set 1=A:

::Set codepage for International Lang
mode con CP PREPARE = ((850) ega.cpi)
mode con CP SELECT = 850

::Remove CTL-C/CTL-BREAK
REM %1\KLOCK.COM

::Get RAM drive
%1\GETDNUM "MS-RAMDR.IVE"
IF ERRORLEVEL 1 SET RD=A:
IF ERRORLEVEL 2 SET RD=B:
IF ERRORLEVEL 3 SET RD=C:
IF ERRORLEVEL 4 SET RD=D:
IF ERRORLEVEL 5 SET RD=E:
IF ERRORLEVEL 6 SET RD=F:
IF ERRORLEVEL 7 SET RD=G:
IF ERRORLEVEL 8 SET RD=H:
IF ERRORLEVEL 9 SET RD=I:
IF ERRORLEVEL 10 SET RD=J:
IF ERRORLEVEL 11 SET RD=K:
IF ERRORLEVEL 12 SET RD=L:
IF ERRORLEVEL 13 SET RD=M:

set TMP=%RD%
set TEMP=%RD%
set CD=N

::Load CD driver
LH MSCDEX.EXE /D:IDECD001 /M:12 /L:%CD%

::----------------
::FIND SYSTEM SAVE
::----------------
if not exist %1\dready.com goto end

if "%1"=="e:" goto try_d
if "%1"=="E:" goto try_d
%1\dready.com e:
if errorlevel 1 goto try_d
if not exist e:\cpqs\xqr.* goto try_d
set SAV=E:
goto have_sav

:try_d
if "%1"=="d:" goto try_c
if "%1"=="D:" goto try_c
%1\dready.com d:
if errorlevel 1 goto try_c
if not exist d:\cpqs\xqr.* goto try_c
set SAV=D:
goto have_sav

:try_c
%1\dready.com c:
if errorlevel 1 goto end
if not exist c:\cpqs\xqr.* goto end
set SAV=C:
goto have_sav

:have_sav

PATH %RD%\;%SAV%\CPQS;%SAV%\CPQS\TOOLS;

::-----------
::CHECK FILES
::-----------
@if %SAV% == "" goto end

if not exist %SAV%\CPQS\TOOLS\AUTOEDIT.EXE goto end

%SAV%
cd \CPQS

REM
REM Now done by WinQR program(s)
---
REM %SAV%\CPQS\TOOLS\AUTOEDIT.EXE DQR.INI "FpyLetter=\"A\"" "FpyLetter=\"B\"" /S
REM %SAV%\CPQS\TOOLS\AUTOEDIT.EXE PQR.INI "FpyLetter=\"A\"" "FpyLetter=\"B\"" /S
REM %SAV%\CPQS\TOOLS\AUTOEDIT.EXE XQR.INI "FpyLetter=\"A\"" "FpyLetter=\"B\"" /S

@IF EXIST %SAV%\CPQS\XQR.EXE CALL %SAV%\CPQS\XQR.EXE
::--------------
::REBOOT SYSTEM
::--------------
if exist %SAV%\CPQS\TOOLS\REBOOT.COM CALL %SAV%\CPQS\TOOLS\REBOOT.COM > nul

::--------------------
::DONE(Reboot System)
::--------------------
:end

and this ramdrive is created even when a bootdisk is not present. if a bootdisk is present, according to the BIOS it will boot to the bootdisk instead. however the bootdisk is created as a ramdrive under both letters A: and B:

and i used attrib to remove all attributes before attempting to delete all those files stored on this A: ramdrive, however when i restarted the computer they had not been removed.

Nothing looks terribly out of the ordinary there - various files have the 'read only' attribute. A RAM drive collapse when you reboot - unless you recreate it again by using the same bootdisk.

Tilting at windmills, my friend - reinstall Windows or whatever, install an AV program and rely on it & online scans

Never argue with an idiot. They will only bring you down to their level and beat you with experience

Report Offensive Follow Up For Removal

That doesn't make a whole lot of sense - if a ram drive is being created upon boot without a floppy in the drive, then the instructions are coming from somewhere - likely the HDD (perhaps a hidden partition) - I have seen DOS load from a ROM chip, but that's not likely the case here.

Try a different bootdisk - but regardless, virus don't work the way you describe

Never argue with an idiot. They will only bring you down to their level and beat you with experience

Report Offensive Follow Up For Removal

ah no need, the FDISK /mbr command did the trick :-)

i would have tried that but i wasnt aware of such a command and a fdisk /? does not list that command. but that did the trick. all those files are gone, no more ramdrive is created at start up and it goes straight to the C:\ drive partition i created with the win98 system files on it, and to a command prompt. now to install windows.
thanks for the help, all that work came down to 3 simple letters after the fdisk command. funny how things like this work out sometimes. thanks

"That doesn't make a whole lot of sense"

boggled my mind to , but a google of fdisk /mbr reveals the mbr reformats the master boot record and therefore this 500k worth of files that were in this ramdrive created on startup resided in the boot record i guess.

No, I was responding to your earlier post - communicating in a forum suffers somewhat from 'time lag'

Fdisk /mbr is a well known (formerly undocumented) switch to restore the master boot record. Usually it's either beneficial or harmless - on occasion it can make a mess of things.

Glad it worked, but it's pretty doubtful you were experiencing a virus problem.

Never argue with an idiot. They will only bring you down to their level and beat you with experience

Report Offensive Follow Up For Removal

There are other useful 'undocumented' options in fdisk.

M2

Sure

Never argue with an idiot. They will only bring you down to their level and beat you with experience

Report Offensive Follow Up For Removal

Viruses can reside in the BIOS

31337

We keep hearing that - got an example??

Never argue with an idiot. They will only bring you down to their level and beat you with experience

Report Offensive Follow Up For Removal

Difference between a virus residing in, and a virus attacking, as part of it's payload, the BIOS.

Few examples of the latter. One really old one would be the CIH variants (Win95.CIH.1019, Win32/CIH (Alias: PE_CIH) Variants 1.2 - 1.4)

n u f f i n k

if you ever need to clean everything of a hard drive try http://dban.sourceforge.net/

a self contained boot floppy with a pretty gui to clean off a hd