Netsky.d

[Aldo Larrabiata]

Hi,
I got it.
It deletes the following key :
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer3
2

What's corresponding to this key ans what's its use ?

Thanks

 

[Geese_Hunter]

E6FB5E20-DE35-11CF-9C87-00AA005127ED}

From Trend micro

Restoring Deleted Registry Key

1. In the left panel of Registry Editor, double-click to the
following subkey: HKEY_CLASSES_ROOT>CLSID>{E6FB5E20-DE35-11CF-9C87-
00AA005127ED}
2. Right-click the subkey, select New, and then click Key.
3. Type InProcServer32 to name the new key.
4. In the right panel, right-click (Default) and click Modify.
5. Under Value Data, type the following string:
%SystemRoot%\System32\webcheck.dll
6. Click OK.
7. Close Registry Editor.

From another site
webcheck - webcheck.dll - DLL Information

DLL File: webcheck or webcheck.dll
DLL Name: Web Site Monitor
Description: File that contains COM interfaces used for web site
monitoring.
Part Of: Windows
System DLL: Yes
It's an Internet Explorer file from Microsoft

 

[Aldo Larrabiata]

Thanks a lot.
I will wait for some days in order to see what troubles are caused by its
absence.

 

[lastcall]

Apparently, according to the "group" that has responded to my Newbie
question, it's safe to just remove a virus. No troubles will be caused
by deleting files from your computer. Don't worry.... in a couple of
days nothing else will go wrong! That's what they told me. If I'm in
the field and remove a virus, it's o.k., everything will be fine. I
won't be called back and there is no need to do an OS reload unless
I'm trying to soak money out of someone. It has nothing to do with the
fact that I may get called back in 2 days when something else doesn't
work, they say, now I work for free.

Sorry, Aldo....

 

[Geese_Hunter]

Apparently, according to the "group" that has responded to my Newbie
question, it's safe to just remove a virus. No troubles will be caused
by deleting files from your computer. Don't worry.... in a couple of
days nothing else will go wrong! That's what they told me. If I'm in
the field and remove a virus, it's o.k., everything will be fine. I
won't be called back and there is no need to do an OS reload unless
I'm trying to soak money out of someone. It has nothing to do with the
fact that I may get called back in 2 days when something else doesn't
work, they say, now I work for free.

Sorry, Aldo....

Are you deleting files manually? Or letting virus cures fix them. If you
do it manually, then there probably will be issues. If you let the virus
cure fix it & walk away yea, there probably will be an issue or 2.
If you let the anti- virus prog. work or the virus cure work & you read
what else you might have to do manually, & then apply a fix or a patch
as to how it came in in the 1sat place & then take it for a test drive,
then life is grand & you can move on, if not yea, you'll be back there.
You can do a job right or you can do it 1/2 assed. In 11 yrs as a system
admin I've only reformatted 3-4 PC's due to trojans & virus's. A
reformat is not the cure or a fix & unless you have everything you need
off line that machine is more prone to problems than it was before re-
formatted

 

[FromTheRafters]

Apparently, according to the "group" that has responded to my Newbie
question, it's safe to just remove a virus. No troubles will be caused
by deleting files from your computer. Don't worry.... in a couple of
days nothing else will go wrong! That's what they told me.

That's not *exactly* what you were told was it? I thought I
was clear in pointing out that some research was in order
before any action was taken. If I neglected to do so; or if
you posted this before I posted that; then now would be a
good time to correct that error. There are *some* malware
types (not specifically viruses) that in certain circumstances
will *require* a complete software rebuild of the affected
machine. The "circumstances" in that case would be the
defining factor.

If I'm in
the field and remove a virus, it's o.k., everything will be fine.

Generally, yes - for "viruses". A good removal tool will also
have clues about what else that particular virus may have
done to the system. However, I would recommend having
the AV program "detect" and log its results so that you can
do research and determine the best course(s) of action.

If a machine is "riddled" with malware, I would probably wipe
and reload possibly losing data (if the victim didn't do backups,
this will serve as a lesson as well). Just as in the repair business
sometimes a wholesale replacement is warranted because you
will never attain a sufficient level of confidence in the repair.

I won't be called back and there is no need to do an OS reload
unless I'm trying to soak money out of someone.

This is wrong, there is never any guarantee against a re-do even
if you do wipe and reinstall all software. If you make it a policy
to *always* refurbish the software - this is as close to being
confident as you can get. If you *always* refurbish, then you are
doing it to protect yourself rather than to help the customer.

I have dealt with this sort of thing for years - if the cabinet's
side is cracked, and if there are no replacement parts for the
cabinet, the repair is refused outright even if the complaint is
related to a blown fuse. No confidence. Replacing the fuse
(and affecting repairs) might result in a re-do freebee repair
or replacement of the main circuit board. The laws protect
the consumers, and the businesses must compensate for
those consumers which abuse those protections.

Wipe and reinstall if that is what you want to do from a business
standpoint. Advise your customers that data protection (backup)
is completely up to them. Be sure that you are reloading the OS
up to its most recent patch and service pack or release level to
increase your confidence.

[snip]

 

[Aldo Larrabiata]

Hi,
I'm a bit puzzled by your answer: why are you sorry ?

The question is that I got this virus. In its installation process, it
writes a run key within the registry and removes some other ones.
All didn't exist before I got it except the
"HKEY_CLASSES_ROOT>CLSID>{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer
32.

I'm not too much worried by the deletion of this key, I could restore it
immediately with the explanation provided but I'm very curious and I'm just
wandering what could be the purpose of this key.

Bye

 

[David W. Hodgins]

The question is that I got this virus. In its installation process, it
writes a run key within the registry and removes some other ones.
All didn't exist before I got it except the
"HKEY_CLASSES_ROOT>CLSID>{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer
32.

See http://support.microsoft.com/defaul...port/kb/articles/q176/9/60.asp&NoWebContent=1
for a description of "Load webcheck". Although it dosn't say so in that document, it seems logical to
assume webcheck.dll contains the routines that actually do the work, in updating web subscriptions,
and copying your profile all over the place.

Regards, Dave Hodgins

 

[Aldo Larrabiata]

Positively this thread is getting confusing for me ! It could be also that
some posts are a little bit too tricky for me, English isn't my first
language !

I answered to Lastcall thinking he wasn't in line with the initial question.
Now reading your message, I'm feeling a little more troubled!
In fact I don't want to delete anything!. Except the files pointed out by
the virus removal technical bulletins. But this is the topic of another
thread I answered to and I'll come back later on.
This one is directed to a Registry key Netsky.d deleted. And I think I've
clarified.


Now to answer to your message and to come to the other thread, I understand
that you recommend not to manually delete infected files but letting intead,
the virus cures doing the operations themselves.

With my experience, I don't like such operations to be made without any log
or any configurable restriction or any human consent. As I said in the other
post, I recently made an exception to this rule, letting FixNeysky from
Symantec doing the job in my place. The result is:
- First, I damaged major files on my server (IDE hard disk driver), opening
the door to scandisk destroying the FAT of one of my disks when attempting
to correct an allocation error. The problem is that I was quite sure the
virus wasn't installed on the server. It was pure verification !

- Second, A similar thing happened on my main computer the virus was
installed on. Now, I've bad clusters and crossed file inputs in the FAT. For
the moment, I've not yet touched to this disk in order not to increase the
damages. I've to backup it first. Then I'll see what to do.

Now to come to the rules I try to respect as far as I can: I prefer to apply
the cures step by step, strictly following the technical recommendations the
antivirus sites give to the people who have infected computers and prefer to
clean them manually. I'm probably paranoïd but the events which occurred
tend to demonstrate the contrary ! Rare were the cases an automated process,
antivirus or cleaner, did a good job for me, letting the original file in
good condition and or working fine.

I'd be curious to hear from other people having had bad experiences and also
to compare with lucky others.


"Geese_Hunter" <Géésé_Hunté[email protected]> a écrit dans le message (e-mail address removed)...

Apparently, according to the "group" that has responded to my Newbie
question, it's safe to just remove a virus. No troubles will be caused
by deleting files from your computer. Don't worry.... in a couple of
days nothing else will go wrong! That's what they told me. If I'm in
the field and remove a virus, it's o.k., everything will be fine. I
won't be called back and there is no need to do an OS reload unless
I'm trying to soak money out of someone. It has nothing to do with the
fact that I may get called back in 2 days when something else doesn't
work, they say, now I work for free.

Sorry, Aldo....

Are you deleting files manually? Or letting virus cures fix them. If you
do it manually, then there probably will be issues. If you let the virus
cure fix it & walk away yea, there probably will be an issue or 2.
If you let the anti- virus prog. work or the virus cure work & you read
what else you might have to do manually, & then apply a fix or a patch
as to how it came in in the 1sat place & then take it for a test drive,
then life is grand & you can move on, if not yea, you'll be back there.
You can do a job right or you can do it 1/2 assed. In 11 yrs as a system
admin I've only reformatted 3-4 PC's due to trojans & virus's. A
reformat is not the cure or a fix & unless you have everything you need
off line that machine is more prone to problems than it was before re-
formatted

 

[David W. Hodgins]

With my experience, I don't like such operations to be made without any log
or any configurable restriction or any human consent. As I said in the other

I agree with you, that you should be clear on what is being done, however,
for most people, it's much easier and safer, to let the av software remove
the malware.

post, I recently made an exception to this rule, letting FixNeysky from
Symantec doing the job in my place. The result is:
- First, I damaged major files on my server (IDE hard disk driver), opening
the door to scandisk destroying the FAT of one of my disks when attempting
to correct an allocation error. The problem is that I was quite sure the
virus wasn't installed on the server. It was pure verification !

It's very unlikely, that the fixnetsky program caused the corruption to the
file system. More likely, it's just coincedence. Scandisk can make things
worse. It is not a good tool, for data recovery.

- Second, A similar thing happened on my main computer the virus was
installed on. Now, I've bad clusters and crossed file inputs in the FAT. For
the moment, I've not yet touched to this disk in order not to increase the
damages. I've to backup it first. Then I'll see what to do.

Are both hard drives around the same age? It sounds more like you've got
hardware problems, in addition to the netsky worm.

I'd be curious to hear from other people having had bad experiences and also
to compare with lucky others.

Most of the problems I've seen, have been from people trying to remove a virus
that encrypts the mbr, or other parts of the file system, without the proper tools,
or that also have hardware problems.

Regards, Dave Hodgins

 

[Aldo Larrabiata]

Hi, thanks for the feedback.

I don't think so that's a coincidence. Usually my disks are safe (unless I'm
missing something !). I check more than often my configurations and the fact
that two disks who present similar problems after using the same fix, looks
a little bit strange.

I don't think so that the fix altered the file system. More likely it
altered a driver or something like that. At least, on my server the IDE
driver is corrupted. I've verified but at the moment, I can't remove it,
windows 98SE crashes before completing the operation.

I agree with you Scandisk is a silly program. But I don't have a smart one
to be used instead. So I've to live with it !
This is also the reason I don't want to correct anything on my main
computer's hard disk prior to performing any backup. _lotta_ CD ROMs :-((
When this will be done, I'll probably use scansisk once more !!

Both hard disks aren't of the same age. One is an old Quantum 1080 MB PIO4 5
or 6-year old. The second is an ATA100 Maxtor 40 GB Diamond plus 8, 3-year
old.
They're installed on different computers.

Definitely I'm sure this is not hardware related but the problems are most
likely the consequence of the software on the hardware.
I also agree the root cause could not be fixnetsky. But again this is the
only common point to the two computers ! Difficult to change my mind !

Bye

 

[Gabriele Neukam]

On that special day, Aldo Larrabiata, ([email protected]) said...

Both hard disks aren't of the same age. One is an old Quantum 1080 MB PIO4 5
or 6-year old. The second is an ATA100 Maxtor 40 GB Diamond plus 8, 3-year
old.
They're installed on different computers.

Which hard disk is sitting in which computer? Is there a hard disk
manager on the 40 GB disk, which "translates" the hard disk geometry
into something which can be understood by the BIOS (maybe because it can
only access hard disks up to 32 GB directly, without the disk manager)?

Antivirus programs tend to misunderstand disk managing programs for boot
sector viruses and "fix" them, rendering the hard disk unreadable.


Gabriele Neukam

(e-mail address removed)

 

[Aldo Larrabiata]

Hi,
The 1080 MB HD is mounted on my server, with an Asus TXP4, a K6-200 CPU and
a BIOS able to recognize up to 32 MB. There's no translation software. One
primary hidden 7.8 MB partition and one 1 GB extended with a logical disk in
it (I use this scheme in order not to modify the letters when I move disks
from one computer to another one).

The 40 GB is presently mounted on my main computer, with an Asus A7N8X and
an Athlon 2400+. This disk was formerly installed on the K6 with a
translation utility provided by Maxtor and limited to 32 GB by the disk
jumper. It was recognized as 40 GB thanks to the disk manager. When I put it
on my A7N8X, one year ago,I removed the jumper, I removed also the utility
with the help of the Maxtor tools and I resetted the disk. I repartitioned
it with 2 primary partitions (40 MB each) one hidden, one bootable, an
extended one containing 4 big logical units. Everything went fine. Except
sometimes, scandisk under DOS says that the size is reported as incorrect
and it adjusts it. This has been happening quite often over years with
several disks, both IDE and SCSI and on three computers (Asus P55-TP4XE +
P100, Asus TXP4 + K6-200 and Asus A7N8X Deluxe + Athlon 2400+)

1- Server problem:
Today (since netsky virus removal), The 1080 MB of the server is fine under
DOS but the driver is marked with an exclamation mark under Win98 system
properties. Noway to remove the IDE driver in order to install it again.
When I pased the fixnetsky, the first time (prior to knowing that the driver
was corrupted) it stopped telling me that there were errors on the disk
always on the same file (I ran it 4 times). I launched scandiskw and it made
a mess.
I attempted to format the disk under Win but it didn't complete. I did it
under DOS, verifying the job under DOS & Partition Magic. I didn't find any
errors. I successfully ran a surface test.
Then, Iput some files onto it, under a windows session, through the network
(from the A7N8X computer onto the server's disk), I CRC tested them from the
server, everything was OK. I ran again scandisk on the server errors were
indicated but didn't made any correction. Then the disk appeared in error,
impossible to read it. The directories weren't present anylonger or
garbaged. I booted again the server under DOS. No problem.
Scandisk under DOS didn't reveal any problem. Windows again, the readings
and the disk accesses were correct until I ran again scandiskw. It messed it
again.
When I boot on another partition of the primary disk of the same computer
(the server), this disk if fine, scandisk works properly.

I could reinstall windows but I would prefer to repair it because of the
number of softs to re-install and the time to spend to retrieve the
originals.

2- Main computer problem:
There are crossed files in the FAT and one bad cluster: "the input of E:\Az
is incorrect, the first cluster od the directory input is invalid ..."
Only a 10 GB partition of this disk is concerned. This is the primary disk,
logical partition number 2.
Because of the total lack of control I have onto scandisk, I keep this
partition as is waiting to backup it.


As I said the two HD problems appeared after fixnetsky was run on both
computers. It completed on the A7N8X and aborted on the server. The main
computer's log was correct, it didn't create any log on the server.

I'm completely convinced windows has been damaged during the scaning / virus
removal on the server.
Concerning the main computer, I'm afraid to repair the error due to the fact
scandisk might destroy the data. Perhaps it's nothing but I can't remember
having seen such a message warning against damaged cluster. The disk works
fine under Win. I didn't test it booting on another partition. Since the
error is reported under DOS, I don't feel this kind of test is necessary. In
this case this isn't the windows' driver which is at the origin of the
problem. Definitely the problem is different unless disk accesses to the
FATs have been made either by the virus or by fixnetsky.

Thanks

 

[Gabriele Neukam]

On that special day, Aldo Larrabiata, ([email protected]) said...

The 1080 MB HD is mounted on my server, with an Asus TXP4, a K6-200 CPU and
a BIOS able to recognize up to 32 MB. There's no translation software. One
primary hidden 7.8 MB partition and one 1 GB extended with a logical disk in
it (I use this scheme in order not to modify the letters when I move disks
from one computer to another one).

Interesting. that means, you have a very small FAT16 partiton in front,
and another larger one (FAT16 or FAT32?) after that. I am not quite sure
if the Windows you are using, can handle that, especially with a
partition that is *hidden*. Maybe the partition table was "fixed" by the
removal tool in a way, that made the result even worse than before the
cure. Virus scanners aren't always prepared to deal with behaviour
untypical to the OS they are used under (I wonder if they are using own
hard disk access routines to fix things like weird partition table
entries, or if they make use of the OS tools). Ask Zvi Netiv about that,
he will probably be able to find out what went wrong.

The 40 GB is presently mounted on my main computer, with an Asus A7N8X and
an Athlon 2400+. This disk was formerly installed on the K6 with a
translation utility provided by Maxtor and limited to 32 GB by the disk
jumper. It was recognized as 40 GB thanks to the disk manager. When I put it
on my A7N8X, one year ago,I removed the jumper, I removed also the utility
with the help of the Maxtor tools and I resetted the disk. I repartitioned
it with 2 primary partitions (40 MB each) one hidden, one bootable, an
extended one containing 4 big logical units. Everything went fine. Except
sometimes, scandisk under DOS says that the size is reported as incorrect
and it adjusts it. This has been happening quite often over years with
several disks, both IDE and SCSI and on three computers (Asus P55-TP4XE +
P100, Asus TXP4 + K6-200 and Asus A7N8X Deluxe + Athlon 2400+)

I would back up all important data from that hard disk and *wipe* it
with a Maxtor low level formatting tool, just to make sure that the
changed hard disk geometry access doesn't mess the partition table up.
The hidden partition might also get in the way of your *boot*able
partition, if the OS thereon is of the Win9x kind, which would normally
only boot from the first primary partition, which is supposed to be
right at the beginning of the hard disk. You set up your disks in a very
unusual way, and again I suspect that the fix ruined the partiton table,
trying to make the computer boot from the first partition of all, and
maybe shifting the info of the second primary partition to the first
one.

1- Server problem:
Today (since netsky virus removal), The 1080 MB of the server is fine under
DOS but the driver is marked with an exclamation mark under Win98 system
properties. Noway to remove the IDE driver in order to install it again.

Look into another tab of your system properties, it shouöd be the last
one (in German it is called "Leistungsmerkmale", which translates to
performance signs). Look if there is an entry that the partition is run
in "compatibility mode", and read the details. Maybe you'll have to
remove a "Noide" entry from the registry, or check for bad real mode
drivers in the Config.sys or Autoexec.bat

When I pased the fixnetsky, the first time (prior to knowing that the driver
was corrupted) it stopped telling me that there were errors on the disk
always on the same file (I ran it 4 times). I launched scandiskw and it made
a mess.
I attempted to format the disk under Win but it didn't complete. I did it
under DOS, verifying the job under DOS & Partition Magic. I didn't find any
errors. I successfully ran a surface test.
Then, Iput some files onto it, under a windows session, through the network
(from the A7N8X computer onto the server's disk), I CRC tested them from the
server, everything was OK. I ran again scandisk on the server errors were
indicated but didn't made any correction. Then the disk appeared in error,
impossible to read it. The directories weren't present anylonger or

Ouch. The File Allocation Table went bad or was misread.

garbaged. I booted again the server under DOS. No problem.

Be careful. It might look fine for DOS (which uses a fairly direct
device access), but might still crash when using Windows. If the FAT
reading gets bad, and you save files while the machine is running in
this unstable state, you might overwrite the good FAT with bad info, and
lose files (or rather the pointers to the files).

Scandisk under DOS didn't reveal any problem. Windows again, the readings
and the disk accesses were correct until I ran again scandiskw. It messed it
again.

Try to make your hard disk partitioning as plain as possible. The worm
fix did obviously "repair" things it shouldn't have bothered with.

When I boot on another partition of the primary disk of the same computer
(the server), this disk if fine, scandisk works properly.

I could reinstall windows but I would prefer to repair it because of the
number of softs to re-install and the time to spend to retrieve the
originals.

Hm. I'll tell my opinion below.

2- Main computer problem:
There are crossed files in the FAT and one bad cluster: "the input of E:\Az
is incorrect, the first cluster od the directory input is invalid ..."
Only a 10 GB partition of this disk is concerned. This is the primary disk,
logical partition number 2.
Because of the total lack of control I have onto scandisk, I keep this
partition as is waiting to backup it.

As I said, there are several probable reasons for the ruined partition
table - the former presence of a disk drive manager, which doesn't run
any more but has some influence on the way the disk geometry is
organized internally, because it was "translated" by the driver, which
works the other way round, too, when the fdisk created a partition.

Second, there are two primary partitions, which are accessed on boot up
in an unusual way, which might cause the OS to be kind of "disoriented",
if it suddenly finds itself beyond the primary partition #1.

And there is yet another issue. At least the Win9x versions (I don't
know about the NT variants) don't like partitions that start/stop in the
midst of a cylinder (that is a stack of sector rings, located exactly
above or below each other, on different sides of the hard disk platters.
Think of it a a kind of bracelets of the same size, being stacked up).
Other OSes, mostly UNIces, can deal with that, but don't count on MS
products to tolerate such "breach of boundaries".

As I said the two HD problems appeared after fixnetsky was run on both
computers. It completed on the A7N8X and aborted on the server. The main
computer's log was correct, it didn't create any log on the server.

I'm completely convinced windows has been damaged during the scaning / virus
removal on the server.

This might well be, especially if the removal tool did more than it
should have done (perhaps someone suspected a boot sector component to
be present in the Netsky worm); but I don't know for sure what really
happened. As we Germans say: "You don't stick inside there"

Concerning the main computer, I'm afraid to repair the error due to the fact
scandisk might destroy the data.

Once I had a Win 3.1 that crashed my FAT in irregular intervals on a
Pentium 100, and so I bought a new mainboard, only to be able to
configure the shadow BIOS, to exclude certain areas. The hard disk was
attached to a very simple SCSI controller (with no proprietary BIOS),
which had caused the problem.

The disk geometry is a delicate thing, and MS products don't do much
more than tell the hard disk to do this and that, and if something goes
wrong, they can't compensate for the error.


If you are willing to take risks, you might try the Ranish Partiton
Manager and re-create the partition table with that (while the data are
meant to be still readable). But you must be very confident, that the
result will be exactly as you had set up the partitions before; as
Ranish will do what you tell it, no matter what, and whatever might come
from that.

I would prefer a complete low level re-organisation (format doesn't
really fit it), and build the hard disks anew. I know that this means
much work, but imagine the errors still lurking in the background and
suddenly raising their ugly heads, exactly when you need it least.



Gabriele Neukam

(e-mail address removed)

 

[Aldo Larrabiata]

Good evening (.. night, it's 01:27!),

I didn't feel the time running. Interresting post you wrote.

I've been using this scheme for years on several computers and didn't have
any problems with win95 first then with Win98SE. My son as well has used it
with Win 2000. Not sure he tried with XP. I agree this is not a reason it
should work _without_ trouble.

Coming back to the 1080 MB, the partition table wasn't garbaged. Partition
Magic doesn't ring on errors. Only the contents of the 1 GB partition (BTW
it's a FAT32) were destroyed and under Windows, this perfectly reproducible
as far I correct the errors with scandiskw. On another hand, the disk is
perfectly clean when I boot on the second partition. Even scandiskw doesn't
find errors or induce trouble. The IDE drivers of the first one are probably
corrupted they are preceded by an exclamation mark.

About the hidden primary partitions, I don't think so that this is an
unusual combination. This is typically the case of a multiple boot installed
by Partition Magic. The exception is that they are on a secondary IDE port.

Concerning the main computer and the 40 GB disk, I agree with you: a clean
format will be performed when the data are backuped.
But again, I've no problem to boot with this computer neither on the main
partition nor on the second one via bootmagic. So the partition table
shouldn't be damaged. The configuration of Partition Magic is the following:
a maximum of 4 primary partitions (I use two) including an extended one are
allowed. On the three primary partitions you may install different OSes but
only one partition must be visible and active. The two others must be
hidden. This is processed by bootmagic, offering the possibility to activate
the one you want, just after the POST, hiding the others. Then the boot
process is nominal on the active partition. However a precaution needs to be
taken during the windows installation: Windows unhides all the partitions
during the process, keeping the first one as active. When it ask to reboot,
you must insert the bootable Partition Magic diskette to hide the unwanted
partitions. Well documented in the manual.

1- Server: bingo! the disk uses the DOS compatible mode. This confirms the
exclamation mark.
I've already checked the 16 bit drivers in config.sys & autoexec.bat. There
isn't any. What do you mean by a "noide" entry ?
OK, the registry is a good clue to look for drivers, but where shall I look
for, any idea ??
I also agree not to write anything on the disks which present anomalies.
This could be lethal for the data.

Uh! you arrive at the same conclusion as I did ! the fix was so efficient
that it repaired everything it found on its way !! Very conservative
approach !

2- Main Computer problem:
I've banned fdisk a long time ago! I use to prepare the brand new disks
either with the manufacturer's tools or with partition magic.
I thought to some remnants coming from the initial configuration (with
EasyBios) but I completely cleaned the disk with the Maxtor's procedure
restoring the manufacturer status. I trusted Maxtor and I wipped this idea.
You put it again in my mind. Then I partitioned it with partition magic or
Maxtor tool. Don't remember.
I think there's a misunderstanding: There are not two primary partitions
which are accessed. There is one hidden and one visible_and_active the
system boots on (dual boot).
Again you give me a clue when you say that partitions should not start/stop
in the middle of a cluster. This could explain the size errors reported and
perhaps the reason some files are crossed. I'll make some search on the
topic.


What I will do: On the server, I'll try to remove the corrupted drivers. I
don't know how but I'll look to the registry. I nitta understand first!
Second when I've time, I'll completely backup the disk and restart on a safe
basis. During the while if I can't manage to repair Windows, I'll use the
other partition Win98 is also installed on. I did that for security reasons
in order not to block the computer in case of failure. I realize I should ha
ve done that on two different disks. This is what we call the "experience"!

On the main computer, I'm in the process to install a SATA. I finish the
installation and I backup all the data of the main disk onto it. Then, look
to Ranish side and I'll compare the reports with Partition Magic. May be a
quick run of Maxtor Diagnostics. Then decision.

Thanks

 

[Gabriele Neukam]

On that special day, Aldo Larrabiata, ([email protected]) said...

1- Server: bingo! the disk uses the DOS compatible mode. This confirms the
exclamation mark.

Fine. Now we have found something which we can work upon.

I've already checked the 16 bit drivers in config.sys & autoexec.bat. There
isn't any. What do you mean by a "noide" entry ?

Well, the real mode drivers are mainly written for CDroms, to access
them under DOS. Some of them are badly done and interfere with the IDE
connection of the hard disks. I saw that myself on an ordinary Win98
machine, only disabling the CD driver in the config.sys would allow for
fixing the compatibility mode.

There are several ways to deal with the exclamation marks and the
compatibility mode

- boot in safe mode and delete all subentries of the hard disk
controller in the device manager. Reboot and have them re-detected.

- if that doesn't work, look in the registry for the string "noide". It
should be there only once, and keeps the machine from running in
protected mode. Remove the key. Reboot.

OK, the registry is a good clue to look for drivers, but where shall I look
for, any idea ??

Use the search function in the registry, it should send you to the noide
entry.

2- Main Computer problem:
I've banned fdisk a long time ago! I use to prepare the brand new disks
either with the manufacturer's tools or with partition magic. ....
Again you give me a clue when you say that partitions should not start/stop
in the middle of a cluster. This could explain the size errors reported and
perhaps the reason some files are crossed. I'll make some search on the
topic.

I don't know if the Maxtor tools allow for partitions in the midst of
cylinders. I can only tell that there are MVPs (a term for Windows
experts which do their job for free, on a kind of charity basis) that
say: as bad as fdisk is, it should yet be used, to avoid problems with
partitions.

But fdisk doesn't allow the creation of *several* primary partitions,
which is what you need.

There are several DOS versions by now, and some even for free. Perhaps
that one can do more than one primary partition

http://www.23cc.com/free-fdisk/

The "history.txt" of the program indicates that you can create up to
(the obligatory) 4 primary partitions with it, and it doesn support
FAT32.

Maybe the Ranish Partition manager can help, too. It is extremely
versatile, and works in any kind of DOS. For people who haven't heard of
it yet:

http://www.ranish.com/part/

On that site there is much additional info, and maybe one or two new
ideas to be found, too.

On the main computer, I'm in the process to install a SATA.

Interesting. I assume you installed a S-ATA controller? If I understood
it correctly, the controller should be treated by the BIOS similar to a
SCSI controller, that is if you want to change your boot sequence to
start from S-ATA first, the sequence should be similar to SCSI,C,A

Then, look
to Ranish side and I'll compare the reports with Partition Magic. May be a
quick run of Maxtor Diagnostics. Then decision.

Ok. I hope you can sort it out. A hard disk that is failing
intermittantly, although it should be healthy, is one of the worst
things a computer can have inside (apart from broken VIA southbridge,
that 686b)

Wishing you all good luck,


Gabriele Neukam

(e-mail address removed)

 

[Bart Bailey]

In Message-ID:<[email protected]> posted on Sat, 10 Apr

A hard disk that is failing
intermittantly, although it should be healthy, is one of the worst
things a computer can have inside

I've had that happen too, but the most frustrating thing that's happened
to me lately was the failure of a MB AGP socket.
Some time ago I tried out a high end video card a gamer friend was going
to sell me after he upgraded, seems the power requirements were a bit
too excessive for my system, and caused an arc. This must have
compromised the socket contacts, because for a couple years there was
the occasional small arcing (visible as dots on the screen) that would
clear up with a bit of manipulation, usually unplugging and re-plugging
the monitor cord. Well, it finally got beyond the manual quick fix
stage, and even a bitch slap to the side of the case wouldn't fix it, so
I had to revisit an abandoned project (another long story) and finish my
1.4gig box. As could be expected, this all came up at the low cash end
of the month. Only within the last few days have I got it all together,
running, and no more yellow icons in the device manager. ;-)