
Computer shuts down when cable is connected

  • Computer shuts down when cable is connected

    Maybe someone can help me out here.
    I have an old computer that I use as an FTP server.

    AMD Athlon XP 1500 MHz

    Motherboard Asus A7V880


    Tonight the computer just died. I didn't do anything and didn't touch it.
    Well bye bye I thought to that one.
    I figured out that the computer works just fine as long as I don't connect the network cable.
    As soon as I do that it shuts down immediately. Weird.
    Any ideas why this happens and what I can do about it?

  • #2
    Are the event logs showing any errors when it happens?

    When you start it up with the cable connected how far does it get in the boot process before it quits?

    Comment


    • #3
      Boot into safe mode and see if the problem still occurs. If it does, reinstall the NIC driver to see if the problem still occurs. If it does, replace the NIC and see if the problem still occurs.

      Comment


      • #4
        My suggestion would be to reload the network drivers, reboot, and set up the network connection if none of the other stuff previously posted works for you.
        2011 Mitchell MD100sce Acoustic
        1979 Takamine F-349 (Martin Lawsuit
        copy)
        2011 Fender American Special Jazz Bass (Olympic white)
        2008 SX SJM-62 electric with 3 P-90's

        Comment


        • #5
          It could be the connector itself. If the above suggestions don't work, try another network card.
          Missin' Marko46

          "I've never been given more to bear than I can endure."
          Marty Mann

          "In a world where carpenters get resurrected, everything is possible."
          Elanor in Lion in Winter

          Comment


          • #6
            I just read a security article about an SMB trojan that does the same thing. The computer will operate normally when not networked, but as soon as it is networked it will crash due to a bug in the boot loading virus. The code steals banking data. The trojan hides in the boot sector (MBR). It copies the Master Boot Record to another sector, writes itself in, then writes the MBR as a tail to itself. Hard to get rid of.

            To check if you have such before going further, get a copy of GMER and run it looking for the trojan.

            If GMER finds a trojan, copy all of your material in your documents and settings folder to another drive - drive, not partition. Departition the infected HD, repartition it, reformat and reinstall. There are other ways to get rid of it, but they are not certain.

            Comment


            • #7
              I just read a security article about an SMB trojan that does the same thing. The computer will operate normally when not networked, but as soon as it is networked it will crash due to a bug in the boot loading virus. The code steals banking data. The trojan hides in the boot sector (MBR). It copies the Master Boot Record to another sector, writes itself in, then writes the MBR as a tail to itself. Hard to get rid of.

              To check if you have such before going further, get a copy of GMER and run it looking for the trojan.

              If GMER finds a trojan, copy all of your material in your documents and settings folder to another drive - drive, not partition. Departition the infected HD, repartition it, reformat and reinstall. There are other ways to get rid of it, but they are not certain.


              I agree with normn.
              It's a virus problem... the trojan infects all your files, HDD.
              So your computer or HDD is hard work to refresh.
              By the way, you need to reinstall to get a good system.

              Comment


              • #8
                I just read a security article about an SMB trojan that does the same thing. The computer will operate normally when not networked, but as soon as it is networked it will crash due to a bug in the boot loading virus. The code steals banking data. The trojan hides in the boot sector (MBR). It copies the Master Boot Record to another sector, writes itself in, then writes the MBR as a tail to itself. Hard to get rid of.

                To check if you have such before going further, get a copy of GMER and run it looking for the trojan.

                If GMER finds a trojan, copy all of your material in your documents and settings folder to another drive - drive, not partition. Departition the infected HD, repartition it, reformat and reinstall. There are other ways to get rid of it, but they are not certain.


                I can tell you how to get rid of it.
                First go to the web site of your hard drive's manufacturer and download a "Low Level Format Utility". This puts the drive to "NOTHINGNESS" as it is not really a format at all but sets the drive to all zeros. Then power down your computer to rid the trojan from system memory. Now boot up to a Windows Startup disk and format the drive. Now reload Windows. Yep, a bit more trouble but if you want the computer to work for you again it is worth it.
                2011 Mitchell MD100sce Acoustic
                1979 Takamine F-349 (Martin Lawsuit
                copy)
                2011 Fender American Special Jazz Bass (Olympic white)
                2008 SX SJM-62 electric with 3 P-90's

                Comment


                • #9
                  The particular Trojan boot kit I was referring to is called the "Sinowal." Because it infects the MBR and because you have to boot the infected Windows box to run the manufacturer's format programs, you run the chance of reinfecting the system. There are a few ways around this, such as booting from a non-Windows OS and running the utility, or booting into a VM and running the utility, or perhaps booting from a Bart PE boot disk. But the above post is not a guarantee.

                  The entire article is here.

                  Here is the basic analysis of the Sinowal. There are more advanced analyses for the techies if they look:

                  BEGIN:
                  Abstract

                  In my fourth paper I want to present my analysis work of the Sinowal Bootkit. I will discuss and explain how Sinowal works, what it does and where it comes from. The analysis work represented here was done weeks ago for Ikarus Security Software. Sinowal (also known as Torpig) is a new phishing trojan with occurrence over 300.000 times in the world. Enjoy reading!

                  - Peter Kleissner, Software Engineer (October 2008)

                  Sinowal

                  Sinowal is a new rootkit and login- phishing and logging trojan. At runtime it does not log only any password (whether pop3 email, netbanking or amazon customer login) but also provides phishing capabilities in Internet Explorer. It is written by people from the Russian Business Network (RBN), and this is my special interest to publish their source code here. Sinowal can be considered as Bootkit + Trojan/phishing. It comes with a single infector file, but later acting via various parts settled down in the system. It's also notable that there are different versions existing, newer ones will have more "features". I'll explain everything in detail later.

                  Infector File

                  Sinowal is spread around the world via one single infector file. I guess it's shipped in spam mails until this is one main part of the Russian Business Network. The infector file of Sinowal is 407 KB big (417.368 Bytes), but there are also other versions with different file sizes existing. It is very interesting that when executing the infector file its really infector code is executed at time 18 minutes and 45 seconds and not at the very beginning. 40 minutes after starting the infector file, it will terminate itself and execute itself in another process further. Then, 2 minutes later at 425, it will infect the machine and starts a restart of the machine within a second.

                  The time table what Sinowal Infector File does at time:

                  00:11 Execution of Infector File starts
                  00:19 Process delays execution
                  08:43 Investigation of target (local) machine starts, loading system dlls, functions, registry values
                  18:45 Infecting the machine, writing itself low-level (sector based) to any \??\RealHardDiskN and \??\PhysicalDriveN it finds
                  40:23 Execution continues in another process/file, but in same context
                  425 Last infector operations
                  426 Executing a Windows System Restart

                  The infector creates and uses various files. It is very interesting any Sinowal version I investigated creates the file "C:\NeverFile25615". At instruction 34, the infector file gets the environment variable L"NeverVar25615" from system, most probably to terminate itself if the system is already infected.

                  During the execution of the infector, the infector itself copies into the user temp directory, executes the created file and deletes the old one. This is standard process control execution obfuscation. The new file will be named somewhat "n.tmp" with n to be a number, I have seen "2B.tmp", "13.tmp", "16.tmp".

                  The original infector file looks like a normal file, no cryptic imports or headers. It imports just statically following functions from Kernel32.dll:

                  Sleep
                  VirtualAlloc
                  VirtualFree
                  VirtualProtect
                  LoadLibraryA
                  GetProcAddress
                  CreateFileA
                  WriteFile
                  GetEnvironmentVariableW

                  The first thing I see is that there is no import for CloseHandle function, which leads me to say that this is filthy written code. Second to say, the infector file gets much more function addresses of different dlls at runtime.

                  Now the interesting part starts, the infection. As mentioned previously, the infector file infects the computers hard disks low-level sector based. It uses the common used WriteFile interface for writing the sectors onto hard disk. Now everything is going to be VERY complex. The infection at static, the infection at runtime, the copying, the movements. I will start with an overview of the whole process and go into detail later.

                  Sinowal is a Bootkit, which means it overwrites the Master Boot Record and later then hooks and bypasses every Windows System function. So, the first thing Sinowal for infection does is, to read the Master Boot Record and copying the Partition Table from it. Then it takes its own Master Boot Record, which is included in the infector binary file, and copies the new Partition Table into it. But not only the Partition Table should be preserved, also the Microsofts original Master Boot Record. For this, the infector copies the first sector of the original Master Boot Record into the last sector of the new malicious Boot Record. Then it's ready to write the new malicious Master Boot Record to disk. The functions and parts of the new malicious Master Boot Record will be discussed later.

                  Money is not the total, so infecting just a Master Boot Record is not enough, it's just the at-runtime infecting/hooking part but not the executive. Sinowal copies also a malicious kernel driver onto the disk, at the end of the disk, offset is ~ -10 MB from end. This is the place where no partition is, the space is and should be reserved, Microsoft Software will never allow it to be used by any partition. This hidden 10 MB contain some Microsoft -only information and system restore information.

                  That's it! That is the execution of the Sinowals infector file.

                  Runtime Execution of Sinowal

                  The runtime execution of Sinowal is in detail not easy to describe. For this, I use "stages" for describing the stage of the executed bootkit code. Summarised, Sinowal exists now of the malicious Master Boot Record and the malicious Kernel Driver at end of the hard disk. I describe Sinowal in following stages (not the completed list):

                  Stage 1: Master Boot Record, first sector of disk is executed; located in disk.sector0, memory.7C00h; loaded and executed by BIOS
                  Stage 2: further hook module; disk.sector60, memory.9F600h, memory.9F800h (located at end of Real Mode Memory); executed by ntldr hook, loaded by Stage 1 code
                  Stage 3: Kernel Files; memory.9f800, disk.sector 61, executed at address 806cde00, directly after ntoskrnl; executed by ntoskrnl hook, loaded and relocated by Stage 2 code
                  Stage 4: Hook Code; 81066630 +, system memory allocated dynamically; here debugging and reverse engineering stops; => CALL FOR KERNEL DEBUGGER
                  Stage 5: driver code; location unpredictable; called by ntoskrnl function return code; unpredictable caller; this is the last code
                  Stage 6: Executable; the driver at end of disk will be executed by stage 5 code; unknown location


                  Conclusion

                  It's time to come to a conclusion. Everything seems now a bit disappointing to me; the second main part of Sinowal (runtime hook code) is just stolen code from other projects. Sinowal works only on Windows XP machines, not on Windows Vista (see chapter "Affected Systems"). Sinowal is much more sophisticated than previous viruses, you can call it "high-tech". And as it's high-tech, it's also successful. Until it is making millions there will be the necessary request and effort for its further development. Sinowal is the current leading virus of the viruses. But nevertheless there are some program errors in Sinowal and there are many things making Sinowal not working/crashing your system. I'm sure we will see future versions working on Vista. Now I will continue with analysis of the driver which has not been discussed here.

                  Comment
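
A defender-side check for the disk layout described in the quoted analysis, as an added example that is not part of the original post or the paper: it parses the MBR partition table of a raw disk image and lists non-zero sectors outside every partition, covering the gap after sector 0 (where the analysis places the relocated boot code) and the unpartitioned tail (where it places the driver). The function names and the sample image are constructed for illustration; use it on an image taken while booted from other media rather than from the suspect Windows install.

```python
import struct

SECTOR = 512

def parse_partitions(mbr):
    """Return (type, first_lba, sector_count) for each used MBR partition entry."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count != 0:       # byte 4 = partition type, 0 = unused
            parts.append((entry[4], first_lba, count))
    return parts

def audit_image(image):
    """List non-zero sectors outside every partition: the gap after sector 0
    and the unpartitioned tail. These are leads to examine, not verdicts,
    since boot managers and disk metadata can legitimately live there."""
    total = len(image) // SECTOR
    parts = parse_partitions(image[:SECTOR])
    first_used = min((p[1] for p in parts), default=total)
    last_used = max((p[1] + p[2] for p in parts), default=total)
    findings = []
    for lba in [*range(1, first_used), *range(last_used, total)]:
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if not any(sec):
            continue
        where = "pre-partition gap" if lba < first_used else "unpartitioned tail"
        kind = "boot-signature sector" if sec[510:] == b"\x55\xaa" else "non-zero data"
        findings.append((lba, where, kind))
    return findings

def build_sample_image():
    """Constructed 256-sector image: one partition at LBA 63..199, plus data
    planted at sectors 60 and 62 and in the tail to mimic the layout above."""
    img = bytearray(256 * SECTOR)
    struct.pack_into("<B3xB3xII", img, 446, 0x80, 0x07, 63, 137)
    img[510:512] = b"\x55\xaa"
    img[60 * SECTOR] = 0xEB                                  # stand-in code byte
    img[62 * SECTOR + 510:62 * SECTOR + 512] = b"\x55\xaa"   # relocated boot sector
    img[250 * SECTOR] = 0x4D                                 # stand-in tail payload
    return bytes(img)

if __name__ == "__main__":
    for lba, where, kind in audit_image(build_sample_image()):
        print(f"LBA {lba}: {kind} in {where}")
```

A second sector carrying the 0x55AA signature inside the pre-partition gap is the finding most worth following up, since a stock Windows XP layout leaves that gap zeroed.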


                  • #10
                    This could be due to the remnants of ccc ransomware - http://nabzsoftware.com/types-of-threats/ccc-file

                    Comment


                    • #11
                      Originally posted by Triton
                      I figured out that the computer works just fine as long as I don't connect the network cable. As soon as I do that it shuts down immediately. Weird. Any ideas why this happens and what I can do about it?


                      There is a short somewhere -- in the NIC, within the network cable (probably around the jack if anywhere), or possibly in the Ethernet switch/hub you are connecting to.

                      Your power supply is also probably a bit weak at supplying enough current of the 5-volt bus.


                      Comment












