TechSpot

Phantom Floppy Disk Player Hijacking CPU Cooling Fan

By Daniel Burkus
Feb 20, 2016
Post New Reply
  1. My PC seems to have had a virus infection which has been cleaned up. However, there is a residual matter that is causing problems (the PC crashes/shuts down suddenly), and Broni (from the Virus and Malware Removal Forum) suggested that I post this matter here in the Windows forum. I should mention that I am recovering from cataract surgery, so my eyesight is messed up -- better than it was before, of course (then I was totally blind in one eye and legally blind in the other), but I have no peripheral vision any more, so if I am not staring directly at something (like a line of text, or a display) I am no longer able to notice it if something changes.

    My PC is a Daokorea S19 (while from Pittsburgh, PA, I am living in South Korea now, hence the locally purchased model). The O/S is Windows 7 Ultimate, 32-bit (US version). I am including a photo of the PC because this question refers to a display (circled in red in the right-hand photo) which (used to) show the CPU's temperature and fan animations (along with an obnoxious beeping sound to warn whenever the CPU was getting hot).

    daokorea pc s19.jpg

    When the machine became infected, this display stopped lighting up, the alarm stopped (and so the CPU overheats and I guess this is what crashes the machine). Simultaneously with the loss of this function, an A: drive icon appeared in My Computer; however, the PC does not have a Floppy Disk Drive (and does not even have a place where such a drive could be installed). I assumed that the virus or whatever it was created a phantom drive in which to disguise itself.

    The first time I removed this phantom Floppy Drive via the device manager (first uninstalling the Floppy Disk Drive, and then uninstalling the Standard Floppy Disk Controller -- for some reason the order was important), the display (circled in red, above) lit up, showed the CPU temperature, with the alarm and fan becoming functional again. However, the next time the PC was restarted after being shut down, Windows reinstalled the drivers, and the phantom A: reappeared in My Computer. After that, though I can uninstall this non-existent hardware, the CPU display has never lit up again. And if I uninstall the hardware, the drivers are reinstalled the next time I start up Windows.

    The continuing failure of the CPU temperature monitor/overheating alarm/special cooling fan (this fan has a unique auditory signature, hence it is easy to recognize when it is on, and it has not been on since the brief period after I uninstalled the phantom Floppy Disk Drive and Floppy Disk Player for the first time, mentioned above) means that the PC can easily overheat and crash, which must not be good for the hard drives. If it is possible, I would like to resolve this issue. Unfortunately the PC was rebuilt in January (new main board, new graphics card, and so on) and Windows 7 reinstalled by a friend of mine, and apparently he did not think to make a restore point (which I only discovered after the symptoms of the infection started to appear -- this infection slipped through Windows Defender, Avast AV, SUPER Spyware, Malwarebytes, and Spybot, which scans I run daily to weekly, and I only became aware that something was wrong when the machine started shutting down with increasing frequency).

    I guess that is enough information for now. If anyone here might be able to help me, I would very much appreciate it. The machine shutting down without warning is making it very difficult for me to concentration on my translations, and so impacting everything else. Thank you all for your time. Please have a good day.

    Oh, I will be going out of town Monday morning, 2/22 (which would be Sunday evening in the USA), and should be back here sometime Saturday evening, 2/27. Thank you.

    -- Daniel M. Burkus
     
  2. Cycloid Torus

    Cycloid Torus TS Evangelist Posts: 1,657   +309

    Broni says you are clean. You had a recent rebuild so the machine is clean and I expect the thermal paste renewed and in the right place.

    Makes me want to focus on the phantom A: and why it keeps appearing. Is it hardware? BIOS reflecting 'hardware' incorrectly? Drivers reflecting 'hardware' incorrectly?

    Do you have manuals from motherboard and from case maker? Can you check wiring for the temp/fan bunch? Does it agree with manuals?

    Can you get into BIOS? Does the BIOS look good / right when you call it up? Is drive A: floppy 'disabled' in BIOS?

    Can you access motherboard maker's website? Do you have latest drivers and BIOS? Does this include drivers for the temp/fan bunch?
     
  3. Daniel Burkus

    Daniel Burkus TS Enthusiast Topic Starter Posts: 66

    Thank you for taking the time to reply. I am not a computer specialist, and am recovering from cataract surgery, so my eyesight is impaired. That said, the first appearance of this phantom A: drive correlates (precisely) with the commencement of the episodes of the PC shutting down (which have been explained as being due to excessively high CPU temperature). Furthermore, the first time I uninstalled the drivers (via Device Manager) for the Floppy Player, the display (circled in red in the above photo) came back to life, and the fan (which has a very distinct sound, which allows me to recognize when it is on -- it can not be ignored, actually) resumed the function of cooling the CPU when the temperature went up. However, the next time the PC was started up, Windows reinstalled the drivers, and the CPU temperature display remained dark. Subsequently uninstalling the drivers had no further effect: neither the CPU temperature display, nor the fan that cools the CPU, have returned to functionality, even briefly.

    I do not know how to open the BIOS, unfortunately, or where to check -- it is too many years since I did that kind of thing, and never with this PC.


    > You had a recent rebuild so the machine is clean and I expect the thermal paste renewed and in the right place.

    Honestly, I wouldn't know about whether the thermal paste was removed, or where it should be applied.


    > Makes me want to focus on the phantom A: and why it keeps appearing. Is it hardware? BIOS reflecting 'hardware' incorrectly? Drivers
    > reflecting 'hardware' incorrectly?

    There is no Floppy Drive, and the machine has no port into which such a drive could be installed. The phantom Floppy Drive was not present in My Computer until the episode -- the occasion two weeks ago or so when the PC started shutting down. So if it is due to the BIOS reflecting hardware incorrectly, then somehow the BIOS was modified at the time in question.


    > Do you have manuals from motherboard and from case maker? Can you check wiring for the temp/fan bunch? Does it agree with manuals?

    No. I did not buy the mother-board, the person who repaired the PC bought it. I do not know whether it was new or used.


    > Can you get into BIOS? Does the BIOS look good / right when you call it up? Is drive A: floppy 'disabled' in BIOS?

    I have never gone into the BIOS on this PC. Years ago I knew how to do that, but what I remember doing does not seem to work with this machine. I'm sorry. (I have not had to deal with BIOS issues for maybe 10 years.)


    > Can you access motherboard maker's website? Do you have latest drivers and BIOS? Does this include drivers for the temp/fan bunch?

    Actually, I do not know any of the details of the mother-board. The processor is an "AMD Athlon 64 x2 Dual Core Processor," but I do not know who made the mother-board. However, as I said, the PC worked perfectly for perhaps a month. Then suddenly these issues began, and I assumed that the machine had become infected with a virus or other malware. As I discussed with Broni, this may have been related to Tumblr spontaneously playing videos and the fact that the Adobe Flash Player was out of date, allowing the system to be infiltrated by malware: I can recall the PC "burping" as it were (occasionally windows like command prompt windows, sometimes white sometimes black flash for a fraction of a second on the desktop, mostly during start-up but occasionally at other times as well, though never for long enough for me to see what they are: this never happened before), and from that time it has been shutting down and neither the CPU temperature display, nor the CPU's fan, have turned on (except for the single episode the first time I uninstalled the Floppy Disk Drive, and then uninstalling the Standard Floppy Disk Controller). As I said, the shutting down seems to be directly connected to the appearance of the phantom A: drive (or, more specifically, to the disappearance of the CPU temperature display, which seems to be connected with the appearance of the A: drive).

    As I mentioned to Broni at the beginning, I have to go out of town today, and will be leaving for the airport in 3 hours. I should be back here Saturday evening (I am in South Korea now, and the difference is somewhere between 14 and 16 hours, I believe, depending on where you are based; so it will probably be Saturday morning where you are). If you can walk me through the process of finding the information you need, checking the BIOS and so forth, I will be happy to do so at that time. Here is the basic information about my PC:

    Basic Information about my PC.JPG

    Thank you very much for taking the time to help me deal with this. Please have a good week.

    -- Daniel M. Burkus
     
  4. Cycloid Torus

    Cycloid Torus TS Evangelist Posts: 1,657   +309

    Try http://www.belarc.com/free_download.html to get a full picture of your system. It will include some information you will want to keep private - so do not post it.

    Need to know motherboard maker, BIOS version & motherboard model and also case manufacturer if at all possible. The rest of it will tell you a lot about your system.
     
    Last edited: Feb 21, 2016
  5. Daniel Burkus

    Daniel Burkus TS Enthusiast Topic Starter Posts: 66

    I will meet the person who rebuilt the machine on my way to the airport. So I will try to get these details for you, and post them here on Saturday. Thank you for your help. Please have a good week.

    -- Daniel M. Burkus
     
  6. Daniel Burkus

    Daniel Burkus TS Enthusiast Topic Starter Posts: 66

    Sorry, I have been ill, and the issue that appears to be malware recurred (this will be explained in the next post).

    I hope this scan (generated by CPU-Z <http://www.cpuid.com/softwares/cpu-z.html> provides you with the information you need:

    CPU-Z (1).JPG CPU-Z (2).JPG CPU-Z (3).JPG CPU-Z (4).JPG CPU-Z (5).JPG CPU-Z (6).JPG CPU-Z (7).JPG
     
  7. Daniel Burkus

    Daniel Burkus TS Enthusiast Topic Starter Posts: 66

    I also kept a .txt of the scan, if you want me to post that data here for you.

    Now, as for the most recent issue, I will copy and paste what I sent to Broni (this is representative of all other events of this sort):

    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    If you have never used Tumblr, you may have difficulty understanding this. I was looking through the blogs I follow on Tumblr (which are mostly blogs that follow mine) and apparently one of them has been black listed (by the Korean government, from all indications) -- there is no way to know this has happened, so as to avoid it, and this blog I had been following for more than a year. At any rate, when I opened that blog, rather than opening its page, the blog opened in my "dashboard" (the page that shows the feeds from all of the blogs I follow), and when a blog does that it means the Korean government is inserting malware into my PC. Precisely why any given blog might be blacklisted is not clear: while that blog occasionally posted adult content, much worse blogs seem unaffected, so I have no idea what their criteria might be -- but it is probably completely arbitrary (their censor did not like something he or she saw). When I realized what was happening, I tried to shut Firefox down, but that never works. Anyway, the command prompts that I mentioned flashed and then the cooling system of my PC shut down again (which is supposed to make the CPU overheat and crash the PC). When this kind of malware attack first began to happen, Combofix was able to resolve it. But recently the malware prevents Combofix from loading completely. Running Emsisoft first allows Combofix to run next, and this combination restores the cooling system. Now whether it actually removes the malware, or simply interrupts its manifestation, I can not say -- I am not a technical expert. I might suspect that the malware is disguised as something else, and remains present (hence the command prompts that run randomly, as I explained, due to whatever it is that stimulates the malware -- sometimes when I am watching a CD from a disk, sometimes when I am reading news from a page with embedded report or large or extensive graphics, and so on: perhaps a spyware component). Apparently trying to open a blacklisted blog just triggers the malware into action.

    I have to suppose that this is a professionally-created malware, not something made by kids messing around with too much time on their hands, since it seems exceptionally well disguised (so none of the scans is picking up on the thing itself, just its manifestations). Again, when the cooling system is disrupted, Combofix disrupts whatever path is controlling this, and allows it to return to normal. (As I explained in the beginning, my PC has a display on the front of the case that shows CPU temperature, and the various cooling fans, with graphical representation of when they are on or off; and I have confirmed that it is accurate -- when it shows a fan running, the fan is actually running; and when the display is not working, the fans do not work either.) It is a way to control the behavior of the population by messing up their PC if they misbehave. As I said, I have written to Tumblr, because it seems that their security has been breached, but we will have to wait to see what they say. But, returning to the present, since nothing is showing up on any of the scan results, I do not know what, if any, resolution is possible, since it appears impossible to identify precisely what is going on.
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Broni indicated that he believes my PC is not infected, and that this is a hardware issue:

    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    I've never heard of any software being able to fix hardware issue.

    Whatever your computer issues are now they're not malware related.
    Your computer is clean.

    In this forum, we make sure, your computer is free of malware and your computer is clean :)
    Because the access to malware forum is very limited, your best option is to create new topic about your current issue, at Windows section.
    You'll get more attention.
    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Nevertheless:

    1) the phantom A: drive appeared the first time this occurred, and,

    2) the issue of the cooling system shutting down clearly recurs every time a suspicious blog is opened, as described in my comments (above). (As I said, the latest incident occurred when I attempted to open a blog that I have followed for more than a year -- heretofore without incident, of course.) Again, the cooling system shutting down is demonstrated by the display either turning off completely, or showing a garbled image (this happened one time; every other time the display was simply black).

    In the beginning, to repeat myself, the issue was resolved by running Combofix (which suggests, at least to me, that this is a software/malware issue, not a hardware issue as Broni maintains -- the cooling system is not autonomous, it is controlled by the operating system reacting to the elevated CPU temperature). When this happened a week ago (and again later in the week), however, Combofix would not load completely; I found that running Emsisoft Emergency Kit (which discovered a registry entry), while not resolving the issue with the cooling system, allowed Combofix to load completely, run, remove or disrupt whatever process(es) may have been involved, and so allows the cooling system to return to normal. The phantom A: drive no longer appears in My Computer, but this is because I disabled the driver to the floppy disk controller in Device Manager. (If this driver is allowed to function, then the phantom floppy disk player reappears in My Computer.) This problem has recurred 7 or 8 times, always in association with a Tumblr blog opening through my dashboard in a new tab, rather than opening in its own page in the tab, and the past several instances I have verified the process observationally: the hijacked page begins to open, and then, even before it is finished loading completely, the display that monitors CPU temperature promptly shuts down and the fans stop working. And the function of the cooling system can be restored only by running Combofix (now subsequent to running the Emsisoft Emergency Kit).

    I can think of no other details that I can provide at this time. Any suggestions that you may have would be very deeply appreciated. (As I mentioned, not using Tumblr is really not an option, since my blog -- in which I publish my translations -- is on that site and has been since the beginning 4 years ago; and it would be extremely difficult to move everything anywhere else, logistically and technically. Granted, I suppose I could forego the amusement of looking at the blogs of people who follow my own; but I would prefer not to have to do so, since there is precious little else available by way of diversion around here -- I am currently living in the deep countryside in South Korea, about an hour and a half from Seoul.)

    Thank you very much for your time.

    -- Daniel M. Burkus
     
  8. Cycloid Torus

    Cycloid Torus TS Evangelist Posts: 1,657   +309

    Last edited: Apr 3, 2016
  9. Daniel Burkus

    Daniel Burkus TS Enthusiast Topic Starter Posts: 66

    Thank you, and sorry to be late in getting back to you. I had a 5-part paper that I was preparing for publication. I am downloading the "Data Sheet" now.

    > You should consider a cloud based back up solution like https://www.idrive.com/ (free up to 5GB ).

    I will look into that.

    > You should consider a full 'image' backup since you are currently 'clean'.

    I acquired the program to make one yesterday.

    > Is there some reason you are using 32bit Windows? You are only able to access 1/2 of your RAM.

    Because, not being a tech person, I had no idea about such things. At any rate, that is the O/S that is installed, and I would rather not go out and buy a new version of Windows 7. Especially in my present jobless situation.

    Thank you, again, for your advice. I will see if I can figure out the Bios manual; if not, perhaps I will ask here.

    -- Daniel M. Burkus
     
  10. Daniel Burkus

    Daniel Burkus TS Enthusiast Topic Starter Posts: 66

    Sorry, the download on the page you indicated seems to be some kind of catalog, certainly not a user's manual (or at least none that I have ever seen). As for anything else, such as on line support -- where are the names/numbers of the components?

    Apparently I need to restate that I am recovering from cataract surgery, and have difficult seeing, especially things that require peripheral sight, like scanning through lists of things.

    -- Daniel M. Burkus
     
  11. Cycloid Torus

    Cycloid Torus TS Evangelist Posts: 1,657   +309

  12. Daniel Burkus

    Daniel Burkus TS Enthusiast Topic Starter Posts: 66

    Thank you. I found the information that was needed. Unfortunately, I am not having any luck getting into the Bios settings. I have read several suggestions on line (there is nothing in the manual that I can see), but none of them work. And the first screen that appears when I turn on the PC does not say what to push to get into Bios -- and I paused it long enough (with the Pause/Break button) to read the whole screen -- and the next screen simply gives the CPU and PC temperatures and such data, and then Windows loads.

    Meanwhile, I wrote to Tumblr, and the issue with malware seems to have stopped, so hopefully there will be no further incidents.

    Thank you for your help.

    -- Daniel M. Burkus
     
  13. Cycloid Torus

    Cycloid Torus TS Evangelist Posts: 1,657   +309

  14. Daniel Burkus

    Daniel Burkus TS Enthusiast Topic Starter Posts: 66

    Thank you for the suggestion (I could not find anything in the manual, and I think I read it carefully). I have to go out now, but will try it when I return. Have a good day.

    -- Daniel M. Burkus
     
  15. Daniel Burkus

    Daniel Burkus TS Enthusiast Topic Starter Posts: 66

    Sorry for the delay in getting back to you. I finally had time to mess around with this, and hitting delete solved the case. Once I got into BIOS, removing the A: drive was easily done. So, with this (and whatever it was that Tumblr did) I guess you can mark this one "case solved." Thank you very much for your patience and help. Please have a good weekend.

    -- Daniel M. Burkus
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...