Can a virus hide in a PC's CMOS memory?
No. The CMOS RAM in which PC system information is stored and backed up
by batteries is accessible through the I/O ports and not directly
addressable. That is, in order to read its contents you have to use I/O
instructions rather than standard memory addressing techniques.
Therefore, anything stored in CMOS is not directly "in memory". Nothing
in a normal machine loads the data from CMOS and executes it, so a virus
that "hid" in CMOS RAM would still have to infect an executable object
of some kind in order to load and execute whatever had been written to
CMOS. A malicious virus can of course *alter* values in the CMOS as
part of its payload, but it can't spread through, or hide itself in, the
CMOS.
Further, most PCs have only 64 bytes of CMOS RAM and the use of the
first 48 bytes of this is predetermined by the IBM AT specification.
Several BIOSes also use many of the "extra" bytes of CMOS to hold their
own, machine-specific settings. This means that anything that a virus
stores in CMOS can't be very large. A virus could use some of the
"surplus" CMOS RAM to hide a small part of its body (e.g. its payload,
counters, etc). Any executable code stored there, however, must first
be extracted to ordinary memory in order to be executed.
This issue should not be confused with whether a virus can *modify* the
contents of a PC's CMOS RAM. Of course viruses can, as this memory is
not specially protected (on normal PCs), so any program that knows how
to change CMOS contents can do so. Some viruses do fiddle with the
contents of CMOS RAM (mostly with ill intent) and these have often been
incorrectly reported as "infecting CMOS" or "hiding in CMOS". An
example is the PC boot sector virus EXE_Bug, which changes CMOS settings
to indicate that no floppy drives are present.
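A defender's check for the kind of CMOS alteration described above, added here as an example that is not part of the original post: it audits a 64-byte CMOS dump against a known-good baseline and flags a stale checksum, floppy drive types changed to "none", and altered "surplus" bytes. The offsets (floppy type byte 0x10, checksum over 0x10..0x2D stored at 0x2E/0x2F) are the standard AT layout; the function names and sample images are constructed, and obtaining the dump is assumed to happen elsewhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CMOS_SIZE    64    /* total CMOS RAM on most PCs, per the text      */
#define CMOS_STD_END 0x30  /* first 48 bytes: use fixed by the IBM AT spec  */
#define CMOS_FLOPPY  0x10  /* drive A type in high nibble, B in low; 0=none */
#define CMOS_SUM_LO  0x10  /* standard checksum covers bytes 0x10..0x2D     */
#define CMOS_SUM_HI  0x2D
#define CMOS_SUM_AT  0x2E  /* stored high byte first at 0x2E, then 0x2F     */
enum { F_BAD_SUM = 1, F_FLOPPY_NONE = 2, F_SURPLUS = 4 };

/* 16-bit sum of the configuration bytes covered by the standard checksum. */
uint16_t cmos_checksum(const uint8_t *c) {
    uint16_t sum = 0;
    for (int i = CMOS_SUM_LO; i <= CMOS_SUM_HI; i++) sum = (uint16_t)(sum + c[i]);
    return sum;
}

/* Compare a current dump with a known-good baseline; returns F_* flags. */
int cmos_audit(const uint8_t *cur, const uint8_t *base) {
    int flags = 0;
    uint16_t stored = (uint16_t)((cur[CMOS_SUM_AT] << 8) | cur[CMOS_SUM_AT + 1]);
    if (stored != cmos_checksum(cur))
        flags |= F_BAD_SUM;      /* settings edited, checksum left stale */
    if (cur[CMOS_FLOPPY] == 0 && base[CMOS_FLOPPY] != 0)
        flags |= F_FLOPPY_NONE;  /* drives now reported as absent */
    if (memcmp(cur + CMOS_STD_END, base + CMOS_STD_END, CMOS_SIZE - CMOS_STD_END))
        flags |= F_SURPLUS;      /* "surplus" bytes differ from the baseline */
    return flags;
}

/* Constructed baseline: one 1.44 MB drive A (type 4) and a valid checksum. */
void make_baseline(uint8_t *c) {
    memset(c, 0, CMOS_SIZE);
    c[CMOS_FLOPPY] = 0x40;
    uint16_t s = cmos_checksum(c);
    c[CMOS_SUM_AT] = (uint8_t)(s >> 8);
    c[CMOS_SUM_AT + 1] = (uint8_t)(s & 0xFF);
}

int main(void) {
    uint8_t base[CMOS_SIZE], cur[CMOS_SIZE];
    make_baseline(base);
    memcpy(cur, base, CMOS_SIZE);
    cur[CMOS_FLOPPY] = 0x00;  /* constructed change: floppy types zeroed */
    cur[0x38] = 0x5A;         /* constructed change: a surplus byte written */
    printf("audit flags = 0x%x\n", cmos_audit(cur, base));
    return 0;
}
```

Because the comparison is against a saved baseline, the floppy and surplus changes are still flagged when the checksum has been recomputed to match the altered settings.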
Thursday, April 22, 2010
Thursday, January 21, 2010
What is 41.exe? Spyware/malware/virus

Associated Malware Groups
The unsafe files using this name are associated with the malware group:
* Cloaked Malware
File Behavior
41.EXE has been seen to perform the following behavior:
* Enables an In Process Object/Server - Common with DLL Injections
* Creation and Registration of a Browser Helper Object in Internet Explorer
* Adds a Registry Key (RUN) to auto start Programs on system start up
* This process creates other processes on disk
* Registers a Dynamic Link Library File
* This Process Deletes Other Processes From Disk
* Creates new folders in the file system
* Uses DNS to retrieve the IP address for web sites
* Executes a Process
* Writes to another Process's Virtual Memory (Process Hijacking)
* Can communicate with other computer systems using HTTP protocols
* Creates system tray popups, messages, errors and security warnings
* The Process is packed and/or encrypted using a software packing process
* Executes Processes stored in Temporary Folders
* Creates or uses a background service to access the Internet using HTTP protocols
* Injects code into other processes
41.EXE has been the subject of the following behavior:
* Created as a process on disk
* Executed as a Process
* Has code inserted into its Virtual Memory space by other programs
* Deleted as a process from disk
* Executed from Temporary Folders
* Terminated as a Process
* Executed by Internet Explorer
Country Of Origin
The filename 41.EXE was first seen on Oct 22 2007 in the following geographical regions of the Prevx community:
* India on Oct 22 2007
* Spain on Oct 30 2007
* China on Oct 30 2007
* on Aug 27 2008
* Canada on Sep 11 2008
* The United States on Sep 14 2008
* Brazil on Jan 20 2010
File Name Aliases
41.EXE can also use the following file names:
* ILAN213V41.EXE
* TMP63B1.TMP
* 41[1].EXE
* S4Q0
* 18467.EXE
* 90794102.TXT
Filesizes
The following file sizes have been seen:
* 169,472 bytes
* 11,599 bytes
* 153,764 bytes
* 163,773 bytes
* 444,416 bytes
* 90,653 bytes
* 273,513 bytes
File Type
The filename 41.EXE is used by multiple object types including executable programs, objects.
File Activity
One or more files with the name 41.EXE creates, deletes, copies or moves the following files and folders:
* Deletes c:\docume~1\user\locals~1\temp\nsh7.tmp
* Creates c:\docume~1\user\locals~1\temp\nsh9.tmp
* Deletes c:\docume~1\user\locals~1\temp\nsxB.tmp
* Creates c:\docume~1\user\locals~1\temp\nsxb.tmp\System.dll
* Creates c:\windows\system32\xdjrtecswiaartg.dll
* Creates c:\docume~1\user\locals~1\temp\nsxb.tmp\NSISdl.dll
* Creates c:\docume~1\user\locals~1\temp\activation_key
* Deletes c:\docume~1\user\locals~1\temp\activation_key
* Opens/modifies c:\autoexec.bat
* Creates c:\documents and settings\user\application data\Microsoft
* Creates c:\documents and settings\user\application data\microsoft\Crypto
* Creates c:\documents and settings\user\application data\microsoft\crypto\RSA
* Creates c:\documents and settings\user\application data\microsoft\crypto\rsa\S-1-5-21-1017937101-3376078148-572454927-1003
* Deletes c:\docume~1\user\locals~1\temp\nsxb.tmp\NSISdl.dll
* Deletes c:\docume~1\user\locals~1\temp\nsxb.tmp\System.dll
* Creates c:\docume~1\user\locals~1\temp\9597_appcompat.txt
* Creates c:\docume~1\user\locals~1\temp\19FF4.dmp
Network Activity
One or more files with the name 41.EXE performs the following network events:
* DNS Lookup 85.92.152.44 mysidesearch.com
Website Activity
One or more files with the name 41.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.
* TCP:127.0.0.1:1094 Port:17
* Port 80 IP:85.92.152.44
* Port 80 IP:85.92.157.141
Tuesday, October 13, 2009
Lock the taskbar option not working?

This is sometimes caused by the option being greyed out.
To enable it, edit the registry:
go to Start -> Run -> regedit,
then HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\explorer
and delete the locktaskbar key.
Tuesday, July 29, 2008
Networking error 71
Error 71
1. Is someone connected as you? Been giving out your password?
2. Were you disconnected all of a sudden before this happens? You could be 'ghosted' on the server. The ISP can usually "bump" the 'ghost' off through radius.
How to fix Network error 20?
Error 20
1. Make sure the correct modem is selected.
2. Does the modem respond to diagnostics? It may need to be reinstalled.
3. Is RNAAPP loaded into memory after closing the dialer? If so try the RNAAPP fix.
4. Reinstall NCP/DUN/RAS.
Dial-Up Networking Errors (DUNS)
Windows 95, 98, Me, NT, 2000, XP, and Vista.
In later versions of operating systems (NT, 2000, XP and Vista) some of the errors can occur for connections other than traditional dial-up modem connections: they may occur with DSL and VPN (virtual private networking) connections that do not involve dial-up.
NOTE: Some solutions call for re-installing DUNS and/or TCP/IP. See this Microsoft KB article for Win 95/98 instructions to remove and re-install DUNS and TCP/IP. Newer versions of Windows don't allow DUNS to be uninstalled: see Reset DUNS (TCP/IP) in Windows 2000 & XP.
Windows Vista: Dialing directly from the 'Connect To' menu or other shortcuts will not display DUNs error codes - instead, particularly large and unhelpful dialog boxes are shown as detailed here. In order to see any DUNs error codes, you must dial from the 'Manage Network Connections' Window.
Connectoids. In many cases, DUNs Errors can be solved by correcting the properties for your dial-up networking connections.
ERROR 50 - The request is not supported.
600 - An operation is pending.
601 - The port handle is invalid.
602 - The port is already open.
603 - Caller's buffer is too small.
604 - Wrong information specified.
605 - Cannot set port information.
606 - The port is not connected.
607 - The event is invalid.
608 - The device does not exist.
609 - The device type does not exist.
610 - The buffer is invalid.
611 - The route is not available.
612 - The route is not allocated.
613 - Invalid compression specified.
614 - Out of buffers.
615 - The port was not found.
Network Cable Unplugged Errors in Windows
If your network is not functioning properly, you may see "A Network Cable Is Unplugged" messages appear repeatedly on the Windows desktop. Messages may pop up on the screen once every few days or even once every few minutes depending on the nature of the problem. This can occur even if you are using a WiFi wireless network. How can this problem be fixed?
-------------------------------------------------------------------------------------
Several possible causes of "A Network Cable Is Unplugged" messages exist. The error message appears on a computer when an installed Ethernet adapter is seeking to make a network connection.
Disable the Ethernet network adapter if you are not using it. This applies, for example, when running a WiFi home network with computers that have built-in Ethernet adapters. To disable the adapter, double-click the small Network Cable Unplugged error window and choose the Disable option.
Check both ends of the Ethernet cable connected to the adapter to ensure they are not loose.
Replace the Ethernet cable with a different one to verify the cable is not damaged.
Update the network adapter driver software from the manufacturer's Web site.
Change the Link Speed and Duplex settings (using Device Manager) to use "100 Mbps Full Duplex" or "10 Mbps Full Duplex" instead of Auto Detect.
Replace the Ethernet network adapter if it is a removable PCI or PCMCIA card. First remove and re-insert the existing adapter hardware to verify the card is connected properly. If necessary, also replace it with a different card.
The device your Ethernet adapter is connected to, such as a broadband modem or network router, may be malfunctioning. Troubleshoot these devices as needed.