I got wacked real good x 3 (SOLVED)

For discussions about security.
obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

I got wacked real good x 3 (SOLVED)

#1 Post by obxjerry »

I was getting away from the pay to play OS anyway. Dual booting, keeping the old (what could it hurt) but using Puppy 95% of the time. I got a real kick in the pants to move me along.

My son's computer crashed, I had him bring it over, I looked at it and I was sure it was a hardware problem. I was wrong and in a matter of minutes had infected 2 of our computers. From what I understand, anything I do can kill, cure or do nothing and there's a good chance they're all dead anyway. FUD big time. The only way out is getting out the credit card.

The lesson learned is never use that other OS again.
Last edited by obxjerry on Thu 18 Mar 2010, 23:09, edited 1 time in total.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

lesson learned and fixes

#2 Post by prehistoric »

Hi obxjerry,

While I share your opinion in configuring machines for my own use, (the machine I'm on now sticks its tongue out at you if you choose the W*****s boot entry,) I still try to help people tied to that other OS world by organizations. I typically boot Puppy from CD on a malfunctioning machine to see if there are hardware problems before I assume I'm dealing with software, unless I recognize the characteristics of a particular infection. (Recognition is getting more probable for me with experience.)

Nearly always, I take a known good machine along for comparison, in case there is a network problem. I never connect this machine to a suspect machine. The principle is to maintain an "air gap" between suspected-infected and known-clean machines. Flash drives connected to a running suspect system should be considered suspect until proven innocent. (It helps to imagine you are dealing with the biological Ebola virus in avoiding contamination.)

If you take time in advance, you can use a tool like Spybot Search & Destroy to create a W*****s boot disk which scans for malware on boot up from a CD. There are also other tools for this.

With huge hard drives on modern machines, it is now good practice to create a partition with a complete restore image of the system you got from the factory. I've used the Comodo (free) back-up and restore software to create my own restore image on machines which don't have this already. (It helps to check that you can actually get this system onto the regular C: partition if that system is completely inoperable.) I also like to have a complete restore on an external drive. (Once again, protected by an "air gap". )

Once people realize this investment of time, energy and intellect is required to safely and reliably use that other OS, it becomes easier to talk about using something else.

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#3 Post by cthisbear »

You can boot Hirens etc and run a scan.
But try the Falcon first....below.

Also you can run Teamviewer through these boot cds.
No risk to people helping you out getting infected.

http://www.teamviewer.com/index.aspx

Use Run...not install

//////////////

Here's some tips...my posts.

http://murga-linux.com/puppy/viewtopic. ... 302#376302

Look at all the links too.

//////////

Shardana Antivirus Rescue Disk Utility.

http://forums.whirlpool.net.au/forum-re ... 60775&p=13

///////////

Falcons Rescue cd >>>>>>>>>>Excellent

Using ERD you can stop the startups, go back with System Restore,
off the cd.
Try the System Restore first....if your comp boots then make
sure that you turn it off and run your scans.
You can turn it back on later...2% is enough...not 12%

Malwarebytes....rename .exe as .com to defeat smarty viruses.
Latest Whirlpool tip.
Hitman Pro...quick scan on the net.
Has a onetime code to fix viruses.

http://thepiratebay.org/torrent/5283510 ... s_9.9__ERD

has ERD Commander, XP and Vista versions
which may well get you fixed easily.
Latest release has Konboot and Hirens 9.9.

ERD was made by the Systems Internals team
who fixed XP before MS could do a fix.

Microsoft had to buy them out and give them a job.

////////

http://forums.whirlpool.net.au/forum-re ... 349346&p=3

Chris.
Last edited by cthisbear on Mon 08 Mar 2010, 13:43, edited 1 time in total.

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#4 Post by obxjerry »

Hi folks,

What a wonderful world you live in, where a computer with a virus will boot from cd. :) I've put 2 of the machines in mothballs in case running them would make them more infected. The one I am working with will only boot from the floppy drive. I assume the others are the same. I'm trying to get a handle on whether I'm seeing the tip of the iceberg or the cover on the book. First and always is to contain the virus.

The point I was trying to make was most people in my position will buy a brand new computer, more AV software and always feel so vulnerable. I found my son a computer comparable to his for $35 on Craigslist. It had a Linux distro on it and I added Puppy hoping one of them would take root with him. As he was leaving with it he was saying he had talked to a friend that said he would install that other OS for him. Since he has found out his computer didn't die of old age and it took 2 more with it he's changed his tune.

In the end I'll probably buy a couple more old desktops, the ones too slow for anybody to want. Hopefully and likely I've had my last virus. I know there's files and pictures we didn't save. One of the computers we had recently gone through since I partitioned to install Puppy and we'd been warned data could be lost. The other I was trying to make space on the hard drive to add Puppy. I know I don't know what 90% of that stuff is. Puppy takes up less than 400 mb on my hard drive and doesn't grow without my say so.

Thanks for the advice and recommendations. Have you any knowledge of a virus that is keeping computers from booting to hard drive and cd? I can imagine the landfills filling as we speak.

Take care

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#5 Post by obxjerry »

cthisbear, I took the time to go through your post and click the links. You go the extra mile. Unfortunately, I have very little to work with.

When I say It doesn't boot I need to clarify. The hard drive doesn't turn. The cd turns briefly and rarely but never at boot. When I first started with it the tray wouldn't even open. I can change boot sequence, cd is set to boot first.

Normal start gets to XP splash screen and a blink of a blue screen with text (too fast to pick out a word) then reboot. Safe mode is scrolling text, hold, reboot.

I have found very little online. I have posted to a virus forum, no replies. I did see where someone said a RAM stick removed from an infected machine could completely destroy a computer it was put in. Scary stuff indeed.

snowshaker
Posts: 23
Joined: Sun 24 Aug 2008, 15:58
Location: Midwesterner running Slacko Puppy 5.3

#6 Post by snowshaker »

If you got pics and stuff on the old drives, get a $20 USB enclosure and mount the drive. Then read it with another machine and save off what you need. Caution. Don't use a windows PC. Boot up Puppy or Linux or use a MAC. If the drive has an autorun.inf virus, it will jump right onto your good windows PC. Maybe that's what happened to you already?

As for viruses spreading via RAM sticks, that's just urban legend. RAM loses its data when powered down. Maybe your article was speaking of the BIOS memory. If you could stick a virus in there, it stays with the chip. What could it do? Well, I have read where one guy claimed his BIOS shows his picture when the PC boots, so that could be one way for a virus to keep you from booting into CD.

More likely though that you just have a bad CD drive, given that its tray was stuck.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#7 Post by Sylvander »

1. "The one I am working with will only boot from the floppy drive"
(a) So make a "Smart Boot Manager" [SBM] bootable floppy, and use the menu presented by that to choose to boot some other drive such as the optical drive.
The bootable optical disk needs to be seen by the BIOS [LED blinking starts when you close the drawer with the disk in place, then ceases] before you hit <Enter> with the optical highlighted.
If an attempt fails you'll see presented a big red warning window, but it's then easy to try again [and again] by hitting <Enter> each time.
AND...

(b) You should also attempt to set the BIOS boot menu order to:
FDD
CD-ROM
HDD
If you then want a particular drive to be booted, make sure there is a bootable disk in place there, and no bootable disk in the drives above it in the list.
AND/OR...

(c) Try resetting to the BIOS's default configurations...
Perhaps a virus changed the config settings.
Then do (b) above once again.

(d) It may even be that the virus changed the BIOS ROM, so that you need to "Flash the BIOS".
Or if the virus did that [OUCH! :( ]...
Swap in a new BIOS ROM chip.

2. "What a wonderful world you live in, where a computer with a virus will boot from cd"
Most of us live in that world.
If your PC won't boot a bootable CD, then you need to begin looking for the culprit in either the hardware or the BIOS.
[config settings, or BIOS ROM?]
e.g. Try re-setting the BIOS config settings to the defaults.

3. "most people in my position will buy a brand new computer"
NO WAY!
I've NEVER seen that being necessary.

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#8 Post by obxjerry »

I know this may be hard to believe but I really didn't post here to back door ask for help. This is a Linux website and I don't have a Linux problem.

Nevertheless, I really appreciate the help. I have a habit of replying to what is written when I read it so I haven't implemented anything yet. The SBM floppy sounds like just what I need. I think I spread the virus with floppy disks but I'll sacrifice one more. (I did not boot a healthy computer from an infected floppy.)

It goes without saying, you don't realize all the little things you had until you lose a hard drive. I was thinking I might try transplanting the hard drives into a Linux machine and reading them that way.

Please don't take this as me being snarky. I really appreciate you guys starting with the basics. Most people won't begin with the basic stuff.

BIOS names the HD and the CD drive and will stay set to boot the CD drive first, second and third. It still won't boot. I'm thinking boot sector, MBR.

Once bitten, twice wary, I'm over assuming hardware problems. I know I have 2 CD drives that won't boot.

I know a stick of RAM can't hold data but, the urban legend has me afraid to take a chance. Also I've seen flashing the BIOS chip can go wrong so I haven't done that yet.

I'm hoping I can identify this virus first and act accordingly from there.

I will agree that it is rare that a computer is a total loss, I live in a city that has a facility for collection of unwanted electronics. It is a big building with hundreds of complete computers. Big business thrives on people tossing the old and buying new. It happens a lot. I may be wrong but I think if I took one of my machines to a pro they would attempt to retrieve some data and try to sell me a new computer.

Thanks again

8-bit
Posts: 3406
Joined: Wed 04 Apr 2007, 03:37
Location: Oregon

#9 Post by 8-bit »

If they are desktop PCs, here is something to try to rule out the hard drive for the failure to boot from CD.
Disconnect the hard drive, power off of course, and then set up BIOS to boot from the CD and try that.
If the PC boots, then the problem is that the hard drive initialization code got overwritten, if that is possible.
If the CD does not boot, then the BIOS may be corrupted.

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#10 Post by Aitch »

snowshaker wrote:As for viruses spreading via RAM sticks, that's just urban legend. RAM loses its data when powered down. Maybe your article was speaking of the BIOS memory. If you could stick a virus in there, it stays with the chip. What could it do? Well, I have read where one guy claim his BIOS shows his picture when the PC boots, so that could be one way for a virus to keep you from booting into CD.
Whilst I agree ram dies without power refresh cycles, most likely what was meant was flashdrives/pendrives/Keysticks, or some other name for a file transfer USB storage device

They most definitely WILL transfer any number of viruses & as prehistoric said, consider them to have ebola, if transferring to another windoze box

obxjerry

Yes, this is a linux site and we're used to helping whether by the front or backdoor :wink:

My suggestion, is to try a PuppyCD as a live boot device, as a linux boot setup it is completely unaffected by ebola or any other virus!

You could then mount your existing H/D and copy any pics/docs you need to save to an external flashdrive or USB H/D or even burn to CD

....but you MUST run a recently updated virus scan as soon as you put the drive on any other windoze box, before copying them to that setup

Tip: emailing is normally scanned for virus, so you could email them to yourself....if there aren't too many :wink:

Chris's (cthisbear's) tips for dealing with viruses are probably some of the best around, though if the virus has affected the boot sector of the drive it may need reformatting & re-installing an OS, after saving your data, as a safe, simple way forward
There are utilities, like TRK/testdisk, which can repair a damaged drive, but it takes some skill
http://trinityhome.org/Home/index.php?w ... ront_id=12

see virusscan news here
http://trinityhome.org/Home/blog.php?front_id=15
testdisk info here
http://www.cgsecurity.org/wiki/TestDisk

Best of Luck

Aitch :)
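The salvage procedure described in the post above (boot a Puppy live CD, mount the suspect hard drive, copy the documents off, and scan them before they touch any Windows box), written out as an added example. This is not the thread's own code; it assumes the Windows partition shows up as /dev/hda1 on the live system, that you have a root shell there, that the destination is a clean external drive, and the mount point, file-type list and manifest name are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Salvage documents from a suspect
# Windows disk attached to a Linux live system without executing anything
# on it. Assumptions: the partition is /dev/hda1 (adjust to taste), we are
# root on the live system, and the destination is a clean external drive.

MNT=/mnt/suspect

# mount_suspect DEV: mount DEV read-only, with noexec/nosuid/nodev, so that
# nothing on it can be executed and the mount itself cannot alter the disk.
mount_suspect() {
    mkdir -p "$MNT"
    mount -o ro,noexec,nosuid,nodev "$1" "$MNT"
}

# find_autorun DIR: list autorun.inf files near the top of DIR and show what
# they would launch. A removable-media infection typically drops one in the
# root of the volume with an open= or shellexecute= line naming its payload.
find_autorun() {
    find "$1" -maxdepth 2 -iname 'autorun.inf' 2>/dev/null | while IFS= read -r f; do
        echo "== $f"
        grep -i -E '^(open|shellexecute|icon)=' "$f" | tr -d '\r'
    done
}

# salvage_docs SRC DEST: copy every regular file under SRC to DEST, keeping
# relative paths, except the file types Windows would execute or auto-open.
# Filenames containing a newline are not handled (assumed absent).
salvage_docs() {
    src=$1; dest=$2
    find "$src" -type f \
        ! -iname '*.exe' ! -iname '*.com' ! -iname '*.scr' ! -iname '*.bat' \
        ! -iname '*.cmd' ! -iname '*.pif' ! -iname '*.vbs' ! -iname '*.js' \
        ! -iname '*.lnk' ! -iname 'autorun.inf' \
    | while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dest/$(dirname "$rel")"
        cp -p "$f" "$dest/$rel"
    done
}

# manifest DEST: record a checksum of every salvaged file, so that after the
# copy has been scanned on a clean machine any later change can be detected.
manifest() {
    ( cd "$1" && find . -type f ! -name MANIFEST.cksum -exec cksum {} \; ) \
        > "$1/MANIFEST.cksum"
}

# Typical run on the live CD (shown as a comment, not executed here):
#   mount_suspect /dev/hda1
#   find_autorun "$MNT"
#   salvage_docs "$MNT/Documents and Settings" /mnt/usb/salvage
#   manifest /mnt/usb/salvage
```

The mount options are the important part: ro keeps the suspect disk exactly as it was (useful if it is later examined or repaired with testdisk), and noexec means that even a slip of the finger cannot run anything from it. The extension list only blocks the obvious launchers; the copied documents still get the full scan Aitch asks for before they go anywhere near a Windows machine.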

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#11 Post by obxjerry »

You people are the best. You restore my faith in my fellow man.

8-bit, I've tried unplugging the hard drive and taking out the CMOS battery several times.

I know it's hard to believe anyone would say RAM could spread a virus and even harder to believe that anyone would believe it. The specifics were an infected machine with 3 sticks of RAM gave one apiece to 3 healthy machines. Only one of them got the virus. I know there has to be a logical explanation. Nobody would believe that, unless they just got wacked real good x 3. Hey I'm not sure I trust my Puppy CD-R since it's been in there. I do have 6 floppies and a 16 gig flash drive in quarantine.

I'm waiting to get with my wife so we can agree on a floppy that can be overwritten with SBM. One step at a time.

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#12 Post by Aitch »

Only one of them got the virus. I know there has to be a logical explanation. Nobody would believe that, unless they just got wacked real good x 3.
Sorry mate - there has to be another reason, & I suspect the PC had a virus before the ram was transferred, or some other thing has happened

RAM means random access memory, & can have timings from around 70ns to as low as 5ms, and MUST be "refreshed'' by pulses of power in order to stay active

http://en.kioskea.net/contents/pc/ram.php3

HOWEVER, once power is removed from the cells, memory capability evaporates, so no virus can possibly transfer to another PC
- you just couldn't move them quickly enough

Think again

I suspect your use of firewalls and antivirus/antispyware to be below par on all your PCs

Move to linux and forget it :wink:

Aitch :)

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

nvram & BIOS

#13 Post by prehistoric »

It now sounds like you got clobbered by malware that corrupts nvram or BIOS flash memory. Your first post didn't contain the clues I was looking for.

Having three machines develop the same "hardware" problems is highly suspicious, though I don't for a minute believe it was transmitted by RAM. Try to clear nvram with the jumper on the motherboard. Using a boot floppy to get further is the next step if this fails to resolve problems. (I still carry one in my tool kit, for those old machines which have floppies. In fact, I also have an ancient Tom's Root/Boot floppy with an entire OS I can use for troubleshooting.) This will get you to the point where it is possible to reflash the BIOS, if that is necessary.

While the code that would cause this is extremely malicious, it is unlikely to be commercial malware. So far, we don't see how anyone is making money. I'm betting it is not very sophisticated. Simply setting PCI latency to an incorrect value can cause IDE controllers to fail. This could affect both the hard drive and CD.

If you do turn up something which appears sophisticated, or produces a financial gain for someone, by all means report it to someone trustworthy who specializes in tracking malware. Many notorious pieces of malware could have been stopped early if people affected had reported failed experiments by malware authors. Computer criminals do regularly make mistakes. Here's a relevant item from today's news.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#14 Post by Sylvander »

My thoughts:
1. Your PC's POST is completing OK. [A good sign]

2. The BIOS then attempts to find a drive to boot, and that's where the problem is.
(a) The BIOS uses its boot menu to tell it which order to look for a bootable disk/drive.
It should boot the 1st bootable disk/drive it finds to be in a functional condition.

(b) It finds and boots a floppy just fine.
Is the FDD the 1st in the list or not?
If not the 1st...
e.g. If the optical comes before it, why is the optical being skipped?
-----------------------------------------------------------------------
(c) You say you tried 3 good opticals, and none booted a good [bootable] disk.
Remember, the optical disk MUST BE BOOTABLE!
Or it will be skipped!
The blinking of the optical LED [after you close the drawer, with the SBM menu on-screen?] tells you that the BIOS is attempting to read the disk, and when it succeeds, the blinking will stop.

(d) Is the Controller [to which the optical is connected] configured OFF in the BIOS Setup?
[Or is the controller faulty? Or the connector faulty?]
Is the optical drive [and HDD also] shown in the BIOS Setup as being detected?
-----------------------------------------------------------------------
(e) If you don't provide any bootable floppy or optical...
The BIOS ought to look for a bootable HDD.
Any sign that it does that?
Any warning [provided by the MBR] that [for example] no bootable disk was found?
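The question the post above ends on (does the BIOS find anything bootable on the hard disk, and is the MBR intact?) can be answered from a Linux live CD by reading the first sector and decoding it. The script below is an added example, not something from the thread or from any of the rescue CDs mentioned: it assumes the suspect disk is /dev/hda and unmounted, only ever reads from it, and the function names are my own. The bootstrap checksum is meant to be compared against the same sector from a clean machine running the same Windows version.

```shell
#!/bin/sh
# Added example, not from the thread. Read the 512-byte MBR of a suspect
# disk from a Linux live CD and decode it: boot signature, a checksum of the
# bootstrap code, and the four partition entries. Reads only, never writes.
# Assumption: the disk is /dev/hda (adjust) and is not mounted.

# mbr_hex DEV: the first sector of DEV as 1024 lowercase hex digits.
# -v keeps od from collapsing runs of identical bytes into a "*" line.
mbr_hex() {
    dd if="$1" bs=512 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# byte_at HEX N: byte N (0-based) of the hex string as two hex digits.
byte_at() {
    printf '%s' "$1" | cut -c $(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))
}

# le32_at HEX N: the little-endian 32-bit integer starting at byte N.
le32_at() {
    hex=$1; n=$2
    b0=$(byte_at "$hex" "$n");        b1=$(byte_at "$hex" $((n + 1)))
    b2=$(byte_at "$hex" $((n + 2)));  b3=$(byte_at "$hex" $((n + 3)))
    echo $(( 0x$b3$b2$b1$b0 ))
}

# decode_mbr HEX: print what the BIOS would see. Layout of a classic MBR:
# bytes 0-445 bootstrap code, 446-509 four 16-byte partition entries,
# 510-511 the 55 AA signature without which the BIOS skips the disk.
decode_mbr() {
    h=$1
    sig=$(printf '%s' "$h" | cut -c 1021-1024)
    if [ "$sig" = "55aa" ]; then
        echo "signature: 55AA ok"
    else
        echo "signature: $sig MISSING (MBR overwritten or unreadable)"
    fi
    # checksum of the bootstrap code (as hex text); compare with a clean
    # machine's MBR from the same Windows version
    code_sum=$(printf '%s' "$h" | cut -c 1-892 | cksum | cut -d ' ' -f 1)
    echo "bootstrap cksum: $code_sum"
    i=0
    while [ $i -lt 4 ]; do
        off=$(( 446 + i * 16 ))
        st=$(byte_at "$h" $off)
        ty=$(byte_at "$h" $((off + 4)))
        lba=$(le32_at "$h" $((off + 8)))
        cnt=$(le32_at "$h" $((off + 12)))
        if [ "$ty" != "00" ]; then
            # status must be 80 (active) or 00; anything else is corruption
            case $st in
                80) flag=active ;;
                00) flag=inactive ;;
                *)  flag="BAD status $st" ;;
            esac
            echo "partition $((i + 1)): type 0x$ty $flag start LBA $lba sectors $cnt"
        fi
        i=$((i + 1))
    done
}

# inspect_mbr DEV: the whole thing for one disk, e.g. inspect_mbr /dev/hda
inspect_mbr() {
    decode_mbr "$(mbr_hex "$1")"
}
```

If the signature is reported missing, or no entry is flagged active, the BIOS will behave exactly as described in the thread: POST completes, the hard disk is skipped, and you fall through to the floppy. That is a software problem (fixable from a rescue disk after the data is copied off), not a dead drive. If the signature and table look sane but the bootstrap checksum differs from a clean machine's, the boot code itself has been replaced, which is what a boot-sector infection looks like from the outside.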

Bligh
Posts: 480
Joined: Sun 08 Jan 2006, 11:05
Location: California

#15 Post by Bligh »

Interesting issue, and a good read, thanks for sharing it.
Cheers

technosaurus
Posts: 4853
Joined: Mon 19 May 2008, 01:24
Location: Blue Springs, MO

#16 Post by technosaurus »

Barry has recently posted some stuff on his blog for flashing the BIOS using freedos and some other utils... fortunately his usage was just to fix minor hardware compatibility issues with the gecko edubook

http://bkhome.org/blog/?viewDetailed=01400
Check out my github repositories (https://github.com/technosaurus). I may eventually get around to updating my blogspot (http://bashismal.blogspot.com).

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#17 Post by obxjerry »

OK, I've gone from looking for leads to having to choose my next move, great improvement. I tried SBM but it didn't boot. Like most people, working with floppy disks is a distant memory. I'm thinking I should have done more than copy the download to floppy. I had trouble accessing the manual but I have it now. It's hard when you're working with your third and fourth string computers.

CMOS lists IDE primary master as Maxtor 2RO10 H1 and IDE secondary master as CD-ROM 52x/AKH. In BIOS sequence they're HDD and CD-ROM. The CD drive has a Puppy CD that has always booted in the past. Messing with BIOS is new territory for me so I'll need baby steps on that.

It's confession time. I see 3 possible ways the computers got infected. First, they all caught it in the wild.

Second, my son brought his infected tower. I connected and disconnected it in one of my systems several times and, without thinking, I connected it to our network. The second computer I discovered with the virus is the one that was out when his was in. The two could not have been connected at the same time.

The third, and I think most likely, is that I spread the virus with floppies. His computer was running XP. I burned a start disk on our XP computer. His said it couldn't find the COMMAND.COM file. I put it back into ours, searched for the file, didn't find it, so I burned it again. Now his does boot to a command prompt. I didn't boot our computer with the floppy. I know that's a no-no. I thought I was safe as long as I didn't boot up from the floppy.

When he brought his computer it had a Windows 98 startup disk in it. The computer that his was taking the place of is a Puppy and ME dual boot. I'm thinking ME burns the same startup disk as 98 so I swapped it back in and burned a startup disk over that disk.

In addition to those floppies I have 2 floppies that get Basiclinux 1.8 running. I'm sure more can be done with these tools than I know how to do.

I'm thinking if the virus is carried on the floppies it should be able to be found there. Is that a possibility?

No memory sticks have been swapped. I was thinking ahead. If the computers were beyond repair, what could I salvage? In my researching viruses on line, I saw the bit about RAM not being 100.00% safe and I passed that on.

Since there has been no RAM switch I'm thinking there is no possibility of a CL latency problem. Am I right?

I don't have 3 opticals connected. In my desperation to get the CD drive to boot I made it first, second and third on the boot sequence. Of course that didn't help.

Honestly, I don't know what the symptoms were on the second of our computers to get the virus.

The third, I had caught up all of the XP updates, ran an Avast scan, downloaded Kaspersky Rescue Disk for the other computers and was running it on that one. It booted fine. I set it to scan the C drive (hard drive). It saw the hard drive as D. It scanned a couple of hours getting about half way through and froze. I restarted it, It ran a couple of hours making it a little further and froze again. Then it wouldn't boot so I shut it down.

We have been watching our financial accounts and changing passwords. Nothing sinister so far. We didn't have firewalls, don't allow file sharing and were running Avast free edition. It worked up until now. Using wireless I see 2 to 4 networks with no security at all so there are worse than me.

I realize all concerned are anxious to get to the bottom of this. Unfortunately, my time has limits. This may take a while.

Thanks as always

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#18 Post by obxjerry »

Sorry Double post

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#19 Post by amigo »

You need to 'burn' the floppy using 'dd', not simply copy the file to the floppy.

dd if=floppy.img of=/dev/fd0 bs=512

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

creating floppy from image file

#20 Post by prehistoric »

What amigo means is that, under Linux, you need to open a terminal (as root) and use the command:

    dd if=floppy.img of=/dev/fd0 bs=512

to create the SBM boot floppy. On most systems the block size defaults to 512 anyway.

We're assuming you extracted the img file from the zip archive first.

You want to be careful with dd because it will do exactly what you tell it, even if you tell it to destroy a hard-drive filesystem. It writes to the raw device.

If you have a W*****s system running, you can create the boot floppy by downloading and running an exe file which does the writing for you.

Your copy operation merely placed data inside an existing file system on the floppy. It did not create the parts of the file system needed to make a bootable diskette.

Once you get a bootable floppy, you will need to learn a little bit about the program. Exactly what you do with it will depend on exactly what configuration you have, and which things are working. Learning to do this in a situation like yours is awkward. It is much easier to learn on a system without serious problems before you venture into unfamiliar territory.
