Puppy Linux Discussion Forum
Forum index » Off-Topic Area » Security
I got wacked real good x 3 (SOLVED)
Page 5 of 8
All times are UTC - 4
Aitch
Posted: Mon 08 Mar 2010, 11:40

You/others may find this useful, too

Quote:
Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:

* repair a damaged system,
* rescue data,
* scan the system for virus infections.

Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.


http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html

or maybe too many cooks? Laughing

Aitch Smile
obxjerry
Posted: Mon 08 Mar 2010, 12:47


First, the good news. I learned how to and ran my first md5 checksum and they matched. My EBCD061P.ISO file says it has 6334054 bytes. I hope that will make a 60.4mb copy. Sylvander when you said I wasn't an expert I'll bet you didn't know how much you were understating the fact.

Aitch, don't you worry about too many cooks. I need all the help I can get. I talked to my wife. It seems formatting the hard drives isn't as good an option as I thought.

Until I hear something else I'm headed down the EBCD path. I'll try something else if that doesn't work.

As always you have my thanks.

Jerry
prehistoric
Posted: Mon 08 Mar 2010, 12:54    Post subject: recovering data without spreading malware


While we seem to be on the road to recovery here, there are some loose ends left. You still have three machines with suspect hard drives, several flash drives which may have been infected, and a number of floppies very likely to be infected. The malware doesn't appear to be sophisticated, but it is malicious.

You have an easy solution for data storage which has no data you want to preserve, format the medium and start over. This is likely to be the case for those floppies. I'm assuming your wife told you about data she wants preserved on those machines.

Where you want to preserve data, you should avoid copying it from suspect media using Windows -- the malware is designed to use features of Windows to propagate itself. My advice is to get Puppy running on a machine which can read those media, mount them and copy data which is personally meaningful to you to clean media.

Do this even if you expect to use malware removal tools to clean those media; it is always possible for things to go wrong when dealing with malicious programs. If anything does go wrong, you will have your most meaningful data safe, all you will have to replace is commercial software, etc. Failure may cost you some time and money, but nothing irreplaceable.

When you have saved those things you want to preserve, consider the time and effort of cleaning the media versus the time and effort of starting fresh without worries. In many cases, you will decide to nuke the remaining data by reformatting.

Always keep track mentally of those things which remain suspect. If keeping a mental list is unreliable, you may want to keep a list on paper. I have the habit of placing suspect items in a separate bag or box while I am working, so I am never in doubt about which items need to be checked before they can be considered clean.

When you run a scan on suspect media, make sure you are working from a known-good system with the latest version of the scanning software and the latest updates to malware definitions. In the last year, I have seen a new crop of malware which specifically targets popular anti-virus tools.

Malware which pretends to be a malware-removal tool has been around for years. Know your supplier, and check that you got the correct tool from their site, not a fake tool from a site spoofing theirs. There should be posted checksums for tools you download. Check that you actually got what they are publicly displaying.

Finally, when the crisis is over, and you are running a small system where you have a pretty good idea what is going on, remember to turn off the paranoia. Your family will thank me for this suggestion. Wink
Aitch
Posted: Mon 08 Mar 2010, 14:11


2nd that, prehistoric

....and if you've got awhile, it might not be a bad idea to re-read the thread from the start, as there may be some things you overlooked in your earlier flustered state of being.....you seem more stable now, even if the PCs aren't yet, [if that doesn't sound too unkind?]

Aitch Smile
Sylvander
Posted: Mon 08 Mar 2010, 15:17


1. I burned the Avira rescue disk, but couldn't manage to get a good display on my monitor; just a scrambled screen no matter what display settings I chose. Sad

Anyone know what I may be doing wrong?

2.
(a) By-the-way, this [version-1] EBCD cannot work with the contents of NTFS partition file systems.
This limitation only applies to tools that work with [e.g. read/write/manipulate] file systems.
Works with earlier systems = FAT32 etc.
The prog to make the floppy is OK of course, but [for example] MS Scandisk [GREAT prog] will only scan FAT[32], not NTFS.
The newer version-2 that isn't free CAN access NTFS, but has very limited functionality I believe.

(b) Don't get afrighted by the white text on a black screen at the 1st menu.
Just hit <Enter> [and make a couple of suitable config choices] to go to the 2nd menu where there is a much nicer colorful GUI, with a mouse cursor if I remember right.
Aitch
Posted: Mon 08 Mar 2010, 17:35


Sylvander

Maybe you burned it too fast? - or a bad d/l?
I don't know if it uses xorg or xvesa, assuming its a linux OS
If its DOS, it should use the same default one M$ uses, and should give at least a basic graphics capability unless you have a wild Nvidia or ATI card?

Perhaps ask on Avira's forum?

http://forum.avira.com/wbb/index.php?page=Thread&postID=711157

Aitch Smile
prehistoric
Posted: Mon 08 Mar 2010, 18:46    Post subject: Avira tools


I've used rescue systems made with Spybot S&D in the past. These require you to make them on a good Windows system, presumably before the crisis. I haven't tried Avira before. Looking at their forum, I'd say you aren't the only person to have trouble with video.

I haven't succeeded in burning that Avira CD. Part of the problem is my general problem with doing anything with Windows: find a working Windoze machine; wait for it to download and install all sorts of things which have changed since the last time I ran Windows; find the external CD burner; find the power block for the CD burner; wait for Windows to realize it already knows about the device; run CD burn program by double-clicking; tell it where to find the CD burner, etc.

In the current instance, I discovered the battery on one laptop had died since I last ran Windoze, while the power brick for it stayed behind at my last field location. This started me looking for the external drive for my netbook with Windows.

When I get all these things together, the program hangs for some unknown reason at various places during the burn, creating coasters.

Is there a way to find the image file it is burning, get a checksum to see if the download was good, and burn it with something I know, (preferably under Puppy)?
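A worked example for the two download checks raised in this thread: prehistoric's advice above to verify that a downloaded tool matches the checksum its supplier publishes (and not a spoofed copy), and the question in this post about checksumming the image and burning it from a system you trust. This script is added here as an illustration and is not from any poster or from Avira/EBCD; the file name rescue.iso, the drive /dev/sr0 and the digest value in the usage line are hypothetical. It needs the usual Linux userland tools (md5sum, sha256sum, head, cmp, stat), run from the known-good system, not the suspect one.

```shell
#!/bin/sh
# Added example (not from the thread): check a downloaded rescue ISO against
# the digest its publisher posts, then check the burned disc against the ISO.
# Hypothetical assumptions: the image is ./rescue.iso, the publisher's digest
# is an MD5 (32 hex chars) or SHA-256 (64 hex chars) string, and the optical
# drive is /dev/sr0. Needs md5sum, sha256sum, cmp, head and stat.

# verify_digest FILE EXPECTED_HEX
#   Picks the hash tool from the digest length and compares case-insensitively.
#   Returns 0 on match, 1 on mismatch, 2 when the input is unusable.
verify_digest() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "digest length ${#expected} is neither MD5 nor SHA-256" >&2
            return 2 ;;
    esac
    actual=$("$tool" "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $tool $file"
        return 0
    fi
    echo "FAIL $tool $file" >&2
    echo "     expected $expected" >&2
    echo "     actual   $actual" >&2
    return 1
}

# verify_burn ISO DEVICE
#   Compares only the first <size of ISO> bytes of the disc: a burned CD is
#   padded past the end of the image, so a whole-device compare would always
#   report a difference even for a good burn. A short read means a bad burn.
verify_burn() {
    iso=$1
    dev=$2
    size=$(stat -c %s "$iso")
    if head -c "$size" "$dev" | cmp - "$iso"; then
        echo "OK   $dev matches $iso ($size bytes)"
        return 0
    fi
    echo "FAIL $dev does not match $iso" >&2
    return 1
}

# Usage with the hypothetical names above (run from the known-good system):
#   verify_digest rescue.iso <digest copied from the publisher's own page> \
#     && verify_burn rescue.iso /dev/sr0
```

Two caveats a practitioner would add. The digest has to come from the supplier's own site (over HTTPS, and not from the same mirror the ISO came from), otherwise a match only proves the download was not corrupted, not that it is the genuine tool; a spoofed site can publish a matching digest for its fake. And a matching digest plus a matching burn removes the two silent failure modes described in the thread (a bad download and a "coaster"), so if the disc still misbehaves the fault lies with the hardware or the rescue system itself, not with the media.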
obxjerry
Posted: Mon 08 Mar 2010, 21:59


It turns out my son does have an external cd burner. I wasn't sure he had one but since he got it from me I had a strong suspicion. He'll be bringing it by tomorrow evening.

As luck would have it 2 of the 3 computers have nothing but NTFS file system. I'm thinking EBCD to get the boot floppy is still plan A? I have the EBCD file in puppy. With my son's burner I can put it on CD but then I have to use a NTFS computer to burn a floppy. That will work, right?

"you seem more stable now, even if the PCs aren't yet, [if that doesn't sound too unkind?]" My stability is fair game but please don't think for a moment I'm thin skinned.

As far as my quarantine method, anything capable of carrying a virus that goes into the room with the sick computer stays in the room with the sick computer. It seems to work for now. I was hoping at some time in the future I would learn the name of the bug that bit me and the miracle cure that kills it. Too many space invader movies I guess.

Take care
Sylvander
Posted: Tue 09 Mar 2010, 02:45


@prehistoric
1. "These require you to make them on a good Windows system"
I did that. Very Happy

2. "the program hangs for some unknown reason at various places during the burn, creating coasters"
When I ran the EXE file within Win2000Pro, something didn't work...
But it then asked me if I wanted to save the ISO file [from inside the EXE?], so I gave that the OK and it worked just fine, and then I used imgburn to burn the ISO quite routinely.
All seemed well, and the CD boots just fine, but I got this problem with video that I've seen with other similar CD's.

@obxjerry
3. " I have the EBCD file in puppy. With my son's burner I can put it on CD"
Remember, you MUST burn it as an ISO image [using burniso2cd], not just burn the FILE to CD.

4. "but then I have to use a NTFS computer to burn a floppy. That will work, right? "
(a) WRONG! Very Happy
The EBCD and its program is totally self-contained [I think, unless I'm wrong there], and will [I believe] burn a good floppy even if there is no HDD [or no Windows installed] on the PC.
If I'm wrong, it may be that the program detects the name of the Windows folder and uses that in the boot.ini file it places on the floppy.
You ought to use some program [the File Manager on the EBCD?] to look at the Windows folder on the partition on the HDD...
Check its name...
Make sure the boot.ini on the floppy uses the same name [edit if necessary].

(b) When you have an EBCD sitting within arms reach [and know how to use it][as I do?]...
It's really EASY do things with it, like make the Universal Boot Floppy [a name I invented for it].
That's how I made my "copy of the floppy". [He's a poet and doesn't know-it Very Happy ]

(c) Notice that the EBCD 2nd menu also includes a free-trial version of the old version of "Image for DOS" [IforD].
That doesn't ever cease functioning; just reminds you that you should only use it for 30 days.
That's what introduced me to IforD; at one time that was what I used to make image backups.
A VERY good program.
I guess it will still work today, but won't backup to USB.
[That capability was introduced with later versions]
I made an EBCD copy including a usb4dos driver [the EBCD can have programs added], but it didn't work reliably. Sad
Aitch
Posted: Tue 09 Mar 2010, 10:24


Jerry,

Slightly aside, going back to your question about the mobo

As far as I can see it is most likely to be DFI, as the Aopen searches only come up with Realtek avance, which is audio info

I found this, and you should recognise the VIA chipset, if its yours

http://active-hardware.com/english/reviews/mainboard/ak75-ec-5.htm

For getting info on your system, you need either a live Puppy and use HWinfo from menu, or if you have a running windoze, d/l PC Wizard, which will give all sorts of useful info on any windoze box

http://www.cpuid.com/pcwizard.php

I also found a pdf for AK75-EC with KT133 chipset, which might be worth a look, you should recognise if its yours

http://support.octek.com.au/Downloads/Files/Manual/K7/KT133A-ASP1.pdf

If that is yours, there may be another possibility, which I don't think has been mentioned
- reset the bios, by removing the cmos battery...?
Might be worth a try...?

But you'll need to go into bios afterwards and set time/date and set to default settings and save, I think

HTH - sorry for extra work.... Wink

Aitch Smile
obxjerry
Posted: Tue 09 Mar 2010, 10:38


If instead of saying "but then I have to use a NTFS computer to burn a floppy. That will work, right?" I had said; The only computer I have that will burn a floppy is a NTFS computer, would that make a difference? Even if I boot the CD to burn the floppy in the sick computer, it is NTFS. I really think what you're saying is it doesn't matter because the hard drive isn't brought into play in this process.

We have to cross this bridge, we might as well do it now. I know the answer to this one but I've been wrong before. I have the 2 Puppy CDs but they've been in the sick computer. They didn't boot, but that's probably moot, (note rhyme) because nothing more (not even a virus) can be written to a CD-R that has files on it. I'm pretty sure the CD drive is read only if that matters.

So, if my Puppy CD is good to use, I could install Puppy to the NTFS laptop (it's going to be there in the end anyway). That stone would kill 2 birds. I could use Puppy to burn the EBCD floppy and it would give us a safer OS on that computer. My wife uses that computer to access Facebook (a known treasure trove of viruses). I can't say much. She knows where I sleep.

OK, I am gradually coming to the realization I'm really not sure where we are going. I keep trying to get a Puppy CD to boot. I'm thinking one of the features of Puppy is you can do something with files on a W*****s partition. I tried booting DSL several times and then slipping in a Puppy CD hoping I could trick it.

It finally occurred to me maybe DSL isn't completely useless. I googled d*** small linux fix windows and came to this http://www.tech-recipes.com/rx/1624/how_to_recover_corrupted_hard_drive_ntfs_files/
Is this somehow useful?

Neither of the Puppy CDs I have will boot. If I burned another one is there a chance it would boot?

While I was looking for the BIOS information on the post screen I may have found something. The first screen that comes up says

SIS
Sis 6326 AGP true color graphics and video accelerator
8m byte video memory BIOS version 1.23f
Support Vesa BIOS extension ver. 2.0

the second screen says

Award Modular BIOS V6. OOPG
Copyright (C) 1984-2000 Award Software Inc.

It does have a number in the lower left corner I haven't caught yet.

Is this too many references to BIOS, like the virus has added some of them?

Sorry this post is long and perhaps silly in places but, inquiring minds want to know.

Jerry

PS Aitch, been there done that several times on the CMOS battery. I know Einstein's definition of insanity.
Aitch
Posted: Tue 09 Mar 2010, 10:57


Jerry, I had a feeling you would've tried the 'magic button removal' but worth mentioning
I don't quite understand why an NTFS box can't burn a CD or Floppy to be used on a Fat32 setup, as long as the file you burn has the right burn utility, unless you are dependent on ms.sys files - it's just a filesystem

Rawrite works regardless of OS as its dos based; rawritewin works on any W32 box
Any windoze burner prog e.g. HT Fireman will burn an iso - make sure to select ISO correctly, though

http://www.free-codecs.com/download/HT_Fireman.htm


try the manual pdf, and see how it looks....

if not run PC Wizard - if possible, else puppy

Try ttuuxxx's 214X - it should work with the VIA chipset, I think - he's just about to release, so you could wait 24hrs or so, but it's very stable

http://www.murga-linux.com/puppy/viewtopic.php?t=42553


Edit: Only mention of SIS 6326 is long time back - pretty sure Barry would have it supported

http://www.murga-linux.com/puppy/viewtopic.php?p=3812

However choice of Xorg or Xvesa comes after boot up.....

Aitch Smile
obxjerry
Posted: Tue 09 Mar 2010, 11:48


Aitch,

Thank you. I think you did my work and found the manual to my motherboard. You even made it easy for me with the point and click links. My wife shows me that trick but I never know it when I need it.

I was concerned that EC didn't follow AK75 printed on the board. The board layout looks the same though.

Thanks
Sylvander
Posted: Tue 09 Mar 2010, 12:06


1. " I really think what you're saying is it doesn't matter because the hard drive isn't brought into play in this process"
Exactly. Very Happy
That's what I believe to be the case.
You boot the EBCD, and run the program, and it writes to the floppy, generic copies of the 3 necessary files, and those 3 files are on the CD, not needed from a Windows installation on the internal HDD.
And I think that when it writes the generic boot.ini, that includes/assumes a name for the Windows folder.
But I could be wrong.
All I know for sure is that when I got it to make the floppy on my own PC [with a Win2000Pro "WINNT" folder], the name WINNT was used in the boot.ini file.
Hence, I think you'd need to check the contents of the boot.ini on your floppy once made, to see what name has been used for the Windows folder.

2. "I could use Puppy to burn the EBCD floppy"
WRONG! Sad
(a) You can use a Puppy [or for that matter any version of Windows] to burn the EBCD ISO file to a CD-R or CD-RW, to make the EBCD bootable CD.

(b) Once you have the EBCD burned...
And boot it...
That has/provides its OWN operating system included on the CD.
So the program on the EBCD, running within its own operating system...
Is what writes the files [included on the CD I believe] to the floppy disk.

(c) Hence:
Puppy doesn't write the floppy.

3. " I keep trying to get a Puppy CD to boot"
(a) A known good Puppy CD?
(b) On the problem PC?
(c) Using the SBM floppy?
(d) And it fails?
(e) And yet DSL succeeds?
(f) With or without using SBM floppy to boot DSL?

(g) We need to discover why DSL will boot, and yet Puppy will not.

4. "Is this somehow useful?"
(a) If you're good at using commands in a terminal, you might be able to copy your files to a 2nd HDD.

(b) Or else you could slave your HDD in another working PC, and copy the files there.

(c) Or put your HDD in an external USB enclosure, and access the files that way, using a working PC and OS.

5. "Neither of the Puppy CDs I have will boot. If I burned another one is there a chance it would boot?"
There should be no magic involved in this.
You need a working Puppy CD, in an optical drive that is functional, with a BIOS that is configured to boot it.

6. "It does have a number in the lower left corner I haven't caught yet"
That's the code that exactly identifies your BIOS that's in use.

7. "Is this too many references to BIOS"
No, that's as it should be.
prehistoric
Posted: Tue 09 Mar 2010, 13:44    Post subject: filesystems, CD-Rs, BIOS number, etc.


obxjerry wrote:
If instead of saying "but then I have to use a NTFS computer to burn a floppy. That will work, right?" I had said; The only computer I have that will burn a floppy is a NTFS computer, would that make a difference? Even if I boot the CD to burn the floppy in the sick computer, it is NTFS. I really think what you're saying is it doesn't matter because the hard drive isn't brought into play in this process.
Not exactly, we are talking about the file system used on the hard drive by the operating system that burns the floppy. Floppies don't support NTFS so that file system is irrelevant for them, except for running your good system off the hard drive which is not suspect.

Quote:
We have to cross this bridge, we might as well do it now. I know the answer to this one but I've been wrong before. I have the 2 Puppy CDs but they've been in the sick computer. They didn't boot, but that's probably moot, (note rhyme) because nothing more (not even a virus) can be written to a CD-R that has files on it. I'm pretty sure the CD drive is read only if that matters.
You are essentially correct, although it is possible to burn Puppy "multisession" to allow adding to a CD. If you didn't deliberately do that, your CDs are read-only, and present no danger of contamination. Even if they were somehow contaminated, it is doubtful the malware would work under Puppy. As long as you don't use those disks while you are running Windows, you should be completely safe, even if they were burned "multi-session".

Since you have these already made, you can use the super multi-boot floppy you made previously (just for example) to boot them even if the machine will not boot directly from the CD.

Quote:
So, if my Puppy CD is good to use, I could install Puppy to the NTFS laptop (it's going to be there in the end anyway). That stone would kill 2 birds. I could use Puppy to burn the EBCD floppy and it would give us a safer OS on that computer. My wife uses that computer to access Facebook (a known treasure trove of viruses). I can't say much. She knows where I sleep.
Installing Puppy to that machine should not present challenges. If you have a working Windows system, I do not recommend wiping the hard drive, -- particularly on notebooks. OEMs have the habit of sticking secret bits of code in places you might not know about. Sometimes these are diagnostics, or recovery software, in other cases they are treated as part of the BIOS, like the award flash utility. The swap file used by hibernate functions on Windows machines is inside the Windows partition, as is code to resume. You don't want to completely eliminate this if you have any choice. (All these things help to tie you to the supplier, so they aren't always forthcoming about what they have done.)

You can resize the NTFS partition, using Gparted, and create a modest (a few GB) ext2 partition in the space made available. If you have enough space, it might also be nice to create a 512 MB Linux swap partition while you are using Gparted (from within Puppy.) It is a good idea to run whatever filesystem checks your Windows system has on that NTFS partition, and defragment, before resizing, and run it again immediately afterward, so it can correct any errors Gparted makes which might confuse it.

When you come to installing Puppy on that new partition, choose a frugal install. You can use this while booting from a CD, or you can install GRUB to the MBR to get a boot menu for dual-booting. We'll help you to edit the menu.lst file for your particular configuration, (assuming we can still talk to you.)
Quote:
OK, I'm am gradually coming to the realization I'm really not sure where we are going. I keep trying to get a Puppy CD to boot. I'm thinking one of the features of Puppy is you can do something with files on a W*****s partition. I tried booting DSL several times and then slipping in a Puppy CD hoping I could trick it.

It finally occured to me maybe DSL isn't completely useless. I googled d*** small linux fix windows and came to this http://www.tech-recipes.com/rx/1624/how_to_recover_corrupted_hard_drive_ntfs_files/
Is this somehow useful?
That is certainly one route to go, and might help to recover irreplaceable pictures, for example, though I believe you are not as far from using Puppy as you think. (By irreplaceable, I do not mean pictures downloaded from a free site in Ukraine. Those are widely available.)
Quote:
Neither of the Puppy CDs I have will boot. If I burned another one is there a chance it would boot?
Yes. But, rather than continuing to do the same thing, put the CD in first and then try to use the boot floppy to boot off the Puppy CD. On a fair number of old machines this works even when you can't boot directly off the CD from the BIOS.
Quote:
While I was looking for the BIOS information on the post screen I may have found something. The first screen that comes up says

SIS
Sis 6326 AGP true color graphics and video accelerator
8m byte video memory BIOS version 1.23f
Support Vesa BIOS extension ver. 2.0

the second screen says

Award Modular BIOS V6. OOPG
Copyright (C) 1984-2000 Award Software Inc.

It does have a number in the lower left corner I haven't caught yet.

Is this too many references to BIOS, like the virus has added some of them?...
No, the separate video BIOS is perfectly normal. To get the boot screen to hold still so you can copy the number, all you need to do is hit "pause" on the keyboard. Here's what the number looks like on an old machine of mine.
Code:
09/03/2000-VP4-686A-645LHM3CC-00
BTW: I have a machine with SiS 6326 video, and Puppy works on it.

At this point, I'm thinking that malware which got you was very unsophisticated. The reason is that it doesn't appear to have any money-making potential, and it gives itself away quickly.

If this is true, you have only two hurdles: get back to booting your Windows system, clean up the infection. That free trial of bootITng would be enough to find out if it can repair the boot block. I didn't have to pay anything to download it. (But don't install it to the hard disk.)

Sophisticated exploits will prevent you from downloading and using malware removal tools under Windows. I'm guessing this one is dumb. Get to the point of booting Windows, and we can go after the malware with any number of tools even if they have to be downloaded on that other machine. Just remember the system you are running is still suspect.

If you can't get back to booting Windows, we will continue along the route of using separate bootable recovery tools.