Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
I got wacked real good x 3 (SOLVED)
Page 8 of 8
Sylvander

Joined: 15 Dec 2008
Posts: 3463
Location: West Lothian, Scotland, UK

PostPosted: Tue 16 Mar 2010, 18:59    Post_subject:  

1. " It got me to the point where I saw XP had a missing or corrupt system32\hal.dll file. Online said that could be a boot.ini or BIOS problem"
(a) That would normally be true if you were using the HDD boot arrangements, but it's NOT the same when you're using the Universal Boot Floppy [UBF].
i.e. You're not using the HDD boot arrangements [MBR & boot files on the HDD]...
You're using the floppy boot arrangements...
Including the 3 boot files, one of which is the boot.ini on the floppy.
Hence if they don't work, you don't blame the HDD boot arrangements.

(b) You need to know:
WHERE the Windows folder is located [which partition?]
And...
What is the NAME used for the Windows folder [WINDOWS?]
So you should use SOMETHING [A Puppy?]...
To browse the partition holding the Windows folder and note the name used.

(c) Then you need to check the contents of the boot.ini on the floppy and edit it if necessary, so as to make sure that the code is correct.
Usually just checking the name of the Windows folder is correct.
Here's the important code in my copy:
Code:
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="NT, First harddisk, first partition" /sos

Notice my Win2000Pro folder is named WINNT.

(d) You need to try all 8 partitions.
Did you?

2. " I finally found a site that, added to what I had tried, said to use chkdsk /r. That worked"
(a) So the problem was a corrupted partition file system, right?
That's why the UBF didn't succeed in booting Windows, right?
And WinXP [on NTFS partition file system] was now booting, right?

3. "I started virus scans one after another but didn't turn up much. Nothing that stood out."
(a) How about running a Puppy from a CD, with a pupsave on a Flash Drive, with Avast! Antivirus installed, and scan the Windows partition whilst Windows is dormant?

(b) Or go to www.pcguide.com/vb and ask for help in scanning for infection.
There are people there who are VERY EXPERT and well practised at doing this [Windows users get infected and ask there for help to disinfect very frequently].
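Sylvander's steps (b) to (d) amount to a mechanical check: read the ARC path in the floppy's boot.ini, find the partition it names, and confirm the Windows folder it expects (WINNT, WINDOWS, ...) really exists there. The script below is an added example, not code from the post or from Puppy; it uses the two boot.ini lines quoted above (with an assumed [boot loader] header) and a constructed note of what browsing the disk from Puppy showed, so it runs offline. The folder sets and the `timeout=30` line are assumptions for the example.

```python
"""Cross-check a floppy boot.ini against what browsing the disk from Puppy actually shows."""
import re

# ARC path syntax used by NT-family boot.ini files:
#   multi(0)disk(0)rdisk(0)partition(1)\WINNT
# rdisk() is the 0-based disk number, partition() is 1-based, then the Windows folder name.
ARC_RE = re.compile(
    r"^(?P<bus>multi|scsi)\((?P<bus_no>\d+)\)disk\((?P<disk>\d+)\)"
    r"rdisk\((?P<rdisk>\d+)\)partition\((?P<partition>\d+)\)\\(?P<folder>[^\s\"=]+)$",
    re.IGNORECASE,
)


def parse_arc_path(path):
    """Split an ARC path into its disk number, partition number and Windows folder."""
    m = ARC_RE.match(path.strip())
    if not m:
        raise ValueError(f"not an ARC path: {path!r}")
    return {
        "rdisk": int(m.group("rdisk")),
        "partition": int(m.group("partition")),
        "folder": m.group("folder"),
    }


def parse_boot_ini(text):
    """Return (default_path, [(arc_path, description, options), ...]) from boot.ini text."""
    section, default, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "boot loader" and key.lower() == "default":
            default = value
        elif section == "operating systems":
            m = re.match(r'"([^"]*)"\s*(.*)', value)   # "description" /switches
            desc, opts = (m.group(1), m.group(2).strip()) if m else (value, "")
            entries.append((key, desc, opts))
    return default, entries


def check_boot_ini(text, partitions):
    """partitions maps (rdisk, partition) -> set of top-level folder names noted while browsing.
    Returns a list of problems; an empty list means every entry points at an existing folder."""
    default, entries = parse_boot_ini(text)
    problems = []
    if default is None:
        problems.append("no default= line in [boot loader]")
    elif default not in [arc for arc, _, _ in entries]:
        problems.append(f"default {default} has no [operating systems] entry")
    for arc, desc, _opts in entries:
        try:
            p = parse_arc_path(arc)
        except ValueError as err:
            problems.append(str(err))
            continue
        key = (p["rdisk"], p["partition"])
        folders = partitions.get(key)
        if folders is None:
            problems.append(f"{desc!r}: rdisk({key[0]}) partition({key[1]}) was not found on this machine")
            continue
        if p["folder"].lower() not in {f.lower() for f in folders}:
            # Most likely cause: the folder is there under a different name (WINDOWS vs WINNT)
            found = sorted(f for f in folders if f.upper() in ("WINDOWS", "WINNT"))
            hint = f"; partition holds {found}" if found else ""
            problems.append(f"{desc!r}: no folder \\{p['folder']} on partition({key[1]}){hint}")
    return problems


# Sylvander's boot.ini lines from the post; the [boot loader] header and timeout are assumed
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINNT="NT, First harddisk, first partition" /sos
"""

# Constructed disk layouts standing in for what a browse from Puppy showed (one disk, one partition)
W2K_LAYOUT = {(0, 1): {"WINNT", "Program Files", "Documents and Settings"}}
XP_LAYOUT = {(0, 1): {"WINDOWS", "Program Files", "Documents and Settings"}}

if __name__ == "__main__":
    for name, layout in (("Win2000 disk", W2K_LAYOUT), ("WinXP disk", XP_LAYOUT)):
        print(name, check_boot_ini(SAMPLE_BOOT_INI, layout) or "boot.ini matches")
```

Run against the XP layout it reports that `\WINNT` is missing and that the partition holds `WINDOWS`, which is exactly the edit step (c) asks for; against the Win2000 layout it reports nothing. Folder names are compared case-insensitively because FAT and NTFS are.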
obxjerry


Joined: 29 Jan 2010
Posts: 394
Location: Louisville, Kentucky

PostPosted: Tue 16 Mar 2010, 20:19    Post_subject:  

Sylvander,

1. It's been a while but I'm pretty sure I got further than you think I did with the Windows Universal Boot Floppy. There was no doubt Windows was on the one and only disk, one and only partition. The first option got the missing or corrupted <Windows root>\system32\hal.dll file every time. I hoped it might find it the fourth or fifth time. Confused I really think I got to the HDD. The other options were a definite no go. I didn't try all of them.

2. I have no idea what chkdsk /r did or what it did it to. I know it checks the disk for errors and repairs. Everything else (trying to repair boot.ini) I tried came back with a failure message. Chkdsk /r ran for a while and showed one repair, then I exited and booted right into XP with no aids.

3. My plan was to boot into W*****s and do nothing but run virus scans hopefully finding and controlling the virus. Are you saying I still may be able to find what the virus was? I'm thinking what I have now is damage left by the virus and not the virus still working.
prehistoric


Joined: 23 Oct 2007
Posts: 1301

PostPosted: Wed 17 Mar 2010, 01:41    Post_subject: lurking viruses  

Jerry,

I strongly suspect there is still something in your system(s). It may not be "the" virus which caused the damage, but the likelihood of something providing an entry point for malware is pretty high. I think your son's suspicions are reasonable.

Sites which are topically popular for a short time, like the ones connected with the Winter Olympics, are especially good sources for malware distribution. Manipulating Search Engine Optimization can steer people places they never intended to go. Things like cross-site scripting can hit you even if the main site is pretty secure. There are tricks which will cause most eyes to glaze over if you explain exactly what is going on. Nobody can stay sane and constantly worry about them while doing other things. You have to trust somebody/something. This is where the toxic stuff gains entry. After that, a wide range of consequences may follow.

Here's an example from a "service call" I made today. (The quotes are because I am not really in business, and don't accept money. I also don't advertise that I can fix W*****s. Part of the reason I don't promise is that I don't know how much longer it will be possible to keep such systems functioning. I always use the opportunity to show Puppy in action. Today was no exception.) This is close to a worst case.

First problem, can't boot into anything except a damaged XP system. Once in that system, can't use the Internet. Attempts to boot Avira rescue CD fail. Can't mount USB flash drive to extract Spybot S&D. I drop back to my super multi-boot floppy, and use it to boot up Zigbert's Stardust 013 on CD. This is basically Puppy 4.3.1, with all the known bug fixes, plus a nice new look and control center. Among those fixes is one that allows F-prot scanner to install and update properly.

I set up Stardust 013 on the machine, connect to the Internet, update F-Prot, mount the XP partition, and scan it. Lots of problems, some with file system, some with scanner, but also a number of known pieces of malware. The important ones affecting my ability to fix things turned out to be: reboot.exe, registry-first-aid, a downloader, and a Trojan named dropper. Norton Anti-Virus was installed, but protection had expired. It had then been infected itself. (Black hats are targeting popular security software which has expired. Once they see what the update accomplishes, they know about a vulnerability. There's always someone out there who didn't maintain protection.)

Once I have the first crop removed or renamed, I can go back to booting Windoze. There follows a long series of operations to remove things which may be legitimate, but are impeding analysis. HP Imaging Software keeps trying to update things that are not vital. So do Adobe, and Apple. Registry First Aid gets removed, but not without a fight. Norton goes, since it isn't doing any good.

I install Comodo Internet Security (free download) because this machine has an Internet connection which transfers about 1/2 MB/s. (After various malware definitions are added, the total size is around 135 MB.) I also install the most critical missing W*****s updates.

Next, I run a scan using Comodo. This goes on for several hours, turning up another 19 threats; most are real. Some got in through unpatched vulnerabilities in M$ Office, some through Netscape 7.2, some through IE7, and so on. I install even more Windoze updates.

While the slower operations are running, I uninstall a variety of things that don't serve any present purpose. With the latest and greatest java run-time environment, and Firefox 3.6, we probably don't need half-a-dozen previous versions and older browsers. I run Comodo System Cleaner to straighten out the registry left from all the previous operations. It fixes 400 errors.

At this point I'm ready to run Trendmicro HouseCall as a cross-check. There's a reason for this high level of suspicion.

Commercial malware is a paying business which runs QA checks to make sure new products will be missed by most scanners. If 30% of them catch it, it fails, and gets sent back for rework. This tells me that having found a dozen real threats, not just some security company hyperventilating about threats, I can be almost certain there will be some missed. (If I am in doubt about which are real, I can submit files to competitors for analysis.)

A second angle is that new malware often uses old malware as a payload. You can remove the old threat without suspecting it was put there so you would find something besides the program which infected your machine. While the payload is working, it uses tried and true methods of extracting money from the opportunity. The criminal doesn't have to create any new infrastructure to support it.

Anyone can tell me this kind of work is uneconomical. If I wasn't especially curious, I wouldn't waste my time. I have an answer to the problem which satisfies me. I'm still waiting for the rest of the world to catch on.

p.s. the battery on that motherboard was dead, too.
Sylvander

Joined: 15 Dec 2008
Posts: 3463
Location: West Lothian, Scotland, UK

PostPosted: Wed 17 Mar 2010, 03:30    Post_subject:  

1. " The first option got the missing or corrupted <Windows root>\system32\hal.dll file every time"
Which means there WAS a problem, something external to or beyond the HDD boot arrangements.
This might have been a wrong name for the Windows partition in the floppy boot.ini file...
Or a problem with [access to?] the Windows folder or its contents...
e.g. The one it turned out to be = the Windows partition file system.

2. "I have no idea what chkdsk /r did or what it did it to"
It scanned all the partition file systems it could find, and fixed/repaired any faults found.

3. "booted right into XP with no aids"
So ONE problem found and fixed. Very Happy

4. "Are you saying I still may be able to find what the virus was?"
Yes. Very Happy
cthisbear

Joined: 29 Jan 2006
Posts: 3434
Location: Sydney Australia

PostPosted: Wed 17 Mar 2010, 08:00    Post_subject:  

As a last resort ComboFix is mentioned on Whirlpool forums.

http://forums.whirlpool.net.au/forum/10

////////////////

Once again I cannot speak too highly of the Falcon boot cd.
Not an MS fan but this has a live scanner...updates itself..
probably Windows Defender.

Used System restore on a Vista laptop yesterday..>perfect.
Stops autoruns etc.

http://thepiratebay.org/torrent/5283510/FalconFour_s_Ultimate_Boot_CD_USB_2.0_-_Hiren_s_9.9__ERD


He's just released a 50 meg special...no ERD

http://thepiratebay.org/torrent/5373232/FalconFour_s_Micro_Boot_CD_2.5_-_Live_XP__Spinrite__Kon-Boot_

This bloke is good.

////////////

The Avast Bart boot cd does not like less than 256 megs ram.
Better at 512. So running Avast in Windows can probably have issues.

Again...try Hitman Pro...and the one time fix.

//////////

Sometimes though.. you need to re-install.
But use driver magician lite to back up the drivers.
Runs off most windows rescue cds...Ubcd4Win etc.

Chris.
Aitch


Joined: 04 Apr 2007
Posts: 6825
Location: Chatham, Kent, UK

PostPosted: Wed 17 Mar 2010, 08:25    Post_subject:  

Jerry

I would recommend adding a simple firewall program to any PC which doesn't have one, but runs Windoze

Here's free version of Kerio, which is an easy install - you just need to 'enable 'programs you want to allow on the web, via a popup

http://www.321download.com/LastFreeware/files/keriopf215.zip

I would also recommend MYWOT, [can be used for IE or f/f] and Firefox
browser

MYWOT warns you about dangerous sites with a red warning, and you just back out or close the browser

http://www.mywot.com/en/download/ie

Firefox, use an early version 2.xxx for Win95/98 and it should be OK

Firefox is less likely to be attacked than IE, IMO

http://www.oldapps.com/firefox.php

If you cannot get your Windows setup stable, you will need to save any files you want to keep, to CD or USB drive, and re-install

Good luck - good progress!

Aitch Smile
obxjerry


Joined: 29 Jan 2010
Posts: 394
Location: Louisville, Kentucky

PostPosted: Wed 17 Mar 2010, 12:45    Post_subject:  

I'm still writing back after a quick read through. Twisted Evil My son blamed all of this on his Norton AV expiring and going to free Avast on my recommendation (it runs faster). His old machine is now being stored as a spare. He's using mostly Puppy and some Ubuntu.

Our ME and 98se machines are going to lose their ability to connect to the internet while running W*****s. There just isn't enough virus protection for them. If their AV doesn't work with the old OSs why are they vulnerable to the current viruses?

The plan is evolving for the 2 remaining XP machines. I can see that they will be unsupported, out-dated systems in the near future. We are new to Linux and we were already using box stock Puppy 95% of the time. I do see Linux users use firewalls so firewalls are in my future.

It still is in my mind that I should be able to find the virus on the floppies. Is that possible? Is there a safe way to do it? I did see there is a bit of data on a floppy that normally is not written over but can carry a virus. So, what they are saying is a formatted floppy is still not completely safe.

Right now I would say I'm taking a breather, waiting for the other shoe to drop and avoiding W*****s. I hope that works. I have been looking for the way to label this thread SOLVED. I haven't found that yet.

Thanks for your help.
Hugh


Joined: 24 Jun 2006
Posts: 136
Location: Imperial Warmongering Dystopia of Amerika

PostPosted: Thu 18 Mar 2010, 01:57    Post_subject: Don't forget to 'clean' the opticals...
Sub_title: CD and DVD
 

What an incredibly interesting discussion!

All of us who've used Windows have experienced
very similar mysterious 'crashes.' While our first
inclination is to believe we've been infected with
some dread virus, in truth, such crashes are in
fact nearly 'normal' for Windows.

As Windows is used it slowly 'grows' and accumulates
numerous odds and ends that it eventually is
unable to sort out and goes 'berserk.'

Many believe it is all part of the 'design.'

Thankfully, Puppy is a well behaved alternative!

By the way, those CD and DVD drives do require
frequent 'cleaning' either with one of those special
disks or with a Q tip and isopropyl alcohol. The tiny
lens gets dusty in use and unless cleaned regularly
will result in errors or the inability to read certain of
your CDs and DVDs.

To assure the most reliable 'burn' when making your
CDs and DVDs always burn at the slowest possible
speed. High speed burns are notoriously difficult
to be 'seen' by many CD and or DVD Roms.

Thanks to all who contributed to this very informative
saga!

_________________
Shuttle Spacewalker HOT-661/P Main Board:
PII-350MHz: 640MB RAM: First Puppy: 2.00
HDD Filesystem: FAT32/NTFS/ext3; Frugal Always
Aitch


Joined: 04 Apr 2007
Posts: 6825
Location: Chatham, Kent, UK

PostPosted: Thu 18 Mar 2010, 11:55    Post_subject:  

Jerry

The way to mark the thread 'Solved', simply requires you to open your very first post in the thread, and add 'Solved' to the Subject line, above the post which reads 'I got wacked real good x 3'
You just need to click the edit button, next to 'quote', top right to do any edits/changes on any post you make

thanks

Aitch Smile
prehistoric


Joined: 23 Oct 2007
Posts: 1301

PostPosted: Thu 18 Mar 2010, 18:09    Post_subject: free advice  

obxjerry wrote:
I'm still writing back after a quick read through. Twisted Evil My son blamed all of this on his Norton AV expiring and going to free Avast on my recommendation (it runs faster). His old machine is now being stored as a spare. He's using mostly Puppy and some Ubuntu...
As I described before, there are deliberate on-going attempts to exploit systems where Norton AV protection has expired. Avast! is reasonable protection, but far from foolproof. I've seen one system which was clobbered on which it was up-to-date and working. I'm not sure I'd depend on any single company for protection, if my business depended on running Windoze.
Quote:
Our ME and 98se machines are going to lose their ability to connect to the internet while running W*****s. There just isn't enough virus protection for them. If their AV doesn't work with the old OSs why are they vulnerable to the current viruses?
Because even modern versions of Windoze support enough old programs to inherit vulnerabilities. Support for older versions was dropped because it was uneconomical. Both systems you mention are extremely vulnerable.
Quote:
The plan is evolving for the 2 remaining XP machines. I can see that they will be unsupported, out-dated systems in the near future. We are new to Linux and we were already using box stock Puppy 95% of the time. I do see Linux users use firewalls so firewalls are in my future.
On Windoze systems you absolutely, positively must have a firewall, and the one that comes with the factory version is very poor. On Puppy, I use the default firewall all the time, unless I need to turn it off to set up a network.
Quote:
It still is in my mind that I should be able to find the virus on the floppies. Is that possible? Is there a safe way to do it? I did see there is a bit of data on a floppy that normally is not written over but can carry a virus. So, what they are saying is a formatted floppy is still not completely safe.
I don't know exactly what you've done, but I would bet on there being something in the boot block. You may also have a floppy which has been infected, but not formatted. When you scan for malware, enable any option to scan boot blocks. If you boot a separate system and scan from that, you completely avoid risks to your Windoze system. That's why we use things like that Avira Rescue CD.

One reason you might not find anything is that many nasty tricks with floppies went out of fashion some time back. Many companies selling security products didn't exist at that time.

Even if you don't find the culprit there, it had to come from somewhere. You should have found either that program, or another nasty which delivered the payload, on the original machine responsible.
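prehistoric's point about the boot block is that the sector a floppy boots from is code the BIOS runs before any antivirus is loaded, and the safe way to look at it is from a separate system that only reads it. The script below is an added example, not code from the thread or from any scanner it mentions: it parses the first 512 bytes of a FAT12 floppy (or image), checks the jump prologue, BIOS Parameter Block and 0x55AA signature, and hashes only the executable region so it can be compared with a sector you know is clean. Both sample sectors are constructed in the script (no real disk or malware involved); the path in `read_first_sector` is an assumption about where Puppy exposes the drive.

```python
"""Inspect a floppy's boot sector from a separate (Puppy) system without ever executing it."""
import hashlib
import struct

SECTOR_SIZE = 512
BPB_OFFSET = 11     # BIOS Parameter Block follows the 3-byte jump and 8-byte OEM name
CODE_OFFSET = 62    # FAT12 extended BPB ends at 0x3E; the boot code proper starts here
SIG_OFFSET = 510    # 0x55 0xAA boot signature occupies the last two bytes


def make_sample_floppy_sector(boot_code, oem=b"MSDOS5.0"):
    """Constructed 1.44 MB FAT12 boot sector for this example; not read from any real disk."""
    if len(boot_code) > SIG_OFFSET - CODE_OFFSET:
        raise ValueError("boot code does not fit in the sector")
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xeb\x3c\x90"                      # JMP SHORT 0x3E ; NOP, the usual FAT12 prologue
    sec[3:11] = oem.ljust(8)[:8]
    # BPB: bytes/sector, sectors/cluster, reserved sectors, FATs, root entries, total sectors,
    # media descriptor, sectors/FAT, sectors/track, heads, hidden sectors, large total sectors
    struct.pack_into("<HBHBHHBHHHII", sec, BPB_OFFSET,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    sec[CODE_OFFSET:CODE_OFFSET + len(boot_code)] = boot_code
    sec[SIG_OFFSET:SECTOR_SIZE] = b"\x55\xaa"
    return bytes(sec)


def code_hash(sec):
    """SHA-256 of the executable region only, so BPB or volume-label differences do not change it."""
    return hashlib.sha256(sec[CODE_OFFSET:SIG_OFFSET]).hexdigest()


def inspect_boot_sector(sec, known_good_hashes=frozenset()):
    """Static checks on one 512-byte boot sector. Nothing here runs the sector's code."""
    if len(sec) != SECTOR_SIZE:
        raise ValueError("a boot sector is exactly 512 bytes")
    bps, _spc, _reserved, fats, _root, total, media, _spf = struct.unpack_from("<HBHBHHBH", sec, BPB_OFFSET)
    h = code_hash(sec)
    return {
        "signature_ok": sec[SIG_OFFSET:] == b"\x55\xaa",
        "jump_ok": sec[0] == 0xE9 or (sec[0] == 0xEB and sec[2] == 0x90),
        "oem": sec[3:11].decode("ascii", "replace").rstrip(),
        "looks_like_1440k_floppy": (bps, total, media, fats) == (512, 2880, 0xF0, 2),
        "code_sha256": h,
        "code_known_good": h in known_good_hashes,
    }


def code_differs(sec, reference):
    """True when the boot code differs from a trusted reference sector (e.g. one you formatted yourself)."""
    return sec[CODE_OFFSET:SIG_OFFSET] != reference[CODE_OFFSET:SIG_OFFSET]


def read_first_sector(path):
    """Read sector 0 of an image file or block device opened read-only (e.g. /dev/fd0 under Puppy; assumed)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    # Both sectors are constructed: "cli; hlt" stands in for a clean loader, NOPs for an unknown one.
    clean = make_sample_floppy_sector(b"\xfa\xf4")
    unknown = make_sample_floppy_sector(b"\x90" * 16)
    trusted = {code_hash(clean)}
    for label, sec in (("clean", clean), ("unknown", unknown)):
        print(label, inspect_boot_sector(sec, trusted), "differs:", code_differs(sec, clean))
```

The useful comparison is against a floppy you formatted yourself on a known-clean machine: a sector whose BPB says "1.44 MB, OEM MSDOS5.0" but whose code hash does not match that reference is the case worth handing to a scanner with its boot-block option enabled. Reading with the drive mounted read-only, or not mounted at all, is what keeps the host system out of the picture, as prehistoric describes.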
RetroTechGuy


Joined: 15 Dec 2009
Posts: 2668
Location: USA

PostPosted: Thu 18 Mar 2010, 18:24    Post_subject:  

obxjerry wrote:

Our ME and 98se machines are going to lose their ability to connect to the internet while running W*****s. There just isn't enough virus protection for them. If their AV doesn't work with the old OSs why are they vulnerable to the current viruses?


The big problem with the old systems is that you can't update Firefox past 2.x (which is no longer supported by many sites).

I ran my Win98 box "bare naked" for quite some time (not when Win98 was common, but removed the virus protection a couple years back, and ran it until quite recently). It was amusing to see an error like "upgrade your operating system to run this program <i.e. virus>..."

Basically, the more "helpful" an operating system is ("I'm automatically running this program for your convenience"), the more likely it will help a virus infect your machine.
RetroTechGuy


Joined: 15 Dec 2009
Posts: 2668
Location: USA

PostPosted: Thu 18 Mar 2010, 18:31    Post_subject: Re: Don't forget to 'clean' the opticals...
Sub_title: CD and DVD
 

Hugh wrote:
What an incredibly interesting discussion!

All of us who've used Windows have experienced
very similar mysterious 'crashes.' While our first
inclination is to believe we've been infected with
some dread virus, in truth, such crashes are in
fact nearly 'normal' for Windows.


Yup. Some of the newer tools do a fair job of keeping the registry in order, but eventually the only solution is to scrub the system and do a fresh install (or to restore from your backup that you made, shortly after you did your last reinstall Wink ).

I have had pretty good luck with CCleaner on my Win98 box (and it seems to be fine on my XP system, too - but that always makes me a little more nervous).

Quote:
As Windows is used it slowly 'grows' and accumulates
numerous odds and ends that it eventually is
unable to sort out and goes 'berserk.'


I always called it "Windows Inertia". It accumulates "mass" until it simply cannot move...

Quote:
Many believe it is all part of the 'design.'


To keep you in practice, by continually reinstalling the OS?... Twisted Evil

"Microsoft: What do you want to reinstall today"
obxjerry


Joined: 29 Jan 2010
Posts: 394
Location: Louisville, Kentucky

PostPosted: Fri 19 Mar 2010, 09:31    Post_subject:  

Thanks Aitch. I had done just what you said but when I tried preview it didn't change the main heading so I didn't think that was the way. I went the extra step and it worked.

The computers are working better. About all I'm doing with W*****s is making the XPs smaller in order to install Linux and copying data off.

Ubuntu was installed on my son's computer when I bought it and it impressed me. I have burned Kubuntu and plan to put that on our highest spec. computer even though it gets used least.

I am still just blown away that Puppy starts out so small and stays that way. If it grows you know exactly why. The computer I'm on now has Puppy that is using 430mb. I bet I've used that much space in one XP update session and who knows what that data is?

Thanks again,
Jerry
Aitch


Joined: 04 Apr 2007
Posts: 6825
Location: Chatham, Kent, UK

PostPosted: Fri 19 Mar 2010, 12:00    Post_subject:  

Jerry

An urgent tip! Don't try and re-size windoze partitions without first running scandisk/chkdsk and then defrag, or you could get a whole heap of new problems.
When you reboot, if windoze ever tries to do a scandisk/chkdsk, exit out by pressing a key, wait for it to fire up windoze, then run it manually first.
Experience tells me this saves losing installs.

btw - well persevered!

Aitch Smile
prehistoric


Joined: 23 Oct 2007
Posts: 1301

PostPosted: Fri 19 Mar 2010, 21:45    Post_subject: follow-up report  

Here's a follow-up report on that other clobbered system I rescued recently.

It now runs chkdsk without problems. I'm not completely through with malware scans, but the things I'm finding are less immediate threats than trash left by previous problems.

As predicted, that system was not clean after one scanner found and removed 19 threats. I ran BitDefender's on-line scan for the first time (in my experience.) It reported an old email virus, Win32 bugbear.a. Most copies of this I see are later variants. Moral: even old threats can resurface.
---------
Added: Still later, I ran yet another scan. Earlier scans had been restricted to things I needed just to run programs under Windoze to recover. This time I found another 8 threats hidden in restore points. If you have read this thread from the beginning, you might have noticed that I did not recommend restoring the system to an earlier date. At one time this was a great way to deal with problems. Today, we have some malware which infects the restore point, or the restore operation itself, so that it will install malware even if there was none on the machine at the time a restore point was created.
---------
I tried BitDefender's on-line scan because there was a problem with one of the system calls needed by the Trend Micro "HouseCall" on-line scanner. This is not terribly surprising, as I have pulled out all kinds of things to stop further infections from occurring while I'm working. One way I've simplified the problem is to uninstall the HP software which goes with the Officejet multifunction machine. I'll install the latest downloaded version after I've got everything else clean and stable.

The reason is two-fold: it had been updated repeatedly, and was not consistent; malware authors have exploited programs doing automatic updates to install their own code. I've seen this twice before with HP imaging software. The problem is not bad security by HP, it is the widespread availability of this software on poorly protected machines, plus the high value to criminals of corrupting an updater with a legitimate function.
----------
Added: Did reinstall this, and it looks good. The problem did not come from HP.
----------
There was also that fake picture which installed malware. This illustrates a large and growing problem. With cell phones having cameras and micro-SD cards, in addition to all the regular digital cameras and mp3/4 players, it is very easy for an infection to be transmitted through the exchange of pictures or video. It is all too likely someone plugging in, for example, an 8 GB SD card from a camera will tell the security software to skip the malware scan if they want to show people a picture right away.

I don't see malware becoming much more sophisticated in a coding sense, but the "social engineering" aspects are getting slicker. The juvenile mischief of writing floppies that immediately disable a machine, as in the main problem on this thread, runs in the opposite direction. There is no way to ignore it, and it did bring in people who will go looking for other problems.

Psst! Hey, real crooks, maybe you should hunt down the guy who did that. He's hurting business..Twisted Evil

Final advice for Jerry: use external drives to store complete backups of your system partition. If they aren't connected, they can't be infected. Plan things out in advance so you can do a complete restore if the OS is suspect or the main disk dies. Maintain your skills with Puppy, so you can impress people by rescuing data from compromised systems.

If you don't get hit, after doing such preparation, don't feel cheated. From long experience, I can tell you there are mysterious forces at work which will hold evil at bay if you are well-prepared to cope.

If you don't believe in these forces, I can only suggest that the next time you are waiting for an important phone call you get in the shower. In my personal experience, that vulnerability almost always draws a call.

Regards,

prehistoric