I got wacked real good x 3 (SOLVED)

For discussions about security.
Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#106 Post by Sylvander »

1. "It got me to the point where I saw XP had a missing or corrupt system32\hal.dll file. Online said that could be a boot.ini or BIOS problem"
(a) That would normally be true if you were using the HDD boot arrangements, but it's NOT the same when you're using the Universal Boot Floppy [UBF].
i.e. You're not using the HDD boot arrangements [MBR & boot files on the HDD]...
You're using the floppy boot arrangements...
Including the 3 boot files, one of which is the boot.ini on the floppy.
Hence if they don't work, you don't blame the HDD boot arrangements.

(b) You need to know:
WHERE the Windows folder is located [which partition?]
And...
What is the NAME used for the Windows folder [WINDOWS?]
So you should use SOMETHING [A Puppy?]...
To browse the partition holding the Windows folder and note the name used.

(c) Then you need to check the contents of the boot.ini on the floppy and edit if necessary, so as to make sure that the code is correct.
Usually just checking that the name of the Windows folder is correct.
Here's the important code in my copy:

Code:

default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="NT, First harddisk, first partition" /sos

Notice my Win2000Pro folder is named WINNT.

(d) You need to try all 8 partitions.
Did you?

2. "I finally found a site that, added to what I had tried, said to use chkdsk /r. That worked"
(a) So the problem was a corrupted partition file system, right?
That's why the UBF didn't succeed in booting Windows, right?
And WinXP [on NTFS partition file system] was now booting, right?

3. "I started virus scans one after another but didn't turn up much. Nothing that stood out."
(a) How about running a Puppy from a CD, with a pupsave on a Flash Drive, with Avast! Antivirus installed, and scan the Windows partition whilst Windows is dormant?

(b) Or go to www.pcguide.com/vb and ask for help in scanning for infection.
There are people there who are VERY EXPERT and well practised at doing this [Windows users get infected and ask there for help to disinfect very frequently].
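
Added example, written for this edit and not code from the thread or from Sylvander: a small Python checker that does mechanically what points (b) to (d) above describe by hand. It parses a boot.ini, decodes each multi()disk()rdisk()partition()\FOLDER entry (rdisk counts disks from 0 in BIOS order, partition counts from 1), checks the named folder against a map of which top-level folders sit on which partition, and, where the folder is not there, lists every partition that does hold a folder of that name, which is the "try all the partitions" step. The boot.ini text and the partition map are constructed for the demo; on a real machine you would fill in the map from what you see when you browse each partition from the Puppy CD.

```python
import re
from dataclasses import dataclass

# ARC path syntax used by NTLDR: multi(0)disk(0)rdisk(N)partition(M)\FOLDER
# rdisk() counts disks from 0 in BIOS order; partition() counts from 1.
ARC_RE = re.compile(
    r'^multi\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)\\([^\s"=]+)$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArcPath:
    adapter: int
    disk: int
    rdisk: int
    partition: int
    folder: str


def parse_arc(path: str) -> ArcPath:
    """Decode one ARC path; raises ValueError for anything NTLDR would not accept."""
    m = ARC_RE.match(path.strip())
    if not m:
        raise ValueError(f"not an ARC path: {path!r}")
    adapter, disk, rdisk, part, folder = m.groups()
    return ArcPath(int(adapter), int(disk), int(rdisk), int(part), folder)


def parse_boot_ini(text: str):
    """Return (default_path, {label: (arc_path, [switches])}) from boot.ini text."""
    section, default, systems = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "default":
                default = value.strip()
        elif section == "operating systems":
            path, _, rest = line.partition("=")
            m = re.match(r'\s*"([^"]*)"\s*(.*)$', rest)
            if m:
                label, switches = m.group(1), m.group(2).split()
            else:
                label, switches = rest.strip(), []
            systems[label] = (path.strip(), switches)
    return default, systems


def check_entry(arc: ArcPath, layout: dict) -> str:
    """Classify one entry against {(rdisk, partition): {top-level folder names}}."""
    key = (arc.rdisk, arc.partition)
    if key not in layout:
        return "no such partition"
    if arc.folder.lower() not in {f.lower() for f in layout[key]}:
        return "windows folder not found on that partition"
    return "ok"


def candidates(arc: ArcPath, layout: dict) -> list:
    """Every partition that does hold a folder of that name (the 'try each partition' step)."""
    return sorted(
        key for key, folders in layout.items()
        if arc.folder.lower() in {f.lower() for f in folders}
    )


def audit(text: str, layout: dict) -> dict:
    """Return {label: (status, candidate partitions)} for each [operating systems] entry."""
    _default, systems = parse_boot_ini(text)
    report = {}
    for label, (path, _switches) in systems.items():
        try:
            arc = parse_arc(path)
        except ValueError as err:
            report[label] = (str(err), [])
            continue
        report[label] = (check_entry(arc, layout), candidates(arc, layout))
    return report


# Constructed sample boot.ini for the demo (the entries and labels are made up).
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="NT, First harddisk, first partition" /sos
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP, First harddisk, first partition" /fastdetect
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="XP, First harddisk, third partition" /fastdetect
"""

# Constructed partition map, as noted down after browsing each partition from a live
# Linux: disk 0 has two partitions, and only partition 2 carries a WINNT folder.
SAMPLE_LAYOUT = {
    (0, 1): {"WINDOWS", "Program Files", "Documents and Settings"},
    (0, 2): {"WINNT", "Program Files"},
}

if __name__ == "__main__":
    for label, (status, where) in audit(SAMPLE_BOOT_INI, SAMPLE_LAYOUT).items():
        print(f"{label}: {status}; folder found on {where or 'no partition'}")
```

Run it with the sample and the first entry reports that WINNT is not on partition 1 but is on partition 2, which is exactly the edit to make in the floppy's boot.ini; the third entry reports a partition that does not exist at all. A match here only says NTLDR can find the folder, not that the file system underneath is healthy, so a bad chkdsk result can still stop the boot even when the path is right.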

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#107 Post by obxjerry »

Sylvander,

1. It's been a while but I'm pretty sure I got further than you think I did with the Windows Universal Boot Floppy. There was no doubt Windows was on the one and only disk, the one and only partition. The first option got the missing or corrupted <Windows root>\system32\hal.dll file every time. I hoped it might find it the fourth or fifth time. :? I really think I got to the HDD. The other options were a definite no go. I didn't try all of them.

2. I have no idea what chkdsk /r did or what it did it to. I know it checks the disk for errors and repairs. Everything else (trying to repair boot.ini) I tried came back with a failure message. Chkdsk /r ran for a while and showed one repair, then I exited and booted right into XP with no aids.

3. My plan was to boot into W*****s and do nothing but run virus scans hopefully finding and controlling the virus. Are you saying I still may be able to find what the virus was? I'm thinking what I have now is damage left by the virus and not the virus still working.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

lurking viruses

#108 Post by prehistoric »

Jerry,

I strongly suspect there is still something in your system(s). It may not be "the" virus which caused the damage, but the likelihood of something providing an entry point for malware is pretty high. I think your son's suspicions are reasonable.

Sites which are topically popular for a short time, like the ones connected with the Winter Olympics, are especially good sources for malware distribution. Manipulating Search Engine Optimization can steer people places they never intended to go. Things like cross-site scripting can hit you even if the main site is pretty secure. There are tricks which will cause most eyes to glaze over if you explain exactly what is going on. Nobody can stay sane and constantly worry about them while doing other things. You have to trust somebody/something. This is where the toxic stuff gains entry. After that, a wide range of consequences may follow.

Here's an example from a "service call" I made today. (The quotes are because I am not really in business, and don't accept money. I also don't advertise that I can fix W*****s. Part of the reason I don't promise is that I don't know how much longer it will be possible to keep such systems functioning. I always use the opportunity to show Puppy in action. Today was no exception.) This is close to a worst case.

First problem, can't boot into anything except a damaged XP system. Once in that system, can't use the Internet. Attempts to boot Avira rescue CD fail. Can't mount USB flash drive to extract Spybot S&D. I drop back to my super multi-boot floppy, and use it to boot up Zigbert's Stardust 013 on CD. This is basically Puppy 4.3.1, with all the known bug fixes, plus a nice new look and control center. Among those fixes is one that allows F-prot scanner to install and update properly.

I set up Stardust 013 on the machine, connect to the Internet, update F-Prot, mount the XP partition, and scan it. Lots of problems, some with file system, some with scanner, but also a number of known pieces of malware. The important ones affecting my ability to fix things turned out to be: reboot.exe, registry-first-aid, a downloader, and a Trojan named dropper. Norton Anti-Virus was installed, but protection had expired. It had then been infected itself. (Black hats are targeting popular security software which has expired. Once they see what the update accomplishes, they know about a vulnerability. There's always someone out there who didn't maintain protection.)

Once I have the first crop removed or renamed, I can go back to booting Windoze. There follows a long series of operations to remove things which may be legitimate, but are impeding analysis. HP Imaging Software keeps trying to update things that are not vital. So do Adobe, and Apple. Registry First Aid gets removed, but not without a fight. Norton goes, since it isn't doing any good.

I install Comodo Internet Security (free download) because this machine has an Internet connection which transfers about 1/2 MB/s. (After various malware definitions are added, the total size is around 135 MB.) I also install the most critical missing W*****s updates.

Next, I run a scan using Comodo. This goes on for several hours, turning up another 19 threats; most are real. Some got in through unpatched vulnerabilities in M$ Office, some through Netscape 7.2, some through IE7, and so on. I install even more Windoze updates.

While the slower operations are running, I uninstall a variety of things that don't serve any present purpose. With the latest and greatest java run-time environment, and Firefox 3.6, we probably don't need half-a-dozen previous versions and older browsers. I run Comodo System Cleaner to straighten out the registry left from all the previous operations. It fixes 400 errors.

At this point I'm ready to run Trendmicro HouseCall as a cross-check. There's a reason for this high level of suspicion.

Commercial malware is a paying business which runs QA checks to make sure new products will be missed by most scanners. If 30% of them catch it, it fails, and gets sent back for rework. This tells me that having found a dozen real threats, not just some security company hyperventilating about threats, I can be almost certain there will be some missed. (If I am in doubt about which are real, I can submit files to competitors for analysis.)

A second angle is that new malware often uses old malware as a payload. You can remove the old threat without suspecting it was put there so you would find something besides the program which infected your machine. While the payload is working, it uses tried and true methods of extracting money from the opportunity. The criminal doesn't have to create any new infrastructure to support it.

Anyone can tell me this kind of work is uneconomical. If I wasn't especially curious, I wouldn't waste my time. I have an answer to the problem which satisfies me. I'm still waiting for the rest of the world to catch on.

p.s. the battery on that motherboard was dead, too.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#109 Post by Sylvander »

1. "The first option got the missing or corrupted <Windows root>\system32\hal.dll file every time"
Which means there WAS a problem, something external to or beyond the HDD boot arrangements.
This might have been a wrong name for the Windows partition in the floppy boot.ini file...
Or a problem with [access to?] the Windows folder or its contents...
e.g. The one it turned out to be = the Windows partition file system.

2. "I have no idea what chkdsk /r did or what it did it to"
It scanned all the partition file systems it could find, and fixed/repaired any faults found.

3. "booted right into XP with no aids"
So ONE problem found and fixed. :D

4. "Are you saying I still may be able to find what the virus was?"
Yes. :D

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#110 Post by cthisbear »

As a last resort ComboFix is mentioned on Whirlpool forums.

http://forums.whirlpool.net.au/forum/10

////////////////

Once again I cannot speak too highly of the Falcon boot cd.
Not an MS fan but this has a live scanner...updates itself..
probably Windows Defender.

Used System Restore on a Vista laptop yesterday... perfect.
Stops autoruns etc.

http://thepiratebay.org/torrent/5283510 ... s_9.9__ERD


He's just released a 50 meg special...no ERD

http://thepiratebay.org/torrent/5373232 ... _Kon-Boot_

This bloke is good.

////////////

The Avast Bart boot cd does not like less than 256 megs ram.
Better at 512. So running Avast in Windows can probably have issues.

Again...try Hitman Pro...and the one time fix.

//////////

Sometimes though.. you need to re-install.
But use driver magician lite to back up the drivers.
Runs off most windows rescue cds...Ubcd4Win etc.

Chris.

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#111 Post by Aitch »

Jerry

I would recommend adding a simple firewall program to any PC which doesn't have one, but runs Windoze

Here's a free version of Kerio, which is an easy install - you just need to 'enable' programs you want to allow on the web, via a popup

http://www.321download.com/LastFreeware ... opf215.zip

I would also recommend MYWOT, [can be used for IE or f/f] and the Firefox browser

MYWOT warns you about dangerous sites with a red warning, and you just back out or close the browser

http://www.mywot.com/en/download/ie

Firefox, use an early version 2.xxx for Win95/98 and it should be OK

Firefox is less likely to be attacked than IE, IMO

http://www.oldapps.com/firefox.php

If you cannot get your Windows setup stable, you will need to save any files you want to keep, to CD or USB drive, and re-install

Good luck - good progress!

Aitch :)

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#112 Post by obxjerry »

I'm still writing back after a quick read through :twisted: My son blamed all of this on his Norton AV expiring and going to free Avast on my recommendation (it runs faster). His old machine is now being stored as a spare. He's using mostly Puppy and some Ubuntu.

Our ME and 98se machines are going to lose their ability to connect to the internet while running W*****s. There just isn't enough virus protection for them. If their AV doesn't work with the old OSs why are they vulnerable to the current viruses?

The plan is evolving for the 2 remaining XP machines. I can see that they will be unsupported, out-dated systems in the near future. We are new to Linux and we were already using box stock Puppy 95% of the time. I do see Linux users use firewalls so firewalls are in my future.

It still is in my mind that I should be able to find the virus on the floppies. Is that possible? Is there a safe way to do it? I did see there is a bit of data on a floppy that normally is not written over but can carry a virus. So, what they are saying is a formatted floppy is still not completely safe.

Right now I would say I'm taking a breather, waiting for the other shoe to drop and avoiding W*****s. I hope that works. I have been looking for the way to label this thread SOLVED. I haven't found that yet.

Thanks for your help.

Hugh
Posts: 138
Joined: Sat 24 Jun 2006, 21:53
Location: Imperial Warmongering Dystopia of Amerika

Don't forget to 'clean' the opticals...

#113 Post by Hugh »

What an incredibly interesting discussion!

All of us who've used Windows have experienced very similar mysterious 'crashes.' While our first inclination is to believe we've been infected with some dread virus, in truth, such crashes are in fact nearly 'normal' for Windows.

As Windows is used it slowly 'grows' and accumulates numerous odds and ends that it eventually is unable to sort out and goes 'berserk.'

Many believe it is all part of the 'design.'

Thankfully, Puppy is a well behaved alternative!

By the way, those CD and DVD drives do require frequent 'cleaning' either with one of those special disks or with a Q tip and isopropyl alcohol. The tiny lens gets dusty in use and unless cleaned regularly will result in errors or the inability to read certain of your CDs and DVDs.

To assure the most reliable 'burn' when making your CDs and DVDs always burn at the slowest possible speed. High speed burns are notoriously difficult to be 'seen' by many CD and or DVD Roms.

Thanks to all who contributed to this very informative saga!

Various Old Computers 100MHz - 1.9GHz
First Puppy: 2.00 Presently: TahrPup 6.0.3
HDD Filesystem: FAT32/ext3; Frugal Always

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#114 Post by Aitch »

Jerry

The way to mark the thread 'Solved', simply requires you to open your very first post in the thread, and add 'Solved' to the Subject line, above the post which reads 'I got wacked real good x 3'
You just need to click the edit button, next to 'quote', top right to do any edits/changes on any post you make

thanks

Aitch :)

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

free advice

#115 Post by prehistoric »

obxjerry wrote: I'm still writing back after a quick read through :twisted: My son blamed all of this on his Norton AV expiring and going to free Avast on my recommendation (it runs faster). His old machine is now being stored as a spare. He's using mostly Puppy and some Ubuntu...

As I described before, there are deliberate on-going attempts to exploit systems where Norton AV protection has expired. Avast! is reasonable protection, but far from foolproof. I've seen one system which was clobbered on which it was up-to-date and working. I'm not sure I'd depend on any single company for protection, if my business depended on running Windoze.

obxjerry wrote: Our ME and 98se machines are going to lose their ability to connect to the internet while running W*****s. There just isn't enough virus protection for them. If their AV doesn't work with the old OSs why are they vulnerable to the current viruses?

Because even modern versions of Windoze support enough old programs to inherit vulnerabilities. Support for older versions was dropped because it was uneconomical. Both systems you mention are extremely vulnerable.

obxjerry wrote: The plan is evolving for the 2 remaining XP machines. I can see that they will be unsupported, out-dated systems in the near future. We are new to Linux and we were already using box stock Puppy 95% of the time. I do see Linux users use firewalls so firewalls are in my future.

On Windoze systems you absolutely, positively must have a firewall, and the one that comes with the factory version is very poor. On Puppy, I use the default firewall all the time, unless I need to turn it off to set up a network.

obxjerry wrote: It still is in my mind that I should be able to find the virus on the floppies. Is that possible? Is there a safe way to do it? I did see there is a bit of data on a floppy that normally is not written over but can carry a virus. So, what they are saying is a formatted floppy is still not completely safe.

I don't know exactly what you've done, but I would bet on there being something in the boot block. You may also have a floppy which has been infected, but not formatted. When you scan for malware, enable any option to scan boot blocks. If you boot a separate system and scan from that, you completely avoid risks to your Windoze system. That's why we use things like that Avira Rescue CD.

One reason you might not find anything is that many nasty tricks with floppies went out of fashion some time back. Many companies selling security products didn't exist at that time.

Even if you don't find the culprit there, it had to come from somewhere. You should have found either that program, or another nasty which delivered the payload, on the original machine responsible.
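
Added example, written for this edit and not code from prehistoric or from any scanner the thread mentions: a Python inspector for the "boot block" of a floppy, meant to be run from a separately booted Linux (a Puppy CD, say) so the disk is only ever opened read-only and nothing on it is executed. It reads sector 0 of an image file or a block device (/dev/fd0 on Linux is an assumption about your setup), decodes the FAT12 BIOS Parameter Block, applies the sanity checks a scanner's "scan boot blocks" option would make, and hashes the boot-code region against a set of known-good hashes. That last check is the useful one: a boot-sector infector keeps the BPB intact so DOS still reads the disk and only swaps in its own code, which the BPB checks cannot see. The two sample sectors, their stand-in code bytes and the KNOWN_GOOD set are constructed for the demo; for real use you replace KNOWN_GOOD with hashes taken from floppies you trust.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
CODE_START = 0x3E   # first byte after the FAT12 extended BIOS Parameter Block
CODE_END = 0x1FE    # the 55 AA boot signature occupies 0x1FE..0x1FF
COMMON_SIZES = {720, 1440, 2400, 2880}   # total sectors on 360K/720K/1.2M/1.44M floppies


@dataclass
class BootSector:
    jump: bytes
    oem: str
    bytes_per_sector: int
    sectors_per_cluster: int
    reserved_sectors: int
    fat_count: int
    root_entries: int
    total_sectors: int
    media: int
    sectors_per_fat: int
    signature: int
    code_sha256: str


def parse_boot_sector(data: bytes) -> BootSector:
    """Decode the FAT12 BPB fields (offset 0x0B..0x17) and hash the boot-code region."""
    if len(data) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    bps, spc, rsvd, fats, root, total, media, spf = struct.unpack_from("<HBHBHHBH", data, 0x0B)
    return BootSector(
        jump=bytes(data[0:3]),
        oem=data[3:11].decode("ascii", errors="replace"),
        bytes_per_sector=bps,
        sectors_per_cluster=spc,
        reserved_sectors=rsvd,
        fat_count=fats,
        root_entries=root,
        total_sectors=total,
        media=media,
        sectors_per_fat=spf,
        signature=struct.unpack_from("<H", data, 0x1FE)[0],
        code_sha256=hashlib.sha256(data[CODE_START:CODE_END]).hexdigest(),
    )


def findings(bs: BootSector, known_good: set) -> list:
    """Plain-words checks on one decoded boot sector; empty list means nothing odd."""
    issues = []
    if bs.signature != 0xAA55:                       # bytes 55 AA read little-endian
        issues.append("missing 55 AA boot signature")
    short_jump = bs.jump[0] == 0xEB and bs.jump[2] == 0x90
    if not short_jump and bs.jump[0] != 0xE9:
        issues.append(f"unusual first instruction {bs.jump.hex()}")
    if bs.bytes_per_sector != 512 or bs.fat_count not in (1, 2) or bs.sectors_per_cluster == 0:
        issues.append("BPB values are not those of a DOS/Windows floppy")
    if bs.total_sectors not in COMMON_SIZES:
        issues.append(f"total sector count {bs.total_sectors} is not a standard floppy size")
    if bs.code_sha256 not in known_good:
        # an infector leaves the BPB alone and replaces only the code, so only the hash sees it
        issues.append("boot code does not match a known-good sector; treat as suspect")
    return issues


def build_sample_sector(code: bytes) -> bytes:
    """Constructed 1.44 MB FAT12 boot sector; `code` is stand-in filler, not real boot code."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"                 # JMP short 0x3E; NOP
    sector[3:11] = b"MSWIN4.1"                    # OEM name
    struct.pack_into("<HBHBHHBH", sector, 0x0B, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    # sectors/track, heads, hidden, large total, drive, reserved, ext sig, volume id, label, fs type
    struct.pack_into("<HHIIBBBI11s8s", sector, 0x18, 18, 2, 0, 0, 0, 0, 0x29,
                     0x12345678, b"NO NAME    ", b"FAT12   ")
    code = code[: CODE_END - CODE_START]
    sector[CODE_START:CODE_START + len(code)] = code
    sector[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sector)


# Stand-in code bodies for the demo (assumptions, not real DOS boot code).
CLEAN_SECTOR = build_sample_sector(b"\xFA\x31\xC0\xEB\xFE" + b"\x90" * 40)
TAMPERED_SECTOR = build_sample_sector(b"\xFA\xE8\x10\x00\xEB\xFE" + b"\x90" * 40)
KNOWN_GOOD = {parse_boot_sector(CLEAN_SECTOR).code_sha256}   # replace with hashes of trusted disks


def inspect(data: bytes, known_good=KNOWN_GOOD) -> list:
    return findings(parse_boot_sector(data), known_good)


def inspect_device(path: str, known_good=KNOWN_GOOD) -> list:
    """Read sector 0 of an image file or block device (e.g. /dev/fd0 on Linux) read-only."""
    with open(path, "rb") as fh:
        return inspect(fh.read(SECTOR_SIZE), known_good)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = inspect_device(target) if target else inspect(TAMPERED_SECTOR)
    print("\n".join(result) or "no findings")
```

With no argument it inspects the tampered sample and reports only the hash mismatch, since that sector's BPB is perfectly normal; given a path it reads the real disk. Hashing the code region rather than the whole sector is deliberate: the volume id and label differ from disk to disk, the loader code does not, so one hash per DOS/Windows version covers every floppy formatted by it.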

RetroTechGuy
Posts: 2947
Joined: Tue 15 Dec 2009, 17:20
Location: USA

#116 Post by RetroTechGuy »

obxjerry wrote: Our ME and 98se machines are going to lose their ability to connect to the internet while running W*****s. There just isn't enough virus protection for them. If their AV doesn't work with the old OSs why are they vulnerable to the current viruses?
The big problem with the old systems is that you can't update Firefox past 2.x (which is no longer supported by many sites).

I ran my Win98 box "bare naked" for quite some time (not when Win98 was common, but removed the virus protection a couple years back, and ran it until quite recently). It was amusing to see an error like "upgrade your operating system to run this program <i.e. virus>..."

Basically, the more "helpful" an operating system is ("I'm automatically running this program for your convenience"), the more likely it will help a virus infect your machine.

RetroTechGuy
Posts: 2947
Joined: Tue 15 Dec 2009, 17:20
Location: USA

Re: Don't forget to 'clean' the opticals...

#117 Post by RetroTechGuy »

Hugh wrote: What an incredibly interesting discussion!

All of us who've used Windows have experienced very similar mysterious 'crashes.' While our first inclination is to believe we've been infected with some dread virus, in truth, such crashes are in fact nearly 'normal' for Windows.

Yup. Some of the newer tools do a fair job of keeping the registry in order, but eventually the only solution is to scrub the system and do a fresh install (or to restore from your backup that you made, shortly after you did your last reinstall ;) ).

I have had pretty good luck with CCleaner on my Win98 box (and it seems to be fine on my XP system, too - but that always makes me a little more nervous).

Hugh wrote: As Windows is used it slowly 'grows' and accumulates numerous odds and ends that it eventually is unable to sort out and goes 'berserk.'

I always called it "Windows Inertia". It accumulates "mass" until it simply cannot move...

Hugh wrote: Many believe it is all part of the 'design.'

To keep you in practice, by continually reinstalling the OS?... :twisted:

"Microsoft: What do you want to reinstall today"

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#118 Post by obxjerry »

Thanks Aitch. I had done just what you said but when I tried preview it didn't change the main heading so I didn't think that was the way. I went the extra step and it worked.

The computers are working better. About all I'm doing with W*****s is making the XPs smaller in order to install Linux and copying data off.

Ubuntu was installed on my son's computer when I bought it and it impressed me. I have burned Kubuntu and plan to put that on our highest spec. computer even though it gets used least.

I am still just blown away that Puppy starts out so small and stays that way. If it grows you know exactly why. The computer I'm on now has Puppy that is using 430 MB. I bet I've used that much space in one XP update session and who knows what that data is?

Thanks again,
Jerry

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#119 Post by Aitch »

Jerry

An urgent tip! Don't try and re-size windoze partitions without first running scandisk/chkdsk and then defrag, or you could get a whole heap of new problems.
When you reboot, if windoze ever tries to do a scandisk/chkdsk, exit out by pressing a key, wait for it to fire up windoze, then run it manually first.
Experience tells me this saves losing installs.

btw - well persevered!

Aitch :)

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

follow-up report

#120 Post by prehistoric »

Here's a follow-up report on that other clobbered system I rescued recently.

It now runs chkdsk without problems. I'm not completely through with malware scans, but the things I'm finding are less immediate threats than trash left by previous problems.

As predicted, that system was not clean after one scanner found and removed 19 threats. I ran BitDefender's on-line scan for the first time (in my experience.) It reported an old email virus, Win32 bugbear.a. Most copies of this I see are later variants. Moral: even old threats can resurface.
---------
Added: Still later, I ran yet another scan. Earlier scans had been restricted to things I needed just to run programs under Windoze to recover. This time I found another 8 threats hidden in restore points. If you have read this thread from the beginning, you might have noticed that I did not recommend restoring the system to an earlier date. At one time this was a great way to deal with problems. Today, we have some malware which infects the restore point, or the restore operation itself, so that it will install malware even if there was none on the machine at the time a restore point was created.
---------
I tried BitDefender's on-line scan because there was a problem with one of the system calls needed by the Trend Micro "HouseCall" on-line scanner. This is not terribly surprising, as I have pulled out all kinds of things to stop further infections from occurring while I'm working. One way I've simplified the problem is to uninstall the HP software which goes with the Officejet multifunction machine. I'll install the latest downloaded version after I've got everything else clean and stable.

The reason is two-fold: it had been updated repeatedly, and was not consistent; malware authors have exploited programs doing automatic updates to install their own code. I've seen this twice before with HP imaging software. The problem is not bad security by HP, it is the widespread availability of this software on poorly protected machines, plus the high value to criminals of corrupting an updater with a legitimate function.
----------
Added: Did reinstall this, and it looks good. The problem did not come from HP.
----------
There was also that fake picture which installed malware. This illustrates a large and growing problem. With cell phones having cameras and micro-SD cards, in addition to all the regular digital cameras and mp3/4 players, it is very easy for an infection to be transmitted through the exchange of pictures or video. It is all too likely someone plugging in, for example, an 8 GB SD card from a camera will tell the security software to skip the malware scan if they want to show people a picture right away.

I don't see malware becoming much more sophisticated in a coding sense, but the "social engineering" aspects are getting slicker. The juvenile mischief of writing floppies that immediately disable a machine, as in the main problem on this thread, runs in the opposite direction. There is no way to ignore it, and it did bring in people who will go looking for other problems.

Psst! Hey, real crooks, maybe you should hunt down the guy who did that. He's hurting business..:twisted:

Final advice for Jerry: use external drives to store complete backups of your system partition. If they aren't connected, they can't be infected. Plan things out in advance so you can do a complete restore if the OS is suspect or the main disk dies. Maintain your skills with Puppy, so you can impress people by rescuing data from compromised systems.

If you don't get hit, after doing such preparation, don't feel cheated. From long experience, I can tell you there are mysterious forces at work which will hold evil at bay if you are well-prepared to cope.

If you don't believe in these forces, I can only suggest that the next time you are waiting for an important phone call you get in the shower. In my personal experience, that vulnerability almost always draws a call.

Regards,

prehistoric
