I got wacked real good x 3 (SOLVED)

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#46 Post by Sylvander »

1. "The 3 files for the boot floppy are just copied to the disk?"
(a) Yes, just follow the instructions given in the webpage.
i.e.
"Format a floppy disk using a Windows NT 4.0, 2000, XP or Server 2003 machine (not windows 9x!)
format a: /u
"
So you are using a formatted floppy.
Then...
"Copy NTDETECT.COM and NTLDR onto the floppy disk"
So you now have 2 of the 3 needed files on the floppy.
Then...
"Download this BOOT.INI file and put it onto the floppy disk"
This boot.ini file is a special customized copy that offers 8 choices of partition to attempt to boot.
Now you have a formatted floppy with the 3 necessary files on it.
SO...

(b) Boot the floppy.

2. "do I right click the boot.ini and it creates the boot floppy?"
No...
Just copy the 3 files to the floppy as above.

3. "Any help there to get to a EBCD?"
I'd need to host my copy of the [FREE] 1st version of the EBCD somewhere.
[If anyone wants it]
The present EBCD version is version 2 I believe = no longer free, and not so comprehensive [lots of things it doesn't do anymore].

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

progress

#47 Post by prehistoric »

This is indeed progress. At this point, I'm guessing your MBR was clobbered. Malware doing this is not hard to create. It can even get clobbered by accident. Zapping the BIOS is harder.

We are still dealing with suspect machines. If you succeed in booting, via the route Sylvander has suggested, you will still be running a suspect Windows installation, and should exercise caution. Sylvander is probably more experienced than I am with Windows, and operates in your time zone. Listen to him.

If I were there myself, I would start with FreeDOS, because that is the weakest system that would allow me to check the BIOS, and gives any possible malware as little to work with as possible. You could hide an elephant in a typical Windows installation.

All good utilities to flash a BIOS have an option to save the current BIOS before flashing. This can be used for another purpose. If you make a backup file of the current BIOS, and compare it bit-for-bit to the BIOS image file downloaded from the OEM site, you can tell if the BIOS is okay without risking a flash operation. (The BIOS ID you get during POST should allow you to download exactly the right file.)

Once you are sure you have a good BIOS, the next order of business involves recovering data and eliminating infections. When you recover data, I recommend using a non-Windows OS like Puppy first, because the malware was tailored for Windows.

p.s. You haven't stopped anyone from posting. The forum software allows overlapping posts. The apologies are about possible confusion.

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#48 Post by obxjerry »

I did make a boot floppy. It didn't boot the hard drive, there was no CD in the tray. I'll type in the text it produced later.

Prehistoric, thanks for the clarification on posting. You folks have been so kind I hated to think I had caused problems.

The same place the computer tells me I can press Del to go to the BIOS, it gives me a way to awdflash, if that helps.

There is rain forecasted for here late today. Today is break the garden day+Jerry likes to eat=little computer time today. Sorry to put this on hold.

Take care

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#49 Post by Sylvander »

1. "It didn't boot the hard drive"
(a) Try each of the 8 partitions in turn.
If it fails to boot Windows on each of the 8...
Then, either...
(b) The Windows folder isn't functional.
[Doesn't exist or is corrupted]...
And/or...
(c) The BIOS cannot see the HDD.
[BIOS or its config settings are messed up, or the controller isn't doing its job (configured off?), or some hardware problem]
Make sure the CMOS jumper isn't in the "clear" position.
And/or...
(d) The partition file tables have been messed up [deleted?]
I think perhaps TestDisk.exe run from a bootable floppy may be able to make a non-bootable HDD bootable once again.
I've used it to do just that, and it was amazing.
I think it restored [a good/backup copy of] an improperly deleted, or corrupted, partition or partition file table.
But then [prior to that], I was able to boot Windows using the Windows Universal Boot Floppy...
But it only succeeded in booting Windows after I'd edited the boot.ini file to change the name of the Windows folder [from WINNT] to "WINDOWS".

(e) A BootIT NG bootable floppy is a great tool [I have it but don't use it lots].
I believe it automatically fixes certain basic problems, so that people are astonished that just running it fixed their problem.
All hopes of a fix by such as these depend on the BIOS being able to see the drive.
This may confirm whether the drive [and its parts] can be seen.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

award flash utility

#50 Post by prehistoric »

The normal award flash utility does have options to save the current BIOS without programming the BIOS with any new binary data. On the command line, this uses the /Pn and /Sy options. If you have the checksum, from the manufacturer's site, you can check for BIOS corruption without either flashing or saving the existing BIOS code, using /CKSxxxx, where xxxx is the hexadecimal value of the checksum. How this works with awardflash in the BIOS depends on the manufacturer. You will need to download the manual.

This may be wasted effort, but I'm being extremely cautious.

If, as we suspect, the MBR has been clobbered without any other damage to the Windows installation, the NT bootloader will still be installed on the partition with the OS. (You can also install GRUB to the partition holding Puppy, in addition to installing it to the MBR, so it can be used if the MBR gets zapped.) The problem is that the partition table was likely clobbered along with the MBR. In that case, you need the recovery tool suggested above. Hopefully, you won't need more advanced methods, though you should know these exist, if needed.

That still leaves the problems of recovering your important personal files, and removing any possible malware which caused the problem, but things are now moving in the right direction.

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#51 Post by obxjerry »

I was fooling with the computer during a water break. I booted D Small Linux. I found a place to mount the hard drive. I can't find much but I did find a list of DSL system stats. The last line says /dev/hda1 size 9.5G used 8.5G available 1.1G use 89% /mnt/hda1

The first disk I made wasn't exactly as prescribed. I couldn't find NTLDR and NTDETECT on my computer so I found them online. I also had problems with boot.ini. I found instructions online that said to cut and paste to notepad and name and install the file to the floppy. They gave the file that would be used for W*****s on a partition by itself. It was handy so I took it.

Later when I reread posts in the forum I saw I should try all the options so I burned another disk. That one is partly in French. If I choose first disk, first partition it gives me the boot option page in French. Normal boot takes me to a blue screen I haven't seen before that says "Microsoft (R) Windows (R) Version 5.1 (Build 2600: Service Pack 2) 1 System Processor [256 MB Memory]". That holds about half a minute then reboots. The next 7 options give me 7 lines of text in French that I'm pretty sure says there's a problem.

The first disk I made ends up with about a half page of text. I can type that in if needed.

I'm going to have to reread the 2 posts preceding this one a few more times before I understand them.

Thanks

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#52 Post by obxjerry »

Sorry Double Post

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

over to Sylvander

#53 Post by prehistoric »

Jerry,

If DSLinux says the file system is 89% full, it is accessing the partition. This suggests your machine might not be in bad shape at all, but we still need to be cautious about malware. I'm a little uncertain about that boot disk you describe.

As I said before, I can't easily test boot floppies on Windows machines. Maybe Sylvander can help.

His suggestion about bootITng sounds good. (Check the link.) I can download that without buying it, even if I can't test. I'm not sure what the download will do, but they say there is a free 30 day trial. This could be enough to get you back to where you were.

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#54 Post by obxjerry »

I've reread the 2 posts.

The computer is a custom build. The motherboard has AK75 REV A printed on it but I haven't found a manufacturer name. From what I've seen online AK75 could be made by DFI, Aopen, Free, etc. Is there a way to find out who made the board so I know where to look for a manual?

Prehistoric, You mentioned something about Puppy on a partition. I know when I am discussing 5 computers there is bound to be confusion. This computer is XP only.

I checked out BootIt ng. I'll have to weigh my options before I shell out $35 for software. I can see that in the case of recovering valuable data it would be well worth it. Am I wrong in thinking I may be able to easily format the drives and install Linux? At this point being rid of W*****s and all its problems sounds great.

Take care

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#55 Post by Sylvander »

Click here to be taken to the download page for the ebcd061p.iso file that can be used to make the full PRO version of the EBCD bootable CD.
Anyone who wants a copy is free to download it I believe; it was originally given as a FREE disk.

Boot the EBCD...
At the 1st menu hit <Enter> to be taken to the 2nd menu...
The "Create Boot Floppy" program is on the 2nd menu.
Hit the down arrow key to get to the "Create Boot Floppy" [or something similar], and hit <Enter> with a floppy disk in the FDD.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

Oops!

#56 Post by prehistoric »

Jerry, I don't know where I got the idea you were in the UK. Sorry for any extra confusion. I usually find enough without trying.

On bootITng, the $35 is only if you keep it after the 30 day free trial. I was suggesting it might repair your installation to the point you would no longer need help. You can install something else long before the free trial ends. Sylvander has another good suggestion.

I've used AK75 boards from Aopen, and that would be my choice for the company most likely to have the correct BIOS. Go by the full BIOS version number shown at the bottom left of your POST screen. If you match that, you will have the correct BIOS.

If that Windows system is like most old systems I have seen filling 89% of the partition, it is infested with malware. If you are able to recover any files you want from the suspect machine, I would say you can wipe Windows and install Puppy without problems. On a home-built machine, there aren't likely to be any sneaky bits of code hidden in dark corners of the disk.

Do you have a Puppy CD already burned, or is that a problem at this stage? If you have the CD, it is simply a matter of using the boot floppy you already have to get to the CD, then doing a repartition (with Gparted) and install according to normal instructions. If you finish up by installing GRUB to boot Puppy, you will have a complete stand-alone system without needing any commercial software.

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#57 Post by obxjerry »

Thanks Sylvander. I'm downloading it now. I'm not sure when I'll get it burned to CD. I'd think surely in the next day or two. I'm thinking my son had an external CD writer a few years ago.

I don't see how my son has had XP, I know for 7 years, contained to a 10 GB hard drive. My wife and I have a hard time keeping ours contained to 40 GB. I have no idea what all that data is.

It's still his computer. I don't know what he wants to do with it. A good friend of his built it as his personal computer so it may have some sentimental value.

I have 2 Puppy CDs. The laptop wouldn't run 4.3.1. I had to burn a version for older hardware for it. When the computers crashed I was working on getting Kmymoney2 to replace Quicken.

The download is finished. One more step toward my destination.

Thanks folks

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#58 Post by Sylvander »

md5sum = bdacb69f384af3ab50f2ad716b4f3460 EBCD061P.ISO

Forgot to supply that. :oops:

My copy here is 60.4MB

By-the-way...
If you make and boot a BootIT-NG bootable floppy...
When asked if you want to install to the HDD...
DON'T do that, but skip that instead.
Can't remember the exact wording.
You then go to "Working with partitions".
If you're thinking of trying to see what it can do, I'd need to boot my copy and remind myself of its features.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#59 Post by Sylvander »

Thread = Free download: I made Bootable floppy [ptedit+partinfo+edit.com+DOSprompt+info.txt]
File = pteditSE.zip

I made this way back in 2002!
partinfo displays the HDD's partition info, which is automatically saved to the info.txt file on the floppy disk.
ptedit displays the HDD partition info, which can be edited [to fix problems?]
You'd need the help of an expert if [like me] you're not one yourself. :D

This might tell you:
Whether your HDD can be seen...
And whether the partitions look good or not.
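Prehistoric's distinction in #50 between a clobbered MBR and a clobbered partition table, and the check Sylvander describes here with partinfo/ptedit, both come down to reading the first sector of the disk. Below is an added Python example (not code from the thread or from any tool named in it) that decodes a 512-byte MBR into its boot-code, partition-table and signature regions and reports what is missing; both sample sectors are constructed, and the 9.5 GB NTFS partition mirrors the size DSL reported for /dev/hda1.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: the small loader the BIOS jumps to
ENTRY_LEN = 16               # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510..511: must be present for the BIOS to boot the sector
NTFS_TYPE = 0x07

def parse_mbr(sector):
    """Split a 512-byte MBR into its three regions and decode the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for slot in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, BOOT_CODE_LEN + slot * ENTRY_LEN)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue                      # unused slot
        partitions.append({"slot": slot, "status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors,
                           "size_mib": sectors * SECTOR_SIZE / 2**20})
    return {"signature_ok": sector[510:] == SIGNATURE,
            "boot_code_blank": not any(sector[:BOOT_CODE_LEN]),
            "partitions": partitions}

def diagnose(info):
    """Return a list of findings; an empty list means the sector looks like a healthy single-OS MBR."""
    findings = []
    if not info["signature_ok"]:
        findings.append("no 0x55AA signature: the BIOS will not boot from this sector")
    if info["boot_code_blank"]:
        findings.append("boot code region is zeroed: loader gone, partition table may still be intact")
    if not info["partitions"]:
        findings.append("partition table empty: entries zeroed, file systems may still be on disk")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"slot {p['slot']}: status byte {p['status']:#04x} is garbage")
        if p["lba_start"] < 1:
            findings.append(f"slot {p['slot']}: partition would overlap the MBR itself")
    if info["partitions"] and not any(p["status"] == 0x80 for p in info["partitions"]):
        findings.append("no active partition: a generic loader has nothing to chain to")
    return findings

def make_mbr(entries, boot_code=b"\xfa\x33\xc0", with_signature=True):
    """Build a constructed MBR for testing: entries are (status, type, lba_start, sectors)."""
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0\0\0", t, b"\0\0\0", start, n)
                     for s, t, start, n in entries).ljust(4 * ENTRY_LEN, b"\0")
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + table + (SIGNATURE if with_signature else b"\0\0")

# Constructed samples: a healthy XP-style disk (one active NTFS partition of about 9.5 GB
# starting at sector 63) and a sector wiped to zeros, the "clobbered MBR" case.
HEALTHY = make_mbr([(0x80, NTFS_TYPE, 63, 19922944)])
WIPED = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY), ("wiped", WIPED)):
        print(name, parse_mbr(sector)["partitions"], diagnose(parse_mbr(sector)))
```

On a real disk the same 512 bytes come from the first sector of the device, read from a live CD such as Puppy, never from the suspect Windows installation.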

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#60 Post by Sylvander »

1. FYI:
When at the 2nd menu in the EBCD...
Do NOT be tempted to use "Recover MBR" if your Windows OS is XP or later.

It works fine on Win2000 [the only Windows I have installed], so I've used it a lot on my own PC.
It writes a generic MBR in less than a second.
Great for recovering a working MBR [that will boot Win2000, but] that doesn't include GRUB.

-----------------------------------------------------------------------------------------------

2. I'm reading my BiNG quickstart pdf file and it says that BiNG will [at "view MBR"], write a "Std MBR".
Not sure if that's the same as the EBCD [but I think it is], or different.
The bootitng.pdf says:
"Std MBR is equivalent to fdisk/mbr which creates the small program to boot the active partition. "
Which I believe isn't suitable for use with XP and later. [Same as the EBCD?]
But then my BiNG is an older copy.

3. Useful floppies.

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#61 Post by Aitch »

You/others may find this useful, too
Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:

* repair a damaged system,
* rescue data,
* scan the system for virus infections.

Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
http://www.free-av.com/en/tools/12/avir ... ystem.html

or maybe too many cooks? :lol:

Aitch :)

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#62 Post by obxjerry »

First, the good news. I learned how to and ran my first md5 checksum and they matched. My EBCD061P.ISO file says it has 6334054 bytes. I hope that will make a 60.4MB copy. Sylvander, when you said I wasn't an expert I'll bet you didn't know how much you were understating the fact.

Aitch, don't you worry about too many cooks. I need all the help I can get. I talked to my wife. It seems formatting the hard drives isn't as good an option as I thought.

Until I hear something else I'm headed down the EBCD path. I'll try something else if that doesn't work.

As always you have my thanks.

Jerry

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

recovering data without spreading malware

#63 Post by prehistoric »

While we seem to be on the road to recovery here, there are some loose ends left. You still have three machines with suspect hard drives, several flash drives which may have been infected, and a number of floppies very likely to be infected. The malware doesn't appear to be sophisticated, but it is malicious.

You have an easy solution for data storage which has no data you want to preserve, format the medium and start over. This is likely to be the case for those floppies. I'm assuming your wife told you about data she wants preserved on those machines.

Where you want to preserve data, you should avoid copying it from suspect media using Windows -- the malware is designed to use features of Windows to propagate itself. My advice is to get Puppy running on a machine which can read those media, mount them and copy data which is personally meaningful to you to clean media.

Do this even if you expect to use malware removal tools to clean those media; it is always possible for things to go wrong when dealing with malicious programs. If anything does go wrong, you will have your most meaningful data safe, all you will have to replace is commercial software, etc. Failure may cost you some time and money, but nothing irreplaceable.

When you have saved those things you want to preserve, consider the time and effort of cleaning the media versus the time and effort of starting fresh without worries. In many cases, you will decide to nuke the remaining data by reformatting.

Always keep track mentally of those things which remain suspect. If keeping a mental list is unreliable, you may want to keep a list on paper. I have the habit of placing suspect items in a separate bag or box while I am working, so I am never in doubt about which items need to be checked before they can be considered clean.

When you run a scan on suspect media, make sure you are working from a known-good system with the latest version of the scanning software and the latest updates to malware definitions. In the last year, I have seen a new crop of malware which specifically targets popular anti-virus tools.

Malware which pretends to be a malware-removal tool has been around for years. Know your supplier, and check that you got the correct tool from their site, not a fake tool from a site spoofing theirs. There should be posted checksums for tools you download. Check that you actually got what they are publicly displaying.

Finally, when the crisis is over, and you are running a small system where you have a pretty good idea what is going on, remember to turn off the paranoia. Your family will thank me for this suggestion. :wink:
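Prehistoric's advice to check a download against the checksum the supplier publicly displays (and Sylvander's md5sum for the EBCD ISO), together with the bit-for-bit BIOS comparison he described earlier in the thread, as an added Python example that is not from the thread or from any tool named in it. File names, the stand-in contents and the size values are constructed; the one published hash it reuses is the EBCD061P.ISO md5 from post #58, which the stand-in file of course fails to match.

```python
import hashlib, hmac, os, tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a 60 MB ISO or a BIOS dump is never loaded whole

def md5_file(path):
    """Hex MD5 of a file, computed in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, published_md5, published_size=None):
    """Check a file against the supplier's posted MD5 and, when known, byte size; [] means it matches."""
    problems = []
    size = os.path.getsize(path)
    if published_size is not None and size != published_size:
        problems.append(f"size {size} bytes, expected {published_size}: truncated or wrong file")
    # constant-time compare; lower() lets a checksum pasted in upper case still match
    if not hmac.compare_digest(md5_file(path), published_md5.strip().lower()):
        problems.append("md5 mismatch: not the file the supplier published")
    return problems

def first_difference(path_a, path_b):
    """Bit-for-bit compare of two images, e.g. a BIOS saved by the flash utility and the OEM download.
    Returns None if identical, else (offset, byte_in_a, byte_in_b); a byte is None past a shorter file's end."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if a == b:
                if not a:
                    return None          # both files ended together with no difference
                offset += len(a)
                continue
            for i in range(max(len(a), len(b))):
                ba = a[i] if i < len(a) else None
                bb = b[i] if i < len(b) else None
                if ba != bb:
                    return offset + i, ba, bb

def demo():
    """Run the checks on constructed stand-in files (not the real ISO or BIOS images)."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "stand-in.iso")
        with open(iso, "wb") as f:
            f.write(b"abc")               # md5("abc") = 900150983cd24fb0d6963f7d28e17f72
        dump, oem = os.path.join(d, "bios-dump.bin"), os.path.join(d, "bios-oem.bin")
        with open(oem, "wb") as f:
            f.write(b"\xff" * 8192)
        with open(dump, "wb") as f:
            f.write(b"\xff" * 4096 + b"\x00" + b"\xff" * 4095)   # one flipped byte at offset 4096
        return {
            "ok": verify_download(iso, "900150983CD24FB0D6963F7D28E17F72", 3),
            "truncated": verify_download(iso, "900150983cd24fb0d6963f7d28e17f72", 4),
            "wrong_file": verify_download(iso, "bdacb69f384af3ab50f2ad716b4f3460"),  # md5 posted for EBCD061P.ISO
            "identical": first_difference(oem, oem),
            "corrupted": first_difference(dump, oem),
        }
```

Checking the size alongside the hash catches a truncated or partial download before any time is spent burning it; a mismatched BIOS compare gives the offset to look at without risking a flash.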

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#64 Post by Aitch »

2nd that, prehistoric

....and if you've got a while, it might not be a bad idea to re-read the thread from the start, as there may be some things you overlooked in your earlier flustered state of being.....you seem more stable now, even if the PCs aren't yet, [if that doesn't sound too unkind?]

Aitch :)

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#65 Post by Sylvander »

1. I burned the Avira rescue disk, but couldn't manage to get a good display on my monitor; just a scrambled screen no matter what display settings I chose. :(

Anyone know what I may be doing wrong?

2.
(a) By-the-way, this [version-1] EBCD cannot work with the contents of NTFS partition file systems.
This limitation only applies to tools that work with [e.g. read/write/manipulate] file systems.
Works with earlier systems = FAT32 etc.
The prog to make the floppy is OK of course, but [for example] MS Scandisk [GREAT prog] will only scan FAT[32], not NTFS.
The newer version-2 that isn't free CAN access NTFS, but has very limited functionality I believe.

(b) Don't get afrighted by the white text on a black screen at the 1st menu.
Just hit <Enter> [and make a couple of suitable config choices] to go to the 2nd menu where there is a much nicer colorful GUI, with a mouse cursor if I remember right.
