I got wacked real good x 3 (SOLVED)

For discussions about security.
technosaurus
Posts: 4853
Joined: Mon 19 May 2008, 01:24
Location: Blue Springs, MO

#16 Post by technosaurus »

Barry has recently posted some stuff on his blog for flashing the BIOS using FreeDOS and some other utils... fortunately his usage was just to fix minor hardware compatibility issues with the Gecko EduBook.

http://bkhome.org/blog/?viewDetailed=01400
Check out my github repositories (https://github.com/technosaurus). I may eventually get around to updating my blogspot (http://bashismal.blogspot.com).

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#17 Post by obxjerry »

OK, I've gone from looking for leads to having to choose my next move, great improvement. I tried SBM but it didn't boot. Like most people, working with floppy disks is a distant memory. I'm thinking I should have done more than copy the download to floppy. I had trouble accessing the manual but I have it now. It's hard when you're working with your third- and fourth-string computers.

CMOS lists IDE primary master as Maxtor 2RO10 H1 and IDE secondary master as CD-ROM 52x/AKH. In BIOS sequence they're HDD and CD-ROM. The CD drive has a Puppy CD that has always booted in the past. Messing with BIOS is new territory for me so I'll need baby steps on that.

It's confession time. I see 3 possible ways the computers got infected. First, they all caught it in the wild.

Second, my son brought his infected tower. I connected and disconnected it in one of my systems several times and, without thinking, I connected it to our network. The second computer I discovered with the virus is the one that was out when his was in. The two could not have been connected at the same time.

The third, and I think most likely, I spread the virus with floppies. His computer was running XP. I burned a start disk on our XP computer. His said it couldn't find the COMMAND.COM file. I put it back into ours, searched for the file, didn't find it, so I burned it again. Now his does boot to an A: command prompt. I didn't boot our computer with the floppy. I know that's a no-no. I thought I was safe as long as I didn't boot up from the floppy.

When he brought his computer it had a Windows 98 startup disk in it. The computer that his was taking the place of is a Puppy and ME dual boot. I'm thinking ME burns the same startup disk as 98 so I swapped it back in and burned a startup disk over that disk.

In addition to those floppies I have 2 floppies that get BasicLinux 1.8 running. I'm sure more can be done with these tools than I know how to do.

I'm thinking if the virus is carried on the floppies it should be able to be found there. Is that a possibility?

No memory sticks have been swapped. I was thinking ahead. If the computers were beyond repair, what could I salvage? In my researching viruses on line, I saw the bit about RAM not being 100.00% safe and I passed that on.

Since there has been no RAM switch I'm thinking there is no possibility of a CL latency problem. Am I right?

I don't have 3 opticals connected. In my desperation to get the CD drive to boot I made it first, second and third on the boot sequence. Of course that didn't help.

Honestly, I don't know what the symptoms were on the second of our computers to get the virus.

The third, I had caught up all of the XP updates, ran an Avast scan, downloaded Kaspersky Rescue Disk for the other computers and was running it on that one. It booted fine. I set it to scan the C drive (hard drive). It saw the hard drive as D. It scanned a couple of hours, getting about halfway through, and froze. I restarted it. It ran a couple of hours, making it a little further, and froze again. Then it wouldn't boot so I shut it down.

We have been watching our financial accounts and changing passwords. Nothing sinister so far. We didn't have firewalls, don't allow file sharing and were running Avast free edition. It worked up until now. Using wireless I see 2 to 4 networks with no security at all so there are worse than me.

I realize all concerned are anxious to get to the bottom of this. Unfortunately, my time has limits. This may take a while.

Thanks as always

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#18 Post by obxjerry »

Sorry, double post.

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#19 Post by amigo »

You need to 'burn' the floppy using 'dd', not simply copy the file to the floppy.

dd if=floppy.img of=/dev/fd0 bs=512

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

creating floppy from image file

#20 Post by prehistoric »

What amigo means is that, under Linux, you need to open a terminal (as root) and use the command:

    dd if=floppy.img of=/dev/fd0 bs=512

to create the SBM boot floppy. On most systems the block size defaults to 512 anyway.

We're assuming you extracted the img file from the zip archive first.

You want to be careful with dd because it will do exactly what you tell it, even if you tell it to destroy a hard-drive filesystem. It writes to the raw device.

If you have a W*****s system running, you can create the boot floppy by downloading and running an exe file which does the writing for you.

Your copy operation merely placed data inside an existing file system on the floppy. It did not create the parts of the file system needed to make a bootable diskette.

Once you get a bootable floppy, you will need to learn a little bit about the program. Exactly what you do with it will depend on exactly what configuration you have, and which things are working. Learning to do this in a situation like yours is awkward. It is much easier to learn on a system without serious problems before you venture into unfamiliar territory.
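The dd recipe from the posts above, worked into a small script as an added example (this is not code from the thread, from the SBM project or from any of the posters): before anything touches the raw device it checks that the download really is a raw floppy image, since copying a zip archive or an exe onto the disk was the mistake made earlier in this thread, then it writes the image with dd exactly as shown and reads the sectors back to confirm the write. The file and device names are placeholders; on a real machine the device is /dev/fd0, the command is run as root, and dd will overwrite whatever device you name, so check it twice.

```shell
#!/bin/sh
# Added example, not from the original thread: write a raw floppy image with dd
# the way amigo and prehistoric describe, after checking it is really an image,
# and verify the result by reading it back.  Needs only POSIX sh, dd, od, cmp.

FLOPPY_1440=1474560   # bytes on a 1.44 MB diskette: 2880 sectors of 512 bytes

# Return 0 if $1 looks like a raw floppy image that a BIOS could boot:
#  - size is a whole number of 512-byte sectors and fits on a 1.44 MB disk,
#  - the first sector ends in the 0x55 0xAA boot signature the BIOS checks.
# A .zip or .exe download, or a floppy onto which the file was merely copied,
# fails this test, which is exactly the mistake made earlier in the thread.
is_floppy_image() {
    img=$1
    [ -f "$img" ] || return 1
    size=$(wc -c < "$img" | tr -d ' ')
    [ "$size" -gt 0 ] || return 1
    [ $((size % 512)) -eq 0 ] || return 1
    [ "$size" -le "$FLOPPY_1440" ] || return 1
    sig=$(dd if="$img" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Write image $1 to device $2 (e.g. /dev/fd0; must be run as root) and compare
# what comes back from the device with the image.  Refuses to touch the device
# when $1 is not a raw image, so a stray .exe never reaches the raw device.
# dd writes to the raw device and will just as happily overwrite a hard disk,
# so the caller is responsible for passing the right device name.
write_floppy() {
    img=$1
    dev=$2
    if ! is_floppy_image "$img"; then
        echo "refusing to write: $img is not a raw floppy image" >&2
        return 2
    fi
    dd if="$img" of="$dev" bs=512 2>/dev/null || return 3
    sync                     # flush the kernel's write cache before reading back
    size=$(wc -c < "$img" | tr -d ' ')
    # Read back exactly the sectors written (the disk may be larger than the
    # image) and compare them byte for byte with the source image.
    dd if="$dev" bs=512 count=$((size / 512)) 2>/dev/null | cmp -s - "$img"
}

# Build a constructed 1.44 MB image at $1 for trying the script out without a
# real download: all zeros except the 0x55 0xAA signature at bytes 510-511.
# It is not bootable code, only enough to pass the format check above.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=2880 2>/dev/null || return 1
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Usage: sh write_floppy.sh sbm.img /dev/fd0
if [ "$#" -eq 2 ]; then
    write_floppy "$1" "$2" && echo "wrote and verified $1 on $2"
fi
```

The read-back compare is the part worth keeping even when you use rawrite or a Windows tool instead of dd: a floppy that was written but fails the compare is a bad diskette, not a BIOS problem, and that distinction matters when the machine is already misbehaving.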

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#21 Post by Aitch »

obxjerry

I realise you're getting a lot of advice, but I think we all understand the principles we are trying to convey.

If you aren't able to get a Linux running to do a dd from the console, but have a boot floppy that will get you to DOS, try rawrite2:

http://www.fdos.org/ripcord/rawrite/rawrite2.exe

Or, if you can only get a windoze setup running, try rawwritewin, which will need unzipping before use:

http://www.fdos.org/ripcord/rawrite/rawwritewin-0.7.zip

More info on Smart Boot Manager here:

http://linux.simple.be/tools/sbm

I found this SBM image more reliable than the one at SourceForge, but can't explain it.
Writing an image to floppy is like burning a CD ISO: you don't just copy files to the floppy, as the all-important boot info will not be installed and it won't work.

SBM will enable you to boot from any device, though I'm puzzled that you confusingly say,

    CMOS lists IDE primary master as Maxtor 2RO10 H1 and IDE secondary master as CD-ROM 52x/AKH. In BIOS sequence they're HDD and CD-ROM.

and later,

    I don't have 3 opticals connected. In my desperation to get the CD drive to boot I made it first, second and third on the boot sequence. Of course that didn't help.

For preference, if possible, 1st floppy, then CD, then HDD is a simple sequence for you to use, but SBM will overcome even BIOS problem device booting.

And I hope you're remembering to save settings in BIOS?

Simple to overlook the obvious when you're a bit flummoxed.

Good Luck

Aitch :)

out_fisherman
Posts: 17
Joined: Tue 06 Oct 2009, 05:19

One more thing....

#22 Post by out_fisherman »

obxjerry -

Seems obvious, yet might get overlooked... after following the advice on HOW to write a boot disk, be SURE to set the little write-protect tab on the diskette before you put it into ANY machine. This in fact is hardware write-protect, which no virus can get around, as it is 'AND-ed' with the "write" signal line within the floppy drive. If you don't do this, the virus might instantly infect the floppy as well. It might well make the boot sequence crash (because they can't "get you"), but then you will have another clue. (If in fact your BIOS is corrupt, it may try to copy itself to any drive it detects which is WRITEABLE, like the floppy.) Not being able to write the floppy may be a condition the virus-writers didn't plan for, resulting in a crash. Just my $.02.

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#23 Post by obxjerry »

Bootable disks are not something I do a lot. I do have an XP laptop with a floppy drive. Am I right in thinking I can open the .exe file I downloaded and burn that to floppy? Or do I need to burn an image? The manual makes it sound much more entailed than that.

The hard drive is the Maxtor. It has XP on it. I'm thinking my tool of choice is Puppy on the CD. I can set boot sequence any way I want and get out of BIOS, go back in to BIOS and it's still the way I set it. The CD-ROM 52x/AKH, I'm thinking is my only optical drive. I said, I want it, I want it, I want it. It doesn't make sense but I did it. Floppy will boot (if it has a bootable disk) unless it is not in the boot sequence AND check for 40 or 80 lines is disabled.

Write protecting the floppies is something I thought of. At 40 cents apiece I don't know that I would take any chances.

out_fisherman
Posts: 17
Joined: Tue 06 Oct 2009, 05:19

Wacked...

#24 Post by out_fisherman »

Concern over topic-for-forum here, but with my background I can't help it... to moderators, I apologize...

obxjerry

It can get confusing swapping drives around from one machine to another, and STRAPPING MATTERS. You have 2 IDE channels, each with a MASTER and a SLAVE scheme. Pulling a CD out of machine X, where it is strapped as 'master', and putting it into a machine where it is the second drive on the same channel as the main HDD won't work; your main HDD is (and should be) "master". I hope I'm not being condescending here, but we all get confused once in a while. Best bet for CD drives is "cable select"; then it will attach itself to the proper port (provided your main HDD is NOT strapped 'cable-select'). I always strap my HDD as 'master'.

Now for your XP laptop: if you can write a bootable floppy with it (and this PC is not infected), go for it. I don't know what .exe file you have, but XP can write you a bootable floppy easily. It has been a while for me with XP, but I know the option is out there... under system tools, I think. Once you get that floppy, set the write-protect tab right away. There is no reason any program needs to write to it. If you can boot from it, you will wind up at a screen which looks like:

A:\

Type "C:\"

If you can get there, then you need to know a few DOS commands to get your data off the drive and transfer it to somewhere else, using the DOS copy command. At this point you may/may not be able to access the place/drive you want to transfer data to. From here on it may get complicated, and like I said before... I would just FDISK the thing, install some flavor of Linux, and sleep well.

I would be very interested to find out the resolution here, as this seems to be a very nasty virus. Having fixed computer motherboards for several years, I am familiar with the failure modes, but this doesn't fit any of the symptoms I can remember. Keep us posted...

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#25 Post by obxjerry »

out_fisherman, thanks for your interest and help. I am assuming the drive swapping you are talking about is when and if I get to removing hard drives and putting them in another computer.

So far, with the startup disks I have, typing from the A prompt [letter]:\ gets me "invalid drive specification". Hopefully when I have a working SBM disk I'll get somewhere.

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#26 Post by Aitch »

obxjerry

See my previous post, which explains SBM writing to floppy. It should NOT be an exe, but an image,

unless they've changed things on the SourceForge site

...but the link to SBM that I gave is an image, which has to be written as a bootable image to floppy with either of the utilities (rawrite2 in DOS or rawwritewin in windoze), or the dd command in Linux.

I don't quite understand why mention is made of the CD drive replacement, but if you are simply exchanging one CD drive for another, to see if it will boot, then, since yours is already master, it is on a separate cable to the hard drive, so it won't matter if the replacement is set to master or slave.

Visual guide, should you need it:

http://www.helpwithpcs.com/upgrading/in ... corder.htm

For now, getting an SBM boot disk working is a good start.

Aitch :)

out_fisherman
Posts: 17
Joined: Tue 06 Oct 2009, 05:19

Drives....

#27 Post by out_fisherman »

obxjerry-

Drive-swapping... No, your assumption is wrong. CD drives, as well as hard-disk drives, have a strapping option on their backside, right by the place where the cable plugs in. Often it will look exactly like the strapping options of a hard drive. You might see things like "MS SL CS" or the like, which stand for Master, Slave, Cable Select. I'll try to lay it out here: you have 2 channels, each of which has a Master and a Slave. Logically, it looks like this:

Primary
- Master
- Slave
Secondary
- Master
- Slave

Rules: you cannot have 2 drives (either HDD or CD-ROM) strapped as the same level on any channel. You CAN have both strapped to Master IF they are on different channels (i.e. one on Primary, one on Secondary). How to tell? Each channel is on a separate CABLE. If your computer has only ONE big, fat cable from the motherboard to the drives, then you must strap the drives for a Master/Slave combination, OR add another cable to the motherboard, if you have this option. In this day of cheaper-is-better, I wouldn't be surprised to see motherboard MFRs just omit the second IDE channel. Oh well, what can you do? Just keep in mind the idea that you have 4 possible combinations, 2 for each of 2 channels. I hope I have helped... somehow.

out_fisherman
Posts: 17
Joined: Tue 06 Oct 2009, 05:19

Sorry Aitch - -

#28 Post by out_fisherman »

I guess I was composing while you were responding; didn't mean to walk on you...

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

a blast from the past?

#29 Post by prehistoric »

We've had some confusion about all the advice, and I may have contributed some. What I was talking about with the exe file was, if he used a W*****s machine to create the boot floppy, he could download an exe file designed to create a boot floppy on such a machine. In this case, he can avoid CLI commands. Though, under Linux the command is very simple, as amigo showed.

Another approach here, since our friend is familiar with Puppy, would be to avoid the W*****s world as much as possible, and boot Puppy on CD, or USB drive, using a wakepup2 floppy. I've used this on machines where the BIOS didn't cooperate with me, but I've never tried it when the BIOS has been clobbered. Does wakepup2 need anything from the BIOS beyond the ability to boot from floppy?

I am now thinking this malware is "a blast from the past". There was a similar thing over a decade ago which was spread by transferring floppies from one machine to another -- which rarely happens with new machines. Having both the hard drive and CD boot routines clobbered in the BIOS, while still being able to boot from floppy, makes sense if the virus needs the floppy to reproduce itself. We could have the original floppy virus resurfacing, or we could be seeing old malware as the "payload" of recent malware, which normally spreads over the Internet.

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#30 Post by obxjerry »

Just to check in. I am engaging in Einstein's definition of insanity, "doing the same thing over and over and expecting a different outcome" i.e. fiddling with the one computer. I'm looking online for reports of viruses similar to the one I have. I'm researching use of SBM. I'm trying to wrap my head around strapping and what has raised a red flag concerning that.

I do reread the posts here and things do sink in the eighth or ninth time I read them. Sorry Aitch, I blew by your SBM advice the first few times. Rawrite, RawWrite and I have met before and we ain't friends. Maybe this time will be better.

I have always used InfraReader to burn image disks. It is on one of the unusable computers. I couldn't remember the name so that took some searching on the web. I don't see that it burns floppies. No help there.

Computers I have up and running; I have a laptop with a CD drive (not CD-R), no floppy. It is running Puppy and 98se. It had been in the closet for years until Puppy brought it back to use.

I have a laptop with a CD drive (not CD-R) and a floppy drive. It is running XP Pro. I paid $50 for it less than 2 weeks ago. It's fine couch surfing but pushed too hard the processor gets hot and it freezes. I have some Arctic Silver 5 and have improved it but I doubt I can boot Puppy yet.

I can't swap the floppy drive to the other laptop. Both have USB ports and I do have an uninfected flash drive.

I did find this: http://www.pcguide.com/vb/showthread.php?t=41498 It's an old post by Sylvander on how to compile an SBM bootable floppy. That's a possible path if RawWrite doesn't work for me.

On the plus side we've seen no indications any info has been mined from our computers.

I'm multitasking as I write this. Something I don't do well so I'm sure there are things I'm leaving out.

Take care

RetroTechGuy
Posts: 2947
Joined: Tue 15 Dec 2009, 17:20
Location: USA

#31 Post by RetroTechGuy »

snowshaker wrote: If you got pics and stuff on the old drives, get a $20 USB enclosure and mount the drive. Then read it with another machine and save off what you need. Caution. Don't use a Windows PC. Boot up Puppy or Linux or use a Mac. If the drive has an autorun.inf virus, it will jump right onto your good Windows PC. Maybe that's what happened to you already?

I have a couple of these, and am quite happy with them:

http://www.newegg.com/Product/Product.a ... 6812119152

(Note that these devices generally want the drive jumpered as "slave".)

As for viruses spreading via RAM sticks, that's just urban legend. RAM loses its data when powered down. Though by USB stick is a different matter...

Maybe your article was speaking of the BIOS memory. If you could stick a virus in there, it stays with the chip. What could it do? Well, I have read where one guy claimed his BIOS shows his picture when the PC boots, so that could be one way for a virus to keep you from booting into CD.

More likely, though, you just have a bad CD drive, given that its tray was stuck. And by pulling the HDD, you can eliminate faulty hardware as the access issue.

If you have Puppy running (e.g. a pupsave on a USB and a live boot CD), I put together this collection of links to make the latest ClamAV run on Puppy 4.3.1 (again...sorry...I haven't played with building .pets yet -- just run each of the Debian .deb files, and ClamAV will work -- I haven't tested this on older Puppy versions, but it's likely to work there as well)

http://murga-linux.com/puppy/viewtopic.php?t=53171

However, while you have the drive mounted (perhaps even before scanning for viruses), copy all the personal files off. There is always a chance that a scan will stress the hardware enough to kill the drive, if it's weak.

If you have XP on the drive, your files are _likely_ to all be buried under "Documents and Settings".
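The autorun.inf warning in the post above, as an added example that is not from the thread or from any project mentioned in it: with the old drive in its USB enclosure and mounted read-only on a Linux box (Puppy included), the script below finds an autorun.inf in the root of the volume and lists the keys Windows would have acted on when the drive was plugged in, without running anything from the drive. The mount point, the sample AUTORUN.INF and its contents are constructed for illustration; the mount flags are standard Linux mount options.

```shell
#!/bin/sh
# Added example, not from the original thread: see what a drive's autorun.inf
# would have launched on a Windows PC, from a Linux box that only reads the
# volume.  Sample data is constructed; the mount point is an assumption.

# Mount a suspect drive read-only with nothing on it executable (run as root).
# Example: mount_suspect_ro /dev/sdb1 /mnt/suspect
mount_suspect_ro() {
    mkdir -p "$2" && mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# Print the launcher keys from the autorun.inf file $1:
#   open=...              program Windows runs when the drive is inserted
#   shellexecute=...      file or URL passed to ShellExecute
#   shell\name\command=   program behind a context-menu entry or default action
# INI keys are matched case-insensitively and leading whitespace is ignored,
# as Windows does; CRLF line endings are stripped.  Returns 0 if any were found.
autorun_launchers() {
    inf=$1
    [ -f "$inf" ] || return 1
    tr -d '\r' < "$inf" | sed 's/^[[:space:]]*//' \
        | grep -i -E '^(open|shellexecute|shell\\[^=]*\\command)[[:space:]]*='
}

# Check the root of a mounted volume $1 for autorun.inf (any letter case, as a
# FAT or NTFS volume may present it) and report its launcher keys.
# Returns 0 if an autorun.inf with launcher keys was found, 1 otherwise.
check_drive_autorun() {
    mnt=$1
    found=1
    for f in "$mnt"/*; do
        case $(basename "$f" | tr 'A-Z' 'a-z') in
            autorun.inf)
                echo "== $f"
                if autorun_launchers "$f"; then found=0; fi
                ;;
        esac
    done
    return $found
}

# Write a constructed AUTORUN.INF (CRLF, mixed case, one non-launcher key) into
# directory $1 so the check can be tried without a real infected drive.
make_sample_volume() {
    mkdir -p "$1" || return 1
    printf '[AutoRun]\r\nOPEN=data\\install.exe /quiet\r\nicon=data\\disk.ico\r\n  ShellExecute=start.html\r\nshell\\Explore\\command=data\\install.exe /e\r\n' \
        > "$1/AUTORUN.INF"
}

# Usage: sh autorun_check.sh /mnt/suspect
if [ "$#" -eq 1 ]; then
    if check_drive_autorun "$1"; then
        echo "autorun.inf present; do not open this drive on a Windows PC"
    else
        echo "no autorun.inf launcher keys found"
    fi
fi
```

Run the check before copying anything off: the paths in the open= and shell\...\command= lines tell you which files on the drive to leave behind (and to hand to the scanner), and the ro,noexec mount means nothing on the drive can run on the rescue machine even by accident.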

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

creating boot floppy automatically

#32 Post by prehistoric »

obxjerry wrote:...I have a laptop with a CD drive (not CD-R) and a floppy drive. It is running XP Pro. I paid $50 for it less than 2 weeks ago. It's fine couch surfing but pushed too hard the processor gets hot and it freezes. I have some Arctic Silver 5 and have improved it but I doubt I can boot Puppy yet...
Blast it, Jerry! If you have a machine with a floppy drive running XP Pro, you only need to download the exe file for a program which creates boot disks, run it, and follow instructions. You need not wrestle with rawwrite.

If I get a chance to test it, I'll put a floppy image file in a self-extracting archive program designed to write floppies (sfx144), and upload it. My problem at the moment is that I have a bunch of machines either without W*****s or without floppy drives.

If anyone else has a link to a neatly-packaged boot floppy image, they can post it here. It would also be nice to have a Puppy boot floppy in a self-extracting program which writes floppy images, then no nooby ever has to deal with rawrite directly to get Puppy running.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#33 Post by Sylvander »

1. "Blast it, Jerry! If you have a machine with a floppy drive running XP Pro, you only need to download the exe file for a program which creates boot disks, run it, and follow instructions."
Yep, that's how I did it.
It was REALLY EASY to do.
Just downloaded sbm.exe whilst working within Windows [2000Pro]...
Then [once the download was complete] right-clicked on the file and chose "Open"...
Whilst there was a formatted floppy in the FDD...
And the EXE program created the bootable SBM floppy disk. :D

obxjerry
Posts: 390
Joined: Fri 29 Jan 2010, 22:34
Location: Louisville, Kentucky

#34 Post by obxjerry »

:D :D :D :D :D Thanks folks. I have it and it boots. I had the exe file on my computer so I was half way done before I started. A few easy clicks and I was there. Best part, no RawWrite.

Sorry I didn't show all my cards sooner.

I'll keep you posted.

Thanks so much,
Jerry

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#35 Post by Aitch »

obxjerry

    Sorry I didn't show all my cards sooner.

Some people like complicated.

Others, like me, prefer easy.

Glad you got there in the end :D

Aitch :)
