I need virus help

WhiteMountains · Post by **WhiteMountains** » Thu May 01, 2003 11:02 am

Ive been working on a virus for over a month now and its got me totally stumped. Can neone direct me to a good online link for some help? This thing has killed 2 of my pc's w/out removable bios and 2 bio chips on this pc. I need help FAST. Or maybe someone here can offer a little help? Heres some of my facts;
1. When I start my pc the virus starts a bios thru my video card before my award bios info comes up on the screen.
2. I cannot format it out because it has write protected itself.
3. Numerous Dos and windows virus scanners cannot find it.
4. Not sure but I have a feeling that its running a clone of my OS.
5. I think the virus is living in 3 folders, my reasoning is that when delete 1 of 3 folders i cannot because its in use by another folder. (an endless loop thing)
6. I tried to run a disk manager program in dos that opened with bm.bat and everytime I tried typing it in my keyboard would type bm.exe and bad command.
7. My device man shows pnp bios,bios extension board and its also showing compatability mode paging and MS-DOS compatability mode.

If neone can help at all I would be deeply appreciative.

Norm · Post by **Norm** » Thu May 01, 2003 11:31 am

1. When I start my pc the virus starts a bios thru my video card before my award bios info comes up on the screen.
- Video card bios posts before mobo bios, that's normal.

2. I cannot format it out because it has write protected itself.
- clear CMOS using the jumper (see your mobo manual), use a boot floppy to fdisk (remove the Primary Partition, then recreate it, and reboot and format it) all from the boot floppy. And make the boot floppy on a machine that is not infected.

5. I think the virus is living in 3 folders, my reasoning is that when delete 1 of 3 folders i cannot because its in use by another folder. (an endless loop thing)
- Again, use a boot floppy so you are working independant of the system on C:, and delete those folders using the deltree command in Dos (deltree.exe is in C:\windows\command folder. Copy it to the boot floppy. Again, use an uninfected system to do this.

If you continue to have this problem after doing the above, let me know and I'll email you a file that will wipe out your master boot record, and your bootsector so you can start fresh.

Note, fdisk, and format will erase all data on the drive.

WhiteMountains · Post by **WhiteMountains** » Thu May 01, 2003 11:39 am

It may be a day bfore I get back I've got to find someone w/a clean machine.

but I thank you in advance.

Norm · Post by **Norm** » Thu May 01, 2003 11:44 am

Good luck

I will be in and out as I service some clients today and tommorow. I'll keep an eye on this thread as time permits.

Norm · Post by **Norm** » Thu May 01, 2003 12:35 pm

In case you look in here again....

I reread your first post and believe your problem may be fixed by just formatting your drive. If you were trying to format it from Dos mode, instead of a floppy boot disk, that's why it wouldn't format for you.

Try doing just a format from the boot floppy, and disregard the rest of my above post, unless the formatting doesn't help.

If you have an old 98 startup disk around that hasn't been on your system in a while it may not be infected.

ghettoside · Post by **ghettoside** » Thu May 01, 2003 9:03 pm

I would do one more thing than Norm: First wipe the drive in dos (using clean boot disk as Norm said)
type 'wipe 0' at the prompt.
then partition and format.
I also have a dos utility that will wipe out the mbr, in case you need it before Norm gets back.

Post by **YeOldeStonecat** » Fri May 02, 2003 4:53 am

Originally posted by ghettoside

I also have a dos utility that will wipe out the mbr, in case you need it before Norm gets back.

You can do that with FDISK right off a bootable floppy...

FDISK /MBR

Post by **YeOldeStonecat** » Fri May 02, 2003 4:53 am

Originally posted by ghettoside

I also have a dos utility that will wipe out the mbr, in case you need it before Norm gets back.

You can do that with FDISK right off a bootable floppy...

FDISK /MBR

Post by **YeOldeStonecat** » Fri May 02, 2003 4:53 am

Originally posted by ghettoside

I also have a dos utility that will wipe out the mbr, in case you need it before Norm gets back.

You can do that with FDISK right off a bootable floppy...

FDISK /MBR

TonyT · Post by **TonyT** » Fri May 02, 2003 7:30 am

SO NOT FORGET TO MAKE THE FLOPPY WRITE PROTECTED!!!!!!

I recently cleaned up a a friend's machine, partitioned it and reformatted, then loaded win2K on it. I had a custom boot disk I made, with all needed utilities, including smartdrive, which is not put on a boot floppy when making it inn win98.

I had forgot to write protect the floppy (actually I accidentally flipped the switch when loading the disk) and the virus on the box wrote to it, trashing it as I was attempting to fdisk! Luckily, the owner had a good boot disk, but without smartdrv on it. Took about 2 hrs to fdisk and format the 40GB drive!

ghettoside · Post by **ghettoside** » Fri May 02, 2003 11:28 am

echo
echo
echo

as far as I know, when you use fdisk to delete a partition, then format, those utilites do not really wipe the drive, the previous data is still recoverable until every cluster on the drive has been overwritten.
that's why I recommended using wipe first. did a comp with a virus once that after using fdisk to delete partition, on repartition, verify drive integrity hung at 41%, went back to 0, then hung at 76%, went to 0, then hung at 83%, went back to 0, then finally completed. wtf, so tried it again, got hangs again, then did wipe. then fdisk partition verify ran smooth.
the utility I have is supposed to be more powerful than fdisk & format, really wipes the drive, more so than wipe command, and the fdisk switch to erase the mbr isn't going to make fdisk any more powerful.
I thought that's why Norm mentioned his file and not the fdisk switch, but maybe I thought I saw a puddy cat too....
Norm???

ghettoside · Post by **ghettoside** » Fri May 02, 2003 11:34 pm

Ooops! I goofed.
I use a custom boot disk I made several years ago, started thinking about it, just made a win98Se startup disk and wipe isn't on it (nor is format for some reason). I remembered that I downloaded wipe, so what I have is: wipe, to overwrite entire HD; Zap, to overwrite first 128 logical blocks on HD; and one other downloaded that's supposed to be more powerful (I don't know about that, never needed yet). believe I downloaded that one from wilders, not sure. maybe wipe or zap is what the dos master was going to send.

Norm · Post by **Norm** » Fri May 02, 2003 11:53 pm

From my experience fdisk /mbr does NOT always rewrite the mbr. If fdisk sees the mbr as good, it won't rewrite it. I've ran into problems on machines where the partitions were not removed in the proper order, leaving some behind intact, and fdisk couldn't fix the problem.

The file I have was made by a friend. It's a bunch of Dos debug commands for wiping the mbr, and bootsector completely (freeing up any old partitions of any type). Not the entire drive.

The file is a .com file, but was made from debug machine code commands.

If anyone wants it, I'll put it up, and send you a link privately through PM's. It's a deadly file in the wrong hands, and I want no responsiblity for it's use.

Also, if you do Download it, your anti virus will probably see it as a virus. AVG sees it as the "silly T virus. I guess since it wipes the mbr it is marked as a virus, I don't know. But it works everytime and does it's job well.

Shinobi · Post by **Shinobi** » Sat May 03, 2003 12:03 am

If all else fails...
I would go to your hard drive vendor, and try to find a
"low level" formating utility, this way, it will take out the hard drive partitions, and anything else.

Make sure that there are no viruses on the floppy disks that you are using! you might be re-infecting your computer that way.

Good Luck,
Shinobi

ghettoside · Post by **ghettoside** » Sat May 03, 2003 12:10 am

I'll take a copy of that file.
also question for the dos master:
after I run wipe, when I partition drive, and if I create an extended part, I then have to set active partition to make HD bootable. I know its probably silly question , but does that mean the mbr and entire boot sector been's wiped out?
thanks Norm.

Norm · Post by **Norm** » Sat May 03, 2003 12:25 am

Originally posted by ghettoside
I'll take a copy of that file.
also question for the dos master:
after I run wipe, when I partition drive, and if I create an extended part, I then have to set active partition to make HD bootable. I know its probably silly question , but does that mean the mbr and entire boot sector been's wiped out?
thanks Norm.

Not sure what you mean. But if you mean is the bootsector, and mbr stay wiped out after you create your partitions, NO. Fdisk rewrites the mbr when you create the partitions, without even using the /mbr switch

fdisk looks at the mbr, and if it sees it missing, or corrupted it will rewrite it. But if it sees it as good, even if it's not quite right as far you are concerned, it will leave it alone.

Does that answer your question?

ghettoside · Post by **ghettoside** » Sat May 03, 2003 1:10 am

what I meant was: when fdisk prompts me to set active partition or drive will not be bootable until doing that, does that mean that my wipe utility erased the old boot sector?
this question depends on your answer to first question. is there any way to know if old boot sector was wiped out, or if fdisk didn't recreate it?
received the boot wiper file too.
thanks.

Norm · Post by **Norm** » Sat May 03, 2003 1:30 am

1. Honestly, I'm not sure, since I always delete the partitions before any formatting. I 'think' that the mbr gets wiped out when you remove the primary partition.

2. There is a way, but it means you'd have to have backed it up, and then compare the before and after of what is in that sector. Not easy, and really not worth the effort IMHO.

http://www.killdisk.com/

There is a nice Dos tool (free) there for wiping the entire drive.

Shinobi · Post by **Shinobi** » Sat May 03, 2003 1:49 am

Active@ KillDisk conforms to US Department of Defense clearing and sanitizing standard DoD 5220.22-M. You can be sure that once you clean up with Active@ KillDisk, sensitive information is purged out forever.

Impressive, very impressive.

Shinobi

ghettoside · Post by **ghettoside** » Sat May 03, 2003 1:57 am

me too, used to delete partitions before format, now am in habit of deleting parts, then wipe, then fdisk and format.
thanks for the other link.

Norm · Post by **Norm** » Sat May 03, 2003 1:57 am

Originally posted by Shinobi
Impressive, very impressive.

Shinobi

Only the pro version is "US Department of Defense clearing and sanitizing standard DoD 5220.22-M."

But if you run the free version about 7 times, it is the same thing (I think)

ghettoside · Post by **ghettoside** » Sat May 03, 2003 1:59 am

i noticed that too. can't afford the pro, so I'll try it 7 times next time I need it. lol

WhiteMountains · Post by **WhiteMountains** » Fri May 09, 2003 6:14 pm

I think ill give kill disk a try, I tried max blast and wrote O's to the disk,then formatted but no luck. BTW, I also ruined 2 others PC's with virused floppies but im almost positive I had them write protected,but on those particular boxes I found a new line in the bios "write to floppy=enabled". Is this possible?