Well, it took almost 20 years but it finally happened. It's
amazing what a small batch file (maybe not so small - it has
vaporized... read on) can do.
Those bored with my gargantuan posts can just skim over most of
it (please read the SUMMARY paragraphs), but I would really
appreciate specific answers to the four numbered questions, as
well as general advice. (My KF is disabled, so go for it,
denizens of aforementioned ;-)
Using Compaq EVO-D510 SFF. One 80GB HD, one CD burner, a riser
card with two horizontal PCI slots, and (re: a post from a
couple of months ago) the Compaq BIOS does not allow for more
than one device per IDE channel, I checked - relevance below.
I was running 98SELite, as always, using Opera, on two or three
sites requiring javascript etc. - otherwise I would have been
using OffByOne and this /probably/ would NOT have happened.
The firewall was on, of course, but the ESET internet
monitor/file monitor were /not/, as I do not believe that is
REALLY necessary - I /may/ have to reconsider that position ;-[
Script sentry was on, but it does nothing with batch files, just
scripts of all kinds. And it works great.
>>>SUMMARY (2 paragraphs)
So, everything was fine, when all of a sudden my mouse and
keyboard became possessed.
Basically, it was like the left and right mouse buttons and Ctrl
and Alt keys were being randomly activated, FAST. I turned off
the ADSL modem, and ran TaskInfo. There was a batch file in my
temp (either c:\temp or C:\win\temp) directory which was NOT
supposed to be there. It was running. I shut down the machine. I
can't remember the file's exact name, but it was short, 5 or so
letters, no weird numbers or figures.
Boring (yet important if you don't want to ask about stuff I
*already DID*) details:
When I restarted, the same thing was happening. (And it remains
the current situation, although one might say the virus is /less
active/ than it was (as if it had a built-in downward slope).)
But the machine is unusable, plus, while the virus appears
fairly non-malignant, just annoying (ALL user control is NOT
affected, you just have to click and move the mouse a lot - and
fast, to get in between the virus activity bursts) - who knows
what it will do next? So far my data appears intact [AOT the
system] but FUD are definitely having a big party at the lair of
thanatoid at the moment.
So after the reboot, I ran TaskInfo again - no batch file
running.
I searched for batch files on the C: drive and only found the
few I wrote myself and have always had. /Nothing new./
I ran Restoration (still the only undelete program that is not
5-20 MB and actually works BETTER than any of /those/),
searching for a bat file, nothing. I thought the file might have
deleted itself after doing whatever it was supposed to do. It
must have, since it is NOWHERE to be found, deleted or present.
I rebooted, deleted the swap file in DOS, and rebooted again.
Virus still active.
I thought, OK, I'll reboot to XP - XP should be OK, right? Same
thing. Then I realized XP reads several files on C. Then I tried
to boot Damn Small Linux into memory, it would not (I /have/
successfully run it in the past).
I went back to 98, and, since I just happened to update the ESET
NOD32 signatures a couple of hours earlier, I ran it. The virus
seemed to be paused by ESET running, but while ESET scans boot
sectors and all memory, as well as everything else, it found
nothing.
I went back to XP and ran MalwareBytes Anti-Malware (or whatever
it's called - I only see 8.3 names now...) - nothing on either
C: or the XP partition. While running MBAM, virus activity
appeared to pause as well.
To make a long story a /little/ shorter, I removed the battery,
cleared the CMOS (several times, different hard- and soft-
methods), first restored an old saved MBR, then (when that did
not help) created a new MBR, and finally restored an Acronis
image after moving current C: data to another partition.
I should mention that the virus /appears/ inactive in DOS. Well,
who knows - but nothing weird /seems/ to be happening AFAICT.
Well, when the restored Acronis image (which I believe contains
the MBR in the first sector - I am extremely ignorant about some
basics) exhibited exactly the same behavior, I started thinking
WHAT the damn thing could have infected ELSEWHERE than the HD...
Unless it is hidden /somewhere/ and ****s up the MBR every time
I boot - I don't know much about viruses and what they are
capable of.
I tried Damn Small Linux again - this time it DID boot and ran
in memory...
Get ready for this...
Sigh...
DSL /appeared to exhibit/ - although to a CONSIDERABLY smaller
degree - a little of the SAME behavior - a DOS-like window
(whatever they're called in Linux) would highlight some lines of
the window depending on mouse movement, and I /think/ a menu or
two popped up without any clicking on my part. And the mouse
appeared to be malfunctioning. (OTOH, having only run DSL a
couple of times before, and for a VERY short period of time, and
already being in a somewhat altered state of mind, my perception
/may/ have been mistaken - I don't know.)
So...
Having never had to deal with this kind of thing before (I got a
virus in a POP email once, but it could not do anything, maybe
because I had all scripting disabled at the time - it was hell
to remove though), I thought the following:
>>>QUESTION 1. It could not have messed up the processor -
first, I do not believe that is /possible/, second, DOS seems to
run fine.
>>>QUESTION 2. AFAIK, the level1 and level2 caches clear upon a
reboot, just like RAM does. I considered whether a batch file
could alter properties of RAM and stay in it ANYWAY, but I do
NOT believe that is possible. Also, there are NO RAM cleaning
utilities on the Hiren's disk which would lead me to believe RAM
is irrelevant as long as one reboots.
>>>QUESTION 3. Since I wiped the CMOS/BIOS (I still do NOT
understand the difference between them, although some people
have tried to explain to me), and have restored (a few times)
and then /written/ a new MBR, PLUS restored a perfect Acronis C:
image, I have NO idea where this damn thing is living.
I have the option of removing the CD burner, deleting all the
root files on the /current/ booting 80GB drive ("drive Z") using
XTreeGold, putting drive Z on the CD drive's IDE channel, and
putting in my old 40GB ("drive X") on the other - booting - IDE
channel. (I believe I don't have to physically move the Z drive,
just deleting all c:\root files will make the machine boot from
the X drive, but just in case...)
BUT - since what is happening is quite inexplicable, I am afraid
of contaminating my X drive. If the virus /is/ somewhere on the
Z drive, and neither ESET nor AntiMalware can find it, I would
imagine it is quite capable of infecting the X drive even if the
computer boots from the X drive and the virus is somewhere on Z
which one would /think/ would then just contain data - and a
disabled OS (well, two disabled OS's 98SELite and XPSP3).
Further infection /might not happen/ if I just use a LFN utility
in DOS and copy stuff to the other HD, or copy to Flash drives
using a DOS USB driver from Hiren's, but then again it MIGHT.
IOW - ATM I am afraid to put the X drive on the other IDE
channel or use Flash sticks.
No one likes this kind of stuff, even I am no exception... I am
VERY seriously considering running BeOS/Haiku or some Linux [for
all internet access, but ultimately for everything, possibly]
from a flash stick (fortunately, my BIOS allows booting from a
USB device) but ATM I am not putting /anything/ in the possessed
computer.
[Although - apart from the indignity and misery of being screwed
and humbled in my arrogance - I have really enjoyed being
internet-free for a few days... Do y'all think internet use
might be addictive? ;-#)
(I spent an enjoyable 6 hours destroying a fourth old phone in
two years while trying to fix it. Soldering isn't as easy at 55
as it was at 25... But getting soldering iron /burns/ sure is...
Fortunately I know about the "run for the freezer and press the
burn against something at -18° Celsius" instant cure.)]
But I digress...
I have /heard/ of viruses which resulted in "the entire computer
going in the trash" but I am not ready to accept that - although
I might /have/ to accept it /eventually/.
>>>QUESTION 4:
IF the infected computer /is/ history, and I build a new one and
using a Linux version which can read FAT32 Windows partitions,
copy various standard format data from the infected HD into
Linux - I am risk free, aren't I?
I am sorry this was so long but I thought I might as well
provide ALL the information I could think of.
I am writing this on my trusty 1997-built PI 166MHz running 95B
and sending it via a 33.6 modem.
I will do some Googling and look around some security sites but
I thought I might as well humbly ask for suggestions.
IOW...
P L E A S E H E L P!
--
You know, that viruses never really sleep
And that hackers never blink their eyes
And that, you know, cats are the only ones who blush
And that the ****in' web... is just to die
- thanatoid (with /profound/ apologies to Lou Reed)
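[Editor's added example, not part of thanatoid's post.] The one check that would actually settle QUESTION 3 (is something rewriting the MBR on every boot, or not?) is to hash the first sector of the disk right after writing a fresh MBR, then hash it again after each reboot and compare. The script below parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code and the partition table separately, and reports what changed against a saved baseline. It is run on constructed sample sectors; the read_first_sector() helper and the /dev/hda path are assumptions for a live Linux CD such as DSL, where the raw disk can be read without booting the suspect OS.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code (plus disk signature area)
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the code
PART_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR
PART_ENTRY_FMT = "<B3sB3sII" # status, CHS start, type, CHS end, LBA start, sectors


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into hashes, signature check and partition list."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, off)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[PART_TABLE_OFF:510]).hexdigest(),
        "valid_signature": sector[510:512] == MBR_SIGNATURE,
        "partitions": parts,
    }


def diff_mbr(baseline: dict, current: dict) -> list:
    """Return a list of human-readable findings; empty list means unchanged."""
    findings = []
    if not current["valid_signature"]:
        findings.append("MBR signature 0x55AA missing: sector is not a valid MBR")
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code changed since baseline")
    if baseline["table_sha256"] != current["table_sha256"]:
        findings.append("partition table changed since baseline")
    return findings


def make_part_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one 16-byte partition entry (CHS fields zeroed; constructed data)."""
    return struct.pack(PART_ENTRY_FMT, 0x80 if bootable else 0x00, b"\x00" * 3,
                       ptype, b"\x00" * 3, lba_start, sectors)


def build_sample_mbr(boot_code: bytes, table: bytes = b"\x00" * 64,
                     sig: bytes = MBR_SIGNATURE) -> bytes:
    """Assemble a constructed test sector; this is not read from any real disk."""
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + sig


def read_first_sector(device: str = "/dev/hda") -> bytes:
    """Assumed usage on a live Linux CD: read the raw MBR (needs root)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    # Constructed sample: a FAT32 (type 0x0B) primary partition starting at LBA 63.
    table = make_part_entry(True, 0x0B, 63, 1_000_000) + b"\x00" * 48
    baseline = parse_mbr(build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", table))
    # Same partition table, different boot code: what a rewritten MBR looks like.
    after_reboot = parse_mbr(build_sample_mbr(b"\xeb\x3c\x90", table))
    for line in diff_mbr(baseline, after_reboot) or ["MBR unchanged"]:
        print(line)
```

Usage idea: save parse_mbr(read_first_sector()) to a file on the live CD's RAM disk or a write-protected floppy immediately after FDISK /MBR (or the Acronis restore), reboot once into the suspect OS, boot the live CD again and run diff_mbr against the saved baseline. If the boot code hash changes between the two reads, something on the disk (or in the boot chain) is rewriting the MBR; if it does not, the MBR is not where the problem lives and the search moves elsewhere.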