VIRUS

Ismael_Ramos

Jul 8, 2003
Two or three weeks ago I received a virus through the Internet that infected my main computer.

It is a "Boot Virus" that installed itself into my hard drive and into the motherboard BIOS, and that does not allow Windows to boot or to be re-installed on that hard drive again.

I tried to erase it by formatting the hard drive and by running Fdisk several times, but there is no way to get rid of it.

It looks like it installed hidden files into the hard drive that are impossible to erase.

To make it worse, since my computer was unable to work I decided to put together another computer using another motherboard. Before installing the hard drive into the computer I ran "Fdisk" on the hard drive to erase all partitions and then installed the hard drive into the "new" computer. When I ran Fdisk in the new computer, Fdisk gave me a message that indicated that "Fdisk was going to modify the boot sector" and to answer yes or no. Thinking that saying yes was going to correct the problem I answered yes, and I ended up with another motherboard infected.

And, to make it even worse, I tried with a new hard drive, and it infected it also, since the virus was already in the motherboard.

Now both of these hard drives are the main hard drives for Windows and programs only, not for data, which is on a different (separate) hard drive, and I don't know if that third hard drive (the most important, because it contains all the saved data) is also infected.

Now, what does all this have to do with BAD SUPPORT?

I was running Norton Anti-Virus, which I always check for updates on a daily basis, and Norton did not detect any virus at all. The virus seems to be new and very powerful, because it damages the motherboards and the hard drives. The motherboard built-in anti-virus "PC-cillin" indicated it is a boot virus.

I contacted Symantec Norton Anti-Virus and their response was basically that they do not care. I asked them if I could send the hard drives to them so they could check what type of virus it is and, if possible, eliminate the virus, and they said NO, that they don't do it.


What can I do? Symantec does not care if I got a virus, even while using their product, and they won't help me in any way to get rid of it either. I don't know how I can get rid of the virus in the motherboard, if possible.

Someone told me that by installing an updated BIOS in the motherboard I can get rid of the boot virus in the motherboard. Is this true? How is it done? What about the one in the hard drives? How can I get rid of it, if possible? Or do I have to buy new hard drives and lose all the information that is still on the data hard drive?

How can I prevent this from happening again?

Don't tell me with Norton Anti-Virus, because it is a useless program, and from a company that does not care at all about its customers or their problems.


Thanks in advance for your help or comments in this respect.
 
Yup, just download the new BIOS from the mobo manufacturer and flash it using a boot diskette with the flash utility from the mobo manufacturer as well. That should clear the BIOS with a new BIOS. You can actually get the instructions on flashing the BIOS from the manufacturer's website.

While for the hard drive, you can just put it in another system with anti-virus installed and scan that drive with that PC. Clean it and format it. That should do it.

I don't think Norton would care for your problem but I think you should send the drive back to the manufacturer instead of Norton.
 
It is true that a virus can over-write your BIOS if it has not been protected (made read-only, effectively). But I was not aware that a virus could actually "exist" from within the BIOS. If anyone could give me more detailed information on this I would be grateful.

I've never heard of a virus that could survive the drive it is on being F'disked. I tend to keep up with this sort of thing as I am a Systems Administrator for my company.

Even if this is possible, there is no way at all that a virus could survive a Low-Level Format. If your motherboard does not have the ability (in the BIOS) to LLF then you should be able to find a program somewhere that will do it.

I'll post a link to one as soon as I find it.

Be aware that low level formatting can damage older drives or drives that are borderlining on failing anyway.



Fatal Error #449: Unable to process the "Go to Hell" command specified.
 
Make sure that flash disk is also write-protected before you use it on that motherboard. It would also help to have a program (like WDClear) that will zero out the hard drive (low level format).

If in fact your motherboard's BIOS has been infected with a virus... then it's reinfecting the hard drive EVERY TIME YOU ACCESS IT. That is why you can't get rid of the virus. Once it's there, it's almost impossible to remove without flashing your motherboard's BIOS. If you're going to use the drive on another computer... it is important that you first write-protect the BIOS before proceeding; otherwise you end up in the exact same situation.

Symantec doesn't offer the type of service you're looking for. You can submit a virus to them to analyze, but they will not clean your hard drive and return it to you. I don't know of any AV software vendor that will. Remember one thing about AV software: UPDATE UPDATE UPDATE. With Norton check AT LEAST once a week for updated virus signatures. If your definitions are out-of-date, you have no one to blame but yourself. (Some could make the case that even if they are up-to-date you are still to blame since you didn't practice safe computing).

I personally use Panda Antivirus Platinum 7. It's less of a resource hog than Norton, and it has updates DAILY. Which means that if there's a new virus... chances are you will be protected from it much sooner than with Norton or McAfee. I don't have a problem with Norton, I just prefer Panda for my own use. It's important to keep on top of virus threats... I subscribe to a newsletter from Panda that keeps me abreast of all the latest virus/security threats.

If you design software that is fool-proof, only a fool will want to use it.
 
The problem is that it is a boot virus that infected the motherboard's boot BIOS. One of the motherboards is on the way to the company (SOYO) for repair or replacement under warranty since it is only a week-old computer.

The other infected motherboard I will have to fix it by myself since it is not under warranty.

2 hard drives that were used as "C" drives are infected also, but I do not care about them since only Windows and programs were on them, and I have the CDs to re-install them.

The one that worries me is the "D" drive that was connected to the secondary cable. That's where all the years of work and data are saved. That's the one that worries me. Norton Anti-Virus is unable to detect the virus on them. Only PC-cillin is able to detect the virus on the "C" drives, but it only indicates that they are infected with a boot virus and does not indicate a name for it. I have not checked the "D" drive yet in any way, but to my knowledge if it was a Trojan Horse type of boot virus they usually install themselves in all the hard drives connected to the computer (or to all in the network).

It is scary, and I thank God it was my home computer, and not my office computer, because we have thousands of computers connected to the mainframes in our offices.
 
I know the virus infected the motherboard, because when I removed the infected hard drive and installed a new one in its place it immediately infected it. In fact, the motherboard tried to tell me, but I was stupid enough not to understand. When I turned on the computer with the new hard drive and ran Fdisk (from the Windows CD, not a floppy, to later format and install Windows), Fdisk gave me a message after creating the partitions that it was going to modify the boot sector, and to answer yes or cancel. I was stupid enough not to understand what this means, and I answered yes. I then re-booted the computer in order to format the new hard drive and install Windows. Sure enough the new hard drive started to act exactly like the old infected one by not finishing the installation of Windows, or booting into Windows.

Then I made another mistake: I ran Fdisk on that hard drive again, shut down the computer, and installed a new spare motherboard. Well, you know the story, another screwed motherboard.

The new motherboard will be replaced or fixed by Soyo under warranty, but I am on my own with the old one.


But, as I said before, it is not the two motherboards or the two "C" hard drives that worry me. It is the "D" hard drive where all the data and years of work are saved. I would not like to have to erase that hard drive, which may be infected also. By the way, the secondary cable where the "D" hard drive was connected was disconnected, to avoid the possibility of transferring the virus (if also infected) during the replacement of the hard drive and the replacement of the motherboard. The computer I am using right now is an older unit, but I do not have a backup of the information that is on the "D" (200GB) hard drive, so I may end up losing all that info, approximately 120 gigabytes of info.

Edited by Ismael_Ramos on 07/09/03 07:18 PM.
 
I contacted Norton by phone about the situation. I asked them if I could send them one of my hard drives to be scanned, so they can make a virus definition for it, and their response was that they do not scan customers' hard drives for viruses. They want me to put the virus on a floppy and mail it to them. Now, how am I going to put the virus on a floppy and mail it to them? If I can do that I can get rid of the virus myself.

McAfee's response was that since I am not using their product they cannot help me.


Now, my question is: from where do they get their virus definitions if they do not scan customers' hard drives that may be infected?

Are they making the viruses themselves, so they can sell more Anti-virus software, or so they can keep charging you money for updating your virus definitions for the virus that they created themselves?


That is the only explanation that I had.
 
A week or so ago, I did a stupid and got something called a PolyWin32 virus. I subscribed to McAfee's on-line service almost a year ago, so I scanned with that. It found it, but said it couldn't clean it. It did what it said it could do, and I was still having problems, so I scanned with it again and it found nothing. I then went to Panda's site and did the free scan, it found 2 files and cleaned them.
The virus messed up my e-mail, I got that straightened around with Outlook's backup utility (I think that's what it's called), and all has been okay.
I'm cancelling the McAfee service and getting whatever Panda has to offer.
 
Be aware of one thing:

If you have your Boot-Sector virus check ENABLED in BIOS, it is ALWAYS going to tell you something is trying to modify the boot sector... which now has me wondering if in fact you have a virus. If you try to set up Windows with the boot-sector virus check enabled, it quite often messes up the install because Windows has no clue what to do when the boot sector is write-protected. Always DISABLE the boot-virus check in the BIOS when initially setting up Windows on a new or clean hard drive... otherwise you'll have problems. Personally, what I would do is find someone that has their BIOS write-protected (just in case) and an up-to-date copy of any AV software. Do a full scan of the suspect drive... and then to be sure, do an online scan at www.pandasoftware.com .

If you design software that is fool-proof, only a fool will want to use it.
 
The new motherboard is being fixed or replaced by Soyo under warranty. I will have to re-flash or replace the BIOS chipset on the old one (a DFI).

The hard drives probably will need low level formatting to get rid of the thing, since several rounds of Fdisk and formatting do nothing to eliminate the virus from them.
 
I still want to know what initially led you to believe you were infected by a virus. As I have said, if you enable the virus check in your BIOS, it will prompt you about ANY changes to the boot sector on the hard drive. Running FDISK and installing Windows modifies the boot sector. Which means it's going to tell you that it's modifying the boot sector. In most cases, you cannot even install Windows with the boot-sector protection enabled... it will freeze on the install.

Hopefully Soyo doesn't have a policy of charging customers if the defective part turns out to have no fault found. I'm not 100% sure you had a virus... and there is no way to be absolutely sure without doing a scan of the drive.

If you have somehow write-protected your boot sector, then that would explain the trouble you're having. I would disable the BIOS anti-virus and try again on that other board you mentioned.

If you design software that is fool-proof, only a fool will want to use it.
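
The point made in the post above, that FDISK and Windows setup legitimately rewrite the boot sector, can be checked by comparing a saved copy of sector 0 with the current one and reporting which region differs. This is an added example, not part of the thread; the function names and sample sectors are constructed, and it assumes a classic 512-byte MBR layout.

```python
import hashlib
import struct

SECTOR = 512
CODE_END = 440           # bytes 0..439: bootstrap code
TABLE_START = 446        # bytes 440..445 (disk signature area) are skipped
SIGNATURE = b"\x55\xaa"  # bytes 510..511 mark a valid boot sector

def parse_mbr(sector):
    """Split one 512-byte MBR into boot-code hash, partition list, signature flag."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        slot = sector[TABLE_START + 16 * i: TABLE_START + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", slot, 8)
        if slot[4] != 0:  # partition type 0 means the slot is unused
            partitions.append((i, slot[0] == 0x80, slot[4], lba_start, count))
    return {"signature_ok": sector[510:] == SIGNATURE,
            "code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
            "partitions": partitions}

def compare_mbr(baseline, current):
    """Report which region of the boot sector differs from the baseline."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not new["signature_ok"]:
        findings.append("boot signature missing")
    if old["code_sha256"] != new["code_sha256"]:
        findings.append("boot code changed")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table changed")
    return findings

def make_entry(active, ptype, lba_start, count):
    """Pack one 16-byte partition entry (CHS fields left zero)."""
    return struct.pack("<B3sB3sII", 0x80 if active else 0, b"\x00" * 3,
                       ptype, b"\x00" * 3, lba_start, count)

def make_sector(code, entries):
    """Build a constructed sample sector (not read from any real disk)."""
    body = code.ljust(TABLE_START, b"\x00") + b"".join(entries).ljust(64, b"\x00")
    return body + SIGNATURE

# Constructed samples: same boot code with a new partition layout (what a
# repartitioning tool does), and the same layout with different boot code.
BASELINE = make_sector(b"\xfa\x33\xc0", [make_entry(True, 0x0B, 63, 1000000)])
REPARTITIONED = make_sector(b"\xfa\x33\xc0", [make_entry(True, 0x0C, 63, 4000000)])
CODE_MODIFIED = make_sector(b"\xeb\xfe\x90", [make_entry(True, 0x0B, 63, 1000000)])
```

On a real system the two inputs would be the first 512 bytes of a disk image taken before and after the change.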
 
My motherboard was originally with virus detection disabled. That was probably the reason it was infected. I tried more than six times to do a clean installation of Windows before I decided to check the BIOS for viruses.

There is no way to install any version of Windows or even DOS on those infected hard drives. They are completely useless. Scan disk indicates hidden files on them, after being Fdisked and formatted (clean, nothing installed on them). Only low level formatting may save them. I am going to try that as soon as I get the motherboards fixed.