Home Computer Completely Stuffed (to use a polite term)
Anonymous (User not Registered) | Posted 21-04-2004 at 10:58
We have grounds to believe our computer is completely stuffed.
If so, it may be some time before we get sorted and back online again.
If you think you can offer some good helpful techie advice, please add some comments below. (A full run-down of problems to follow within a couple of hours of this post.)
Thanks
Tim
[ This message was edited by: TimPrevett on 2004-04-22 07:29 ]
Anonymous (User not Registered) | Posted 21-04-2004 at 11:18
Details of the problems:
Since Tues morning, we have had no e-mail access from Virgin.
We have two dial-up numbers:
1470,,08089933070 (VNET070)
1470,,08089909030 (VNET030)
both usually handling data at 45-50 kbps.
While net browsing access could be achieved, no e-mail is incoming.
Since then
VNET070 would dial up with a speed of 115 kbps
VNET030 would dial up with a speed between 14 and 46 kbps
Having in the meantime checked with Virgin customer services announcements
0800 052 4329
we know Virgin have extensive problems with their mail servers.
This morning (Weds) I dialled up on the VNET070 number.
I was browsing the Portal, looking at a private message
within 2 minutes our PCCillin software alerted
us of a firewall breach.
These details:
Time: 7:40am 21 Apr 2004
Source: 81.103.217.35
Attack Type: NetBIOSBrowsing
Bytes Sent: 376,697
Bytes Received: 1,965,944
Then 2 minutes later a virus warning flagged up
(no e-mail viruses, as no e-mail for 24hrs+)
Location:\\WINDOWS\system32\systemfile
File name: TROJ_ACIDREIN.20
When trying to exit browser, it kept trying to redirect me to
www.turkcode.com/download/counter.php
even though we have never tried to access that page or even knew of its existence.
Having felt assured that the thing was contained, I restarted computer.
(Probably bad move now - I assume... )
During restart usual menus and screens were jumped past, and very early on
I got this message
Searching for BOOT record from CDROM... Not Found
Insert BOOT diskette in A
and we can get no further
Virgin customer services have not given us the help we would have liked
and I will need to get back to them tonight, circumstances permitting
Now, does this sound pear-shaped to you? and what can we do?
Feeling resigned to the probably inevitable
Tim
[ This message was edited by: TimPrevett on 2004-04-22 07:31 ]
ocifant | Joined: 13-10-2002 | Messages: 186 | from London | Posted 21-04-2004 at 12:05
Tim,
Not having dial-up or PC-CILLIN (I use Grisoft AVG), I can't help on that front.
A search for ACIDREIN doesn't bring up anything useful, so it's either a brand new virus/trojan, or isn't normally known by that name.
I'll see if I can find anything else out about it, but how up-to-date is your virus scanner?
If you go into the BIOS (Esc or F1 on boot-up usually does it), you might find that your hard drive has disappeared as a boot device, in which case re-entering the parameters for the hard drive might get you over the boot problem.
Good luck. If I find anything else out, I'll let you know.
AlaN >S
ocifant | Joined: 13-10-2002 | Messages: 186 | from London | Posted 21-04-2004 at 12:22
Tim,
The only reference I've found to an Acid Trojan is .
It's a fairly old DOS-based trojan that wipes out a lot of the command files in Windows. That would certainly give the symptom of not being able to boot from your hard disk!
Might be worth taking a quick look at the link above to see if you have any of the other symptoms. Have you got an old DOS boot disk hanging about anywhere you could use?
Anonymous (User not Registered) | Posted 21-04-2004 at 13:58
Looks like it - though I suspect it could be a revised new version of the old one.
Will look properly from my own work comp later - on someone else's here.
No idea about Boot up files - my bro created this comp & software from his specs - so might have to wait until it's suitable to talk to him.
I can post again sometime just after 4pm; working on some contingency plans.
cheers
Tim
ocifant | Joined: 13-10-2002 | Messages: 186 | from London | Posted 21-04-2004 at 15:21
If that's what it is, the removal instructions on the page I indicated (and the link I screwed up should still work) state that you should re-install the operating system and all application software.
There are additional considerations for XP and W2K machines listed there too.
I'm amazed that it got through though, it's a 1996 virus! I'd double check the symptoms listed before taking such drastic action (and I'd make sure you have an up-to-date virus trapper in future).
Sorry to be the bearer of (potentially) bad news.
Anonymous (User not Registered) | Posted 21-04-2004 at 15:37
Thing is, I can't even check the symptoms now, if I can't even get past the disk boot-up.
If it is a complete restart, then, I think we'll go broadband, with full archiving practice, and very good firewall software in place.
"I don't believe it!"
Will mail virgin from their website, and see what else can be done, and have a poke around when I get home tonight.
Thanks, Alun
Tim
Anonymous (User not Registered) | Posted 21-04-2004 at 15:42
MM
Just got your message... Could you get the computer base unit over to me in Chester?
I've got a couple of computers I have to finish repairing. Then I could queue-jump to yours.
The trojan is fairly straightforward to remove but the computer operating system will have to be rebuilt or replaced. You will also probably have to reload your data files from backup... Do you have backups?
Acid Rain (alias QSD12) is a file deletion trojan that unfortunately, when run, deletes system files, renames folders, and creates tons of empty folders. It's been around since the late 90s.
But basically your computer is not dead and can be revived 8#)
BB Dave the Flute
Anonymous (User not Registered) | Posted 21-04-2004 at 20:06
Looking optimistic... but it ain't over 'til it's over
bro not available, so doing this off 'own back' as it were.
Restored hard drive parameters - managed to get online.
Currently downloading AVG from Grisoft, and seeing about getting the thing off our system. At the moment, everything is there - and may it stay so.
we have been sufficiently scared here to sort out better protection and look into archiving material... once the immediate challenge is sorted.
thanks
Tim
Andy B | Joined: 13-02-2001 | Messages: 7001 | from Surrey, UK | Posted 21-04-2004 at 21:41
Hard luck Tim, I sympathise with losing stuff, especially due to my recent hard disk episode.
It looks like some sod got you with a trojan:
http://www.computer-forums.co.uk/forum/viewtopic.php?t=7538&view=next
"NETBIOS browsing means they are looking for network shares. People actually turn on file and printer sharing and run without a firewall! You can map their drive to your computer and access it just like it was local to your machine."
Your firewall should have blocked this, unless you've allowed Windows network sharing on your dialup connection (easily done I think).
Your firewall should block all incoming UDP traffic with a source port of 137 or 138.
From what I've heard, there are some nasty new viruses on the loose, based on recently announced Windows exploits - check out the patches here:
http://www.microsoft.com/security/security_bulletins/200404_windows.asp
Andy
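The point Andy makes above is that a personal firewall on a public dial-up link should never let Windows file and printer sharing traffic in from the Internet side. The script below is an added example (not code from the original thread or from any product named in it) that runs that check over a constructed connection log: it flags inbound NetBIOS/SMB probes and works out which inbound block rules would have covered them. The log format, the dial-up host address 198.51.100.7 and the other addresses are made up for the example; only 81.103.217.35 comes from the thread. Note that the decisive test is the destination port (a scanner can use any source port); the source-port check from the post is included as well because the NetBIOS name service does answer from UDP 137.

```python
"""Added example: flag inbound NetBIOS/SMB probes in a connection log.

Not code from the original thread or from PC-cillin/AVG. The log format and
all addresses except 81.103.217.35 (quoted in the thread) are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# NetBIOS name service and datagram service run over UDP 137/138; the NetBIOS
# session service is TCP 139 and direct-hosted SMB is TCP 445. None of these
# should be reachable from the Internet side of a dial-up interface.
NETBIOS_UDP: Set[int] = {137, 138}
SMB_TCP: Set[int] = {139, 445}

# Constructed log line format (assumption for this example):
#   "<date> <time> <udp|tcp> <src>:<sport> -> <dst>:<dport> <in|out>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>udp|tcp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<dir>in|out)$"
)


@dataclass(frozen=True)
class Conn:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" = arriving on the dial-up interface, "out" = leaving


def parse_log(text: str) -> List[Conn]:
    """Parse the constructed log format; malformed lines are skipped, not guessed at."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(m["ts"], m["proto"], m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"]), m["dir"]))
    return conns


def is_netbios_probe(c: Conn) -> bool:
    """True for inbound traffic aimed at Windows sharing ports.

    The destination-port test is the one that matters, since a scanner can
    choose any source port. For UDP the source-port test from the thread is
    kept too, because the name service replies from port 137.
    """
    if c.direction != "in":
        return False
    if c.proto == "udp":
        return c.dport in NETBIOS_UDP or c.sport in NETBIOS_UDP
    return c.dport in SMB_TCP


def flag_probes(conns: Iterable[Conn]) -> List[Conn]:
    """All records a dial-up personal firewall should have dropped as sharing probes."""
    return [c for c in conns if is_netbios_probe(c)]


def block_rules_needed(conns: Iterable[Conn]) -> Set[Tuple[str, int]]:
    """(proto, destination port) pairs an inbound deny rule set must cover for the probes seen."""
    return {(c.proto, c.dport) for c in flag_probes(conns)}


# Constructed sample: one external host sweeps the sharing ports of the
# dial-up host 198.51.100.7 while normal web and DNS traffic goes on.
SAMPLE_LOG = """\
2004-04-21 07:40:02 udp 81.103.217.35:137 -> 198.51.100.7:137 in
2004-04-21 07:40:03 udp 81.103.217.35:138 -> 198.51.100.7:138 in
2004-04-21 07:40:05 tcp 81.103.217.35:3201 -> 198.51.100.7:139 in
2004-04-21 07:40:06 tcp 81.103.217.35:3202 -> 198.51.100.7:445 in
2004-04-21 07:40:10 tcp 198.51.100.7:1043 -> 203.0.113.9:80 out
2004-04-21 07:40:11 udp 198.51.100.7:1044 -> 203.0.113.53:53 out
2004-04-21 07:40:12 udp 203.0.113.53:53 -> 198.51.100.7:1044 in
2004-04-21 07:40:15 tcp 81.103.217.35:3203 -> 198.51.100.7:80 in
"""

if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for c in flag_probes(conns):
        print(f"{c.ts} sharing probe from {c.src}:{c.sport} to {c.proto}/{c.dport}")
    print("inbound deny rules needed:", sorted(block_rules_needed(conns)))
```

Run against the sample it reports four probes, all from 81.103.217.35, and the rule set {udp/137, udp/138, tcp/139, tcp/445}. The DNS reply on line 7 is inbound UDP but from port 53, so it is not flagged, which is why a source-port-only rule is too narrow in one direction and a destination-port rule without a state table is too broad in the other. In practice the simplest fix on a machine like Tim's is the one Andy implies: unbind File and Printer Sharing from the dial-up adapter and run the personal firewall with inbound default-deny, so these ports are never exposed in the first place.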
Anonymous (User not Registered) | Posted 22-04-2004 at 07:35
Well, we're still here
Nothing seems lost.
1 Puzzling thing
We downloaded AVG from Grisoft; after a thorough scan that took 82 minutes, it did not detect a virus.
Even though we had the message from PC-cillin, and the subsequent knocking out of our boot-up.
Could it be so new that places do not even have it listed yet?
Cheers
Tim
Anonymous (User not Registered) | Posted 22-04-2004 at 11:15
MM
Probably because a trojan is not a virus! It's a downloaded program that can be run remotely from another computer. A virus will run of its own accord. Bit academic when the result is the same! "£$%^&. But not all AV software detects trojans.
Also stealth or cloaking viruses/trojans can hide from some anti-virus software. It's rather a case of you get what you pay for, except in the case of Grisoft which I have been told is quite good. 8#)
Best of luck
BB Dave the Flute
Andy B | Joined: 13-02-2001 | Messages: 7001 | from Surrey, UK | Posted 22-04-2004 at 11:56
Tim,
I'm glad it was just the boot sector, you're (relatively) lucky.
In my investigation last night, people recommended The Cleaner by http://www.moosoft.com to check for and remove trojans.
But your firewall should have stopped it in the first place as I said above.
It's a new one on me.
Andy
Robc | Joined: 04-01-2003 | Messages: 12 | from Porthcawl, South Wales | Posted 25-04-2004 at 18:57
Hi Tim
Try the following link for more info on your virus:
http://vil.nai.com/vil/content/v_99502.htm. It's part of the McAfee virus database. It looks like you might have to reinstall your operating system. But follow the link and check the detail.
Good luck
Rob
  Profile
Reply
|
Anonymous (User not Registered) | Posted 25-04-2004 at 21:03
Thanks, Rob.
Still no e-mail from Virgin - though we got onto Customer Services today, and someone told us how we can check e-mail from the web.
We'll be changing ISPs soon; have signed up with another, so I'll be mailing out accordingly once things are set up. A lot more net security with this package, too.
Cheers
Tim
ocifant | Joined: 13-10-2002 | Messages: 186 | from London | Posted 26-04-2004 at 19:45
I should listen to my own advice! It looks as if I have an infection on one of my home machines. I'm disinfecting now, and it's not even a machine I use to browse the web much! It's my main e-mail machine, and I delete *all* spam off the server so it never reaches my machine, so I'm stunned that I've been hit.
It just goes to show that no matter how much care you take, it's still possible to get infected 