Boot Sector Virus Found
CMonster
06-04-1999, 01:19 AM
Today I got an invitation from an old supervisor friend of mine to look at a non-networked Win95 PC in the fleet services division of the Los Angeles Department of Water and Power; the symptoms were that the CD-ROM icon had disappeared and the hard disk controllers had yellow exclamation points in the Device Manager.
After about 30 minutes of trying unsuccessfully to reinstall the drivers and all the typical things one does to get a CD-ROM back from the phantom zone, I finally took the time to completely read the error message on the performance page of the System Properties sheets. And it mentioned the possibility of a boot sector virus or corrupted boot sector. Not having a virus scan disk with me, I created a startup disk from this computer, did an "fdisk /mbr" and then transferred the system back to the 'C' drive, rebooted, and everything was right as rain. Until I got home...
First thing I did was to scan that boot disk and guess what?????
PC-cillin 6.0 (with latest definitions) immediately found a boot sector virus: "AntiCMOS.A*" Of course I notified DWP and they have already tracked the infection source to a vendor who was installing legitimate programs for the department. But let this be a warning -- it can happen to anyone.
I have destroyed the virus so please no one ask for copies.
Peace!
~edit: Note, this is one of only a very few stand-alone PCs in the vehicle maintenance section at DWP which do not have antivirus software installed; ALL other computer systems at DWP and in the city of LA have current antivirus programs running 24/7.
[This message has been edited by CMonster (edited 06-04-99).]
MR COMPUTER
06-04-1999, 01:35 AM
Good catch CMonster! A lot of folks automatically blame the hardware. I see a lot of systems where instead of a component failure, a virus was at fault.
Gentle Giant
06-04-1999, 08:51 AM
A tech question if I may:
Can this be done if your FAT32?
Jin Vitas
06-04-1999, 09:35 AM
Normally if a CD-ROM does go out... and there are ! marks in the HDD controllers... you check for viruses... also, if you run chkdsk and the total bytes of memory is not 655360, then you have a virus... but if you have a SCSI controller then the total will differ.
CMonster
06-04-1999, 07:13 PM
Gentle Giant,
The hard disk in question was FAT32.
Jin Vitas,
How true, but until now the only time I saw CD-ROMs disappearing was when a motherboard had been upgraded or a software/OS install/reinstall had gone sour. Since this episode followed right on the heels of a parts vendor installing a software suite for locating Cummings diesel parts and specifications, I ASSUMED that something had just gotten botched on the install. And since this was the well-funded Dept. of Water and Power, I also assumed that they would be running antivirus software on ALL of their computers... so I did not think to bring along any virus checker - also unable to connect to the net from that box.
Well at least they got the latest Intel Busmaster IDE drivers out of this and became aware of the problem.
[This message has been edited by CMonster (edited 06-05-99).]
socalgal
06-04-1999, 10:12 PM
Good troubleshooting CMonster !!
Now, will I still be able to take a shower January 1, 2000?
sourjon
06-05-1999, 07:09 AM
cmonster: Could you enlighten us less fortunates such as myself as to exactly what you did when you said "fdisk /mbr and then transferred the system back to 'C' drive, rebooted and everything was right as rain." Does this actually remove the MBR from the C drive? And the virus along with it?
Not sure what you mean by transferring the system back to 'C'. Is this the 'sys C:' command? I am not too sharp on some of the DOS commands.
Thanks for the great posts. Very informative.
sourjon
06-05-1999, 04:09 PM
Thanks Cmonster
As they say, "A journey of a thousand steps begins with one". Well, somebody must have said it!
CMonster
06-06-1999, 12:19 AM
Sourjon,
There was every indication of a corrupt master boot record, so I shut down and restarted the computer in MS-DOS mode (I also had the Windows startup disk that I had created in the 'A' drive). At the 'C' prompt I did the following:
C:\>fdisk /mbr   (press Enter)
This was to refresh/reset the master boot record; to my knowledge this does not destroy any virus there, and typically the virus would also be in memory anyway, and quite possibly hiding with another file somewhere. Next I transferred the system, i.e.:
A:\>sys c:
When it was done I did a Ctrl-Alt-Del and restarted the computer.
Upon reboot into Windows everything was fine, there were no more yellow !!! in the Device Manager, and the CD-ROM icon was back in "My Computer." But when I returned home and discovered the virus on that startup disk, I realized that my friend's troubles were likely to return very soon.
Just as an update: 3 other stand-alone computers in the same shop area have been determined to be infected also.
**Socalgal,
Regarding that shower on Jan 1st 2000;
Remember my saying, "Thems' that know the least fear the most."
When have computers ever been stable, virus free, and immune from hackers?
Since the beginning and until today the electric utilities have had crashes with computers. The largest crash and burn (literally burned a whole bank of power system computers) took place back east a few years ago, power from that local utility was out for only one day.
All the utility functions that are controlled by computers can be done manually and have manual backup strategies, just as they have had for many decades in the past.
The real danger is in the human monsters, riots, panic, etc. Imagine that on New Year's Eve at 11:59 PM a drunk hits a major power pole and there is a blackout to a heavily populated area of downtown LA? The people begin screaming, "This is it! It's Y2K!" ...and so the panic and looting and rape begins. Now all these panicked and intoxicated people begin trying to flee the city and crash into other power poles, causing the blackout to spread... more line breakers go down... more blackouts. Next, in the riots and confusion, a power transfer station burns because of the Korean-owned shoe store burning next to it... more people panic... Happy Y2K...
Yes ma'am, people are the real Y2K menace!
[This message has been edited by CMonster (edited 06-05-99).]
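Added example (not code from the original thread): a small Python model of the MBR layout discussed above. It parses the 446-byte boot code, the 64-byte partition table and the 0x55AA signature, keeps a SHA-256 baseline of the boot code so a later change can be detected, and models the effect of `fdisk /mbr`: the boot code area is overwritten while the partition table is preserved. The sample MBR bytes and the "placeholder" boot code are constructed; the function and constant names are my own.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 446        # bytes 0..445: boot loader code
PART_TABLE_END = 510       # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xAA"    # bytes 510..511: boot signature

def parse_mbr(mbr: bytes):
    """Return (signature_ok, sha256 of boot code, list of used partition entries)."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = mbr[PART_TABLE_END:] == SIGNATURE
    partitions = []
    for i in range(4):
        entry = mbr[BOOT_CODE_END + 16 * i: BOOT_CODE_END + 16 * (i + 1)]
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        boot_flag, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:   # type 0 marks an empty slot
            partitions.append({"bootable": boot_flag == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return signature_ok, hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(), partitions

def rewrite_boot_code(mbr: bytes, clean_code: bytes) -> bytes:
    """Model of 'fdisk /mbr': replace only the boot code, keep the partition table."""
    if len(clean_code) > BOOT_CODE_END:
        raise ValueError("boot code too large")
    return (clean_code.ljust(BOOT_CODE_END, b"\x00")
            + mbr[BOOT_CODE_END:PART_TABLE_END] + SIGNATURE)

# Constructed sample data: a placeholder "clean" boot code and an altered copy of it.
CLEAN_CODE = b"\xFA\x90" * 24
ALTERED_CODE = b"\xEB\x1C" + CLEAN_CODE[2:]

def build_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR with one bootable FAT32 (type 0x0B) partition starting at LBA 63."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x0B, 63, 4_194_241)
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + entry + b"\x00" * 48 + SIGNATURE

def demo():
    """Detect a changed boot code against the baseline, then repair and re-check."""
    baseline = parse_mbr(build_mbr(CLEAN_CODE))[1]
    suspect = build_mbr(ALTERED_CODE)
    _, digest, parts_before = parse_mbr(suspect)
    repaired = rewrite_boot_code(suspect, CLEAN_CODE)
    _, repaired_digest, parts_after = parse_mbr(repaired)
    return digest != baseline, repaired_digest == baseline, parts_before == parts_after

if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

On a real disk the baseline hash would be taken from a known-good boot sector image, and a mismatch on a machine that had no reason to change it is the signal to scan with current definitions before rebooting from any floppy made on that box.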
SysOpt.com
Copyright Internet.com Inc. All Rights Reserved.