Question

  • #2264482

    Calling all virus detectives – Is it a virus ?


    by saurabhth ·

    My computer specs are an AMD K6-2 500 MHz with 192 MB RAM, running Win 98 SE version 4.10.2222 A. I have installed the latest update of the Avast Home user edition 4.7 antivirus program. I use Zone Alarm as a firewall.

    I use Mozilla Firefox v2.0 as my web browser.

    My system has 2 hard disks. The first hard disk hosts Windows and Linux on separate partitions. The second hard disk contains 3 Windows partitions (volume labels: Docs, Swap and Media) and 1 Linux partition. In these partitions I normally store data like Word documents and mp3 files. One of the partitions I have assigned as Windows swap.

    The system has shown the following abnormal symptoms (in chronological order):
    1. I visited 2 sites, http://www.compareindia.com and http://www.isb.edu, and downloaded a pdf from the latter.

    2. Say a few minutes after step 1, I discovered that all my data files had been erased. There were only 2 Windows partitions left, and the volume labels had been renamed to some unintelligible words. For example, the swap volume label was renamed as Swaq!!

    3. The swap partition now contained an unknown folder named Recycmee containing files with names in gibberish characters. The partition also contained a copy of the Windows swap file under some gibberish name.

    4. On launching MS Word I discovered the following problems: on the first attempt MS Word seemed to be stuck at the splash screen. After killing it and rebooting the system, MS Word said it found Normal.dot corrupt and attempted recovery.

    5. On rebooting I lost all my partitions on my second hard drive. I am unable to see any of the partitions in linux as well as windows.

    6. The windows and linux partitions on the first hard drive remain untouched. This is a surprise !!

    7. The Avast antivirus program has remained silent throughout this sordid drama. This is also a surprise!!

    Please note that the only external access to the system was through internet. I did not use any sort of USB drive or CD/DVD.

    I suspect the 2 sites to be the vectors of the “virus”. Can a PDF carry a virus?

    I need this forum’s kind help in detecting the root cause of this anomalous behaviour.

    Please help

All Answers

    • #2486069

      Clarifications

      by saurabhth ·

      In reply to Calling all virus detectives – Is it a virus ?

      Clarifications

    • #2486031

      Hard Drive Crash

      by gsquared ·

      In reply to Calling all virus detectives – Is it a virus ?

      It sounds to me like your hard drive crashed, either a hardware failure or the partition table on it was corrupted.

      See if you can see the drive in your disk manager. (I think that was fdisk in Windows 98, but it’s been a while. Try booting to the command prompt and firing up fdisk and select the option for viewing drive and partition data.) I don’t know how to do this in Linux, but there’s gotta be a way to do it.

      If your disk manager can’t see the disk, check what the BIOS says on boot. It should detect the drive. If not, it’s probably a hardware crash.

      If the BIOS can detect the drive, and your disk manager can see the drive but can’t detect any partitions, then the partition table got corrupted. There are tools out there that can often recover that kind of problem, but I haven’t used any of them in years, and have never used any Linux ones, so I can’t recommend one.

      If it’s a hardware failure and the disk can’t be detected by the BIOS, try connecting the disk to another computer as a slave disk and see if that machine can detect it. DON’T OPEN ANY FILES ON IT OR GO BEYOND SEEING IF THE BIOS CAN SEE THE DISK. If it is a partition-table virus, you don’t want to spread it to another computer. That’s not likely, but it must certainly be considered.

      Anything short of a serious hardware failure, you can probably recover data from the disk. I’ve done that before, but it’s been over a decade. Maybe a local computer shop can help with that.

      If the disk itself is dead, I have read about companies that can safely crack open the hard drive case and pull data off the raw disks, but I think it’s an expensive process.

      Most likely, you have a corrupted partition table. That’s the most likely thing to produce the results you’ve seen. It may have been from a virus, but they don’t usually go after that kind of thing these days – usually they want to install a trojan and turn your computer into a bot. Not malicious drive-crash bugs.

      So, I suspect a random event partition failure. It happens now and again.
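As an added illustration of the partition-table check this reply describes (it is not code from the original thread or from any of the posters), the following Python script reads sector 0 of a disk the BIOS can still see and tells apart the three cases the reply distinguishes: a wiped sector with no MBR signature, a signature with all four partition entries zeroed, and a table that is present but inconsistent. The sample sectors are constructed inline and only resemble the poster's second disk (Docs, Swap, Media, Linux); the `/dev/hdb` path in the comment is an assumption about how Linux of that era would name the second IDE disk.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
TABLE_OFFSET = 446                   # partition table follows the boot code
ENTRY_SIZE = 16
# status, CHS start (3 bytes, ignored), type, CHS end (3 bytes, ignored),
# LBA start, sector count; all little-endian
ENTRY_FMT = "<B3xB3xII"

# Partition type IDs a Win98 / Linux dual-boot disk of that era would carry.
PART_TYPES = {
    0x05: "extended", 0x06: "FAT16", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0E: "FAT16 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux",
}


def parse_entries(sector: bytes) -> list:
    """Decode the four primary partition entries without judging them."""
    entries = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown (0x%02x)" % ptype),
            "lba_start": start, "sectors": count,
        })
    return entries


def assess_mbr(sector: bytes, disk_sectors: int = None) -> dict:
    """Classify sector 0 of a disk the BIOS can see.

    'no-signature'  -> sector 0 overwritten; fdisk shows nothing
    'empty-table'   -> signature intact but all four entries are zeroed
    'damaged-table' -> entries present but inconsistent (recovery tools
                       that scan for filesystem boot sectors may rebuild it)
    'ok'            -> table is self-consistent
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        return {"status": "no-signature", "partitions": [], "problems": []}
    used = [e for e in parse_entries(sector) if e["type"] != 0x00]
    if not used:
        return {"status": "empty-table", "partitions": [], "problems": []}
    problems = []
    for e in used:
        if e["lba_start"] == 0 or e["sectors"] == 0:
            problems.append("entry %d: zero start or length" % e["index"])
        elif disk_sectors is not None and e["lba_start"] + e["sectors"] > disk_sectors:
            problems.append("entry %d: extends past end of disk" % e["index"])
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append("partitions overlap at LBA %d" % s2)
    status = "damaged-table" if problems else "ok"
    return {"status": status, "partitions": used, "problems": problems}


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a device or raw image, e.g. /dev/hdb (assumed name
    of the second IDE disk under Linux of that era; needs root)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_mbr(entries) -> bytes:
    """Constructed test sector: zeroed boot code, the given
    (bootable, type, lba_start, sectors) entries, valid signature."""
    table = b"".join(struct.pack(ENTRY_FMT, 0x80 if b else 0, t, s, c)
                     for b, t, s, c in entries)
    return bytes(TABLE_OFFSET) + table.ljust(4 * ENTRY_SIZE, b"\x00") + MBR_SIGNATURE


# Constructed layouts resembling the poster's second disk: Docs, Swap, Media, Linux.
DISK_SECTORS = 40_000_000            # roughly a 20 GB drive (assumed)
HEALTHY = build_mbr([
    (False, 0x0C, 63, 10_000_000),
    (False, 0x06, 10_000_063, 1_000_000),
    (False, 0x0C, 11_000_063, 20_000_000),
    (False, 0x83, 31_000_063, 8_000_000),
])
EMPTY_TABLE = build_mbr([])          # entries zeroed, signature survived
OVERLAPPING = build_mbr([            # second entry now starts inside the first
    (False, 0x0C, 63, 10_000_000),
    (False, 0x06, 5_000_000, 1_000_000),
])
WIPED = bytes(SECTOR_SIZE)           # sector 0 overwritten with zeros


if __name__ == "__main__":
    for name, sec in [("healthy", HEALTHY), ("empty-table", EMPTY_TABLE),
                      ("overlapping", OVERLAPPING), ("wiped", WIPED)]:
        r = assess_mbr(sec, DISK_SECTORS)
        print(name, "->", r["status"], r["problems"])
        for p in r["partitions"]:
            print("   #%d %-12s start=%d sectors=%d"
                  % (p["index"], p["type_name"], p["lba_start"], p["sectors"]))
```

On a real machine, `assess_mbr(read_mbr("/dev/hdb"), disk_sectors)` gives the same answer that `fdisk -l` would on Linux, but from a read-only 512-byte read, which matters when the drive is attached to a second computer and the goal is only to look, not to mount anything. Because the volume labels live in each partition's FAT boot sector and root directory, not in the MBR, a partition that still parses as "ok" here can still have garbled labels of the kind the poster saw.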

      • #2485999

        HD Crash Indeed

        by brooklyns finest ·

        In reply to Hard Drive Crash

        I agree, it sounds like a hard drive crash. There is this great tool called Stellar Phoenix that can be used to recover the data if need be… it works with all file systems, FAT, FAT32 etc…

        • #2489461

          Not so innocent…

          by robertaaa22 ·

          In reply to HD Crash Indeed

          Most likely, the drive crash is coincidental, however at least one of the sites is a known phishing site.

          compareindia.com is linked to in most of the eBay phishing scam emails that flow through my mail server.

          Given that the site participates – wittingly or not – in phishing scams, it’s not a huge leap to suspect they may also have been involved in drive-by malware installs.

          I’ve been to the site on a quarantined machine with no ill effects, but malware in general, and drive-by installs in particular, rely on the ability to exploit a known vulnerability. The number of systems visiting a drive-by site that are actually infectable is pretty small.
