Virus preventing boot

Asked by ordcestus

On my primary laptop running only Ubuntu 8.04 I have received a virus that I think has infected my BIOS somehow. When I start the computer a message is displayed: "Sorry i can't allow this computer to start. Please buy a new one." There is no way to get into BIOS settings or anything; the keyboard seems to be completely dead. I have tried using my 6.06 live CD and even the Windows recovery disks that came with the computer, but it then displays this message: "There is no way to make this computer work again. (except as a paperweight) :). I cannot allow you any help. Perhaps you shouldn't use linux EVER AGAIN!" There is data on this computer I very much need, and when I took it to Geek Squad at Best Buy their computer developed the same issue and it was Windows based. I need some help please.

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: ordcestus
Andy Ruddock (andy-ruddock) said :
#1

Make sure your CD is in the drive and turn the laptop off completely.
Turn it back on again and press whatever key combination is required to enter the BIOS setup.
Make sure the BIOS settings for boot order are to boot first from CD - in fact you can change the settings to enable boot *only* from CD.
As soon as you've made those changes save the options and reboot.
You should now be able to boot via the CD and recover your data.

ordcestus (ordcestus) said :
#2

I've done this before and I tried again. But still no dice. The computer doesn't seem to react to any keys on the keyboard so I can't get into any BIOS settings or anything beyond the message above. Also, is there some type of report I should make to Ubuntu about this virus?

Charles Profitt (cprofitt) said :
#3

I have not heard of a BIOS virus, but if your BIOS is really an issue you could try downloading the latest BIOS for your computer and flashing the BIOS. Given your report that the keyboard is dead you may need to plug in an external keyboard. Sorry I could not offer any more help, but I have never heard of a BIOS virus.

Andy Ruddock (andy-ruddock) said :
#4

There are no viruses which infect the BIOS, although there are a couple which change BIOS settings in order to try to force a boot from an infected drive.
If you remove the hard disk and try to boot from CD what happens?
What brand and model is the laptop?

ordcestus (ordcestus) said :
#5

HP, Intel Pentium M 1500 MHz, 1.25 GB of RAM and 80 GB hard drive.
I removed the hard drive, hit the power button with a Windows recovery disk in the drive and got this message:
"You're smart but it won't work. You can't fix this computer."
I also tried the external keyboard but it was dead as well. Would it be feasible to replace the physical BIOS chip and boot that way?

Andy Ruddock (andy-ruddock) said :
#6

Well, without having the machine in front of me I'm stumped on this - sorry.
There's no reason why the data from the hard-disk can't be recovered, but the boot problem is truly bizarre.

ordcestus (ordcestus) said :
#7

I figured it out, but it cost me a new BIOS chip and a new hard drive. In case someone else gets this: the old hard drive can be recovered as long as you use it as read only, and the BIOS chip is gone, no good. Apparently both were infected and would spread the virus if not both replaced. Regrettably this was a truly ingenious piece of work.

eROCKS (rwalden10) said :
#8

I hope I'm posting this in the correct place - I'm a new convert courtesy of watching what this virus has done and how much more compact and faster Kubuntu/Linux is. I have the same style virus as ordcestus described in the 7-13-2008 post, possibly even the same one with added features. It started in Windows Vista SP2, identified as W32.VIRUT.CF (has other aliases). I was an A+ certified tech (lowest certification for MS hardware, software and small networks on PCs, not large networks involving domain controllers, Enterprise controllers, policy kits, etc.) but that's from almost 10 years ago when XP was just coming out, and I have been out of the build/repair side of PCs since then. My most current formal programming language is Fortran '66 - ha!

An overly verbose recount: I was running a fully updated HP POS with Vista Home Premium 64 and PC Magazine's #1 choice anti-virus, Norton Internet Security 2009, fully updated (and against my better judgment from previous experience), with an AMD Phenom II 920 (4 core @ 2.8 GHz) and a 1 GB GTS250 nVidia card. The virus obtained access to the system on 10-19 totally unnoticed (except for one log entry I found) and at 3:15 AM on 10-25, in the midst of a heated game of STALKER (local, not internet game), I got the only notification of anything wrong: two WINDOWS DEFENDER flash screens made it through but only for a split second, and all I saw was "Ulong". I stopped the game and investigated to see what was up, only to slowly uncover the damage done. First I tried to run Norton on full alert for any and everything. Norton wouldn't update and when I tried to scan anyway the program was promptly shut down with a fake error message. The easy restore feature was useless as the D:RESTORE drive had been invaded and it would seem as though the language files, i.e. EN-us, were all that was there and they are all locked. It's making changes again so I'll cut to the info I have after 5 weeks of watching it work.

It either came in through computer #3 (the protection software was 2 years out of date) of the 3 machines connected to the same router but NOT networked, or it more likely came in on this machine as I was wanting to set up nVidia's CUDA technology and had downloaded SQL Server, Visual Basic server, C#, C+(+), all the .NET series and others, but I left the servers wide open - easy entry.

Once it gained access, it set up many protocols and direct pipelines to bring in the 300+ TAR files, all in stealth mode.

When ready, it strips out all user information including passwords and sets the computer to be a network in itself, where the virus takes ownership of the newly created domain and elevates itself to DOMAIN CONTROLLER (outranking the local administrator).

It promptly starts unzipping tar packages to protect itself and starts eliminating existing admin and any other existing user's privileges while locking out all existing users' ability to use the internet, CD drives, printer and, in my case, eventually the mouse and keyboard, and it writes its changes into the registry AND the MASTER BOOT RECORD AND to a RAMDISK it creates for itself when it remaps the memory.

It read the AMD kernel file, set it to run in 32-bit mode and split it into 4 virtual CPUs before it flashes the BIOS (I counted 5 .bios files). This all happened in the first second.

It flashed the BIOS, the router firmware, changed the printer/scanner settings to allow itself ECM transmission/reception via telephone, it actually wiped out an old speaker phone attached to the fax, I've yet to test the MB chipset but it seems to have gotten the MEMORY CONTROLLER (it also deletes memtest.exe and puts in a fake memory tester), I don't know yet if it got into the firmware of the SCSI HDD or the two CD/DVDs, but to even further support your account that it will detect and adjust/infect anything that connects to the system, it turned on my Bluetooth that automatically turns off when I put it in the charger that attaches to a USB port to charge; it then automatically paired with my older Nokia flip phone and accessed and adjusted the OS to try and access the internet through the Yahoo setup! I have that blocked at the phone company but it explains why the phone seemed to light up for no reason while just sitting on my desk.

DO NOT use a FLASH DRIVE OR SD CARD to try to save pictures or documents as it will jump on in hidden format; use a CD and double check before you burn - it got me 2 days ago and when I went back to check, there it was, called "install"; that is from a disk with Kubuntu loaded on it. From the Windows NT(4) series, 3 files would jump: ipod, cdrom & (I forgot the third file), but to a Windows user they look like directory folders when they are actually executables waiting to tear through the system.

It will also open and inject itself into files, primarily targeting .exe, .com and .sys files, but has also used a .jpg file (picture) as its icon, so trying to save pictures is dangerous as well.

It uses a random time generator to modify the file creation and access dates and has its own adjustable certificates for authorization.

The TRASH/RECYCLE location is not the same; it has been moved, protected, and everything that gets deleted is replaced, sometimes within seconds or when it goes through its scheduled checks.

It depends heavily on the TASK SCHEDULER (CRON SYSTEMS) to schedule package unloading and installation, system checks and I assume other things; the longer I was able to keep them uninstalled, the more time I would get before the eventual wipe/reload/reinfect cycle would have to start AND, in the case of Kubuntu, the more errors would be logged before the files installed to switch logging to a place that required admin (sudo) permission to reach and open.

The virus also morphs: it learns and adapts. For example, I was using a Super Tools boot CD and doing damage and slowing it down by changing timeout parameters and files it would allow me to edit and learn Linux (What? Buy a manual?); after using it twice, it now recognizes it and will not allow it to set up a RAM disk, causing the program to abort. There's more but this is already long.

I'm not familiar with laptop internals, but for desktops the BIOS is set back to defaults by removing all power; that includes the CMOS battery that holds the time and BIOS settings when there is no power to the machine, and there's usually a jumper next to the battery for "Normal" and "Reset" or "Reset Password". If the BIOS has been flashed, it will go back to the default settings of the flashed BIOS, not the factory file and settings that were overwritten, and setting a password on the BIOS doesn't even slow it down, at least in my trials. Ahhhh yes - the 300+/- tar.gz packages that eventually get downloaded? They turn into just under 1300 files that the controlling program can call up to do anything from destroying files to providing its own library of adulterated "help" files.

I hope that's not so long I get booted on my first post, but 5 weeks of observation should provide helpful information to someone, and there's even more I've left out, so feel free to ask. Of course one that is experienced in Linux or Unix might have made short work of it, and I could have parted the machine and repaired it (and may still have to), but having been an unknowing victim of Gates' theory that he would openly admit, and was a major factor in the demise of better OSs over the years - (paraphrased): 'Let them pirate and copy MS-DOS and Windows OS. It will be the only one they know when they are adults in the business world and won't have the desire or time to learn another OS'. I'm hoping to be able to make an image of the disk, as there are many amazing script files that can be used for good that I hope to be able to get and extract using a junker machine. But in the meantime Linux has impressed with its versatility; I have to get some resources and learn it the right way! I made Smoothwall boxes back in 2000-2001 and never had a problem; a trip to the thrift store, $17.00 USD and an old 8139 series NIC card and I'm back in business once I scrub the virus, replace the AMD kernel and reflash the BIOS. For right now, I need expert help on doing it in Linux, or I can run dual boot with the default being one of the Linux distros.
Regards, Ron

Vikram Dhillon (dhillon-v10) said :
#9

After reading your message :) if you have Ubuntu/Kubuntu installed after a fresh install, a Windows virus can't do anything to it because it is a different filesystem and also because of the user permissions.

--
Regards,
Vikram Dhillon

On Sun, 2009-12-06 at 21:46 +0000, eROCKS wrote:
> Question #38591 on Ubuntu changed:
> https://answers.launchpad.net/ubuntu/+question/38591

eROCKS (rwalden10) said :
#10

Hi Vikram, and thanks for responding so quickly. And now I see where my day went - apologies for writing a novel there. I see your point, but I didn't lay out the actual order properly and failed to mention the EEEBuntu disk. The Vista SP2 installation was handled in the exact same manner as the later installation of Kubuntu, with Python being prominent in both. I mentioned that it cut me off from being able to print, burn a CD or connect to the internet, along with a large list of restrictions. After a few days it was obvious I wasn't going to be able to recover, save anything or get any part of the virus saved to an SD or CD. This is when I used the restore disk with the format and new partitions options. About 2 days passed and, despite my watching the LAN connection for changes, it was able to establish a pipeline and the process started over, and that's when we realized the BIOS had been flashed and the MBR wasn't part of the format. My friend suggested I boot from the EEEBuntu disk, which I finally did, but I couldn't keep up with it setting policy and the environment on three cores when I wasn't even familiar with env variables, policy kits, shells, aliases and so on, so Vista (NT4) kept on slipping, and I had to mount the HDD to make futile changes as I didn't even know a single Linux command. The virus was in fact able to set parameters in the BIOS that would activate if it sensed that disk in the drive; the line ends with "casper-seed". I leave the CMOS battery out now so I can just pull the plug and the BIOS will reset after a few minutes, and it gives more time before the additional boot command is added back in. I finally loaded Kubuntu 9.10 on to the HDD and things were well for a few days (until it got enough packages d/l'd) and then the power takeover started, assisted by pamunix, as well as the familiar restructuring of the CPU kernel and remapping of the RAM. When it gets bad, like today, I lost sound and saw in the logs that a new BIOS was added.
Here is a sample from the sys.log of my using the EEEbuntu disk while the virus is working on the final touches of having transformed Kubuntu 9.10 into X.Org with Gnome:
xserver-xorg postinst warning: overwriting possibly-customised configuration
   file; backup in /etc/X11/xorg.conf.20090507000406
sh: .: line 1: can't open /usr/share/debconf/confmodule
ln: /usr/sbin/anacron: No such file or directory
Using CD-ROM mount point /cdrom/
Identifying.. [0179c94c21978f1fbc65c2c180b8eb0d-2]
Scanning disc for index files..
Found 2 package indexes, 0 source indexes, 0 translation indexes and 1 signatures
Found label 'Ubuntu 9.04 _Jaunty Jackalope_ - Release i386 (20090420.1)'
This disc is called:
'Ubuntu 9.04 _Jaunty Jackalope_ - Release i386 (20090420.1)'
Copying package lists...gpgv: Signature made Mon Apr 20 14:30:13 2009 UTC using DSA key ID FBB75451
gpgv: Good signature from "Ubuntu CD Image Automatic Signing Key <email address hidden>"

Reading Package Indexes... 0%

Reading Package Indexes... 2%

Reading Package Indexes... Done

Writing new source list
Source list entries for this disc are:
deb cdrom:[Ubuntu 9.04 _Jaunty Jackalope_ - Release i386 (20090420.1)]/ jaunty main restricted
Repeat this process for the rest of the CDs in your set.
W: Skipping non-exisiting file /cdrom/dists/jaunty/main/binary-i386/Packages
W: Skipping non-exisiting file /cdrom/dists/jaunty/restricted/binary-i386/Packages
 Removing any system startup links for /etc/init.d/apparmor ...
   /etc/rcS.d/S37apparmor
(Reading database ... 98858 files and directories currently installed.)
Removing gdm-guest-session ...
Purging configuration files for gdm-guest-session ...
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
And here is what was loaded or happened when the streaming music quit:
udo dmidecode --type bios
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I found an older "How to" on flashing the BIOS and hoped maybe there was a newer version available, as I have the .exe type that has to be run in a Windows setting, not the .img style.
The main thing I need now is a script or the commands to wipe the drive totally, including the MBR; then I can flash the BIOS and update the chipset and the AMD original kernel. I'll probably be moving this to a new question status and just leave out all of the history: "I loaded Kubuntu 9.10 and it is being corrupted and transformed into X.Org/Gnome by a corrupted virus and boot sector" - something like that. I do have many of the logs for the recent install if you would like to see them.
Ron

Vikram Dhillon (dhillon-v10) said :
#11

Alright, so if you put in the Ubuntu Live CD, then let it boot up and go to the installer, you should choose "erase all" or something similar as an option while going through the partitioner, and that will wipe out the entire drive and start over :)

--
Regards,
Vikram Dhillon

On Mon, 2009-12-07 at 03:27 +0000, eROCKS wrote:
> corrupted
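Ron asks in #10 for the commands that wipe a drive "totally including the MBR" before reinstalling, and Vikram points at the installer's erase option. The installer's partitioner normally rewrites the partition table but not necessarily the boot code in sector 0 or the gap after it, so as an added example (my code, not anything from the posters or from Ubuntu) the script below zeroes the first 1 MiB of a target, where the MBR and a boot loader's core image live, and verifies the result. It runs against a constructed file-backed image; pointed at a block device path it destroys that disk's partition table, so the target must be double-checked first.

```shell
#!/bin/sh
# Added example: wipe the boot area (MBR + post-MBR gap) of a disk or image
# and verify it afterwards. Exercised on a constructed image file; the same
# function applies to a real device path (e.g. /dev/sdX) after checking it.
set -eu

BOOT_AREA_BYTES=$((1024 * 1024))   # first 1 MiB: MBR at sector 0 + boot loader gap
SECTOR=512

# Build a constructed 4 MiB image of random bytes carrying a 0x55AA MBR
# signature at offset 510, so a wipe is observable. No real disk is touched.
make_test_image() {
    img=$1
    dd if=/dev/urandom of="$img" bs=1024 count=4096 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Return 0 when bytes 510-511 hold the classic MBR boot signature 55 AA.
has_mbr_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Return 0 when the first BOOT_AREA_BYTES of the target are all zero bytes.
boot_area_is_zero() {
    nonzero=$(head -c "$BOOT_AREA_BYTES" "$1" | tr -d '\000' | wc -c)
    [ "$((nonzero))" -eq 0 ]
}

# Overwrite the first BOOT_AREA_BYTES with zeros, sector by sector.
# conv=notrunc keeps everything beyond the boot area intact (on a file image
# it also keeps the file size), which mirrors what happens on a device.
wipe_boot_area() {
    target=$1
    dd if=/dev/zero of="$target" bs="$SECTOR" count=$((BOOT_AREA_BYTES / SECTOR)) \
       conv=notrunc 2>/dev/null
    sync
}

# Stand-alone demo on a temporary image: run as `sh wipe_boot_area.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    img=$(mktemp)
    make_test_image "$img"
    has_mbr_signature "$img" && echo "before: MBR signature present"
    wipe_boot_area "$img"
    boot_area_is_zero "$img" && echo "after: first 1 MiB is zero"
    has_mbr_signature "$img" || echo "after: MBR signature gone"
    rm -f "$img"
fi
```

Zeroing only the boot area is enough to stop a stale boot loader or partition table from being reused; wiping the data area as well is a separate, longer pass that the installer's full-disk erase covers.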

eROCKS (rwalden10) said :
#12

Hi Vikram - sorry for the delay in responding. That's the same idea I had, but it's an expert in protecting itself. In speaking with an "old timer" I've learned that the virus copies itself into the "Super Block" on the HDD and then replicates 100 times. I've tried the reinstall with Vista and new installs with EEEbuntu, Kubuntu and Ubuntu, all with a full format start. In all cases the virus has been missed as, according to the explanation given to me, the Super Block contains all system information and is skipped over during the format. Another problem is that with the quad core acting as 4 separate processors, it uses 3 of them to run an army of programs for self-protection, continued invasion, spreading to anything it can get to and taking control. I stumbled upon the firmware cache but the titles made it difficult to match to the device. The computer has been ready in a steady state since late on 12/19 to current, with the EEEbuntu live disk in and 1 memory stick in, with the HDD unplugged and CMOS battery out. I'm learning commands and how to get around, but not enough yet to tackle this beast. I have 2 more crashes listed now on Bug #497313 and Bug #499600 demonstrating where I get body slammed doing something and inotify(7)/watchdog programs catch it. Now it just seems to be using my hacked router as a bounce point.
Thanks again for the idea; one of these ideas will work, and when we (we = Linux Community) get the answer(s), they can be packaged to stomp the controlling file, flash the BIOS back to the proper settings, identify infected and adulterated devices, repair or delete as required, reload the proper firmware and kernels, install a proper policy kit, and use the virus' own scripts to protect the files and configuration to ultimately hand ownership back over to the real owner. That is the Ubuntu way! Easier said than done I'm sure, but it will be done. Peace, Ron.
Also, a tip from the old timer was that older machines are going to come in handy as they have ROM and PROM chips that can't be flashed or adulterated - usually only $10-$30 at the thrift store; add a 2nd NIC card and they make a great mole wall, smoothwall, etc.!

Andy Ruddock (andy-ruddock) said :
#13

What's the name of this supposed virus? I worked for a good number of years as a developer in the AV industry and am not aware of anything as capable as that which you describe.