
InitDiskno Resident in BIOS, part of (?) Paradox OEM BIOS Emulation Toolkit


5 replies to this topic

#1 bobkatt

Posted 22 February 2011 - 07:10 PM

I had 2 old computers at home, but the only one working now is this old Pentium III (600) from my father.

I was switching pieces around to use an Intel D945GTP motherboard because it worked so well compared to what I had. I had already backed my data up to DVDs from one old machine in order to install Ubuntu on that drive as part of the Intel machine. The hard drive had been working for approximately 2 years in the old machine. I zeroised (WD Diagnostics 5.04f) the Western Digital drive (60GB) and set up the hardware to install the machine.

As soon as power went to the Intel machine, the boot paused, and my zeroised HD installed "InitDiskno" into the BIOS of the Intel machine (though I didn't know that at the time). I just found it strange that instead of my Ubuntu install CD booting (I had used it before and knew it worked well), that the blank hard drive did (sort-of, no screen display).

I had another Ubuntu CD and a bootable thumb drive, but the machine reported that there were no bootable drives present. The machine actually hung when I tried the bootable USB.

After setting up my Father's machine with Ubuntu and establishing a connection using a Huawei E160x USB 3G modem, I downloaded a BIOS update for the machine. The Intel has a nice Recovery mode for the BIOS, just set the jumpers right, put the floppy with a copy of the BIOS bin on it into the machine and away it goes.

(Ever try and buy a box of floppies nowadays? I eventually found some)

It went through the actions, appeared to work, and then I repeated the above procedure to install Ubuntu, with the same results as above.

I downloaded another method from Intel to boot off the floppy and run a program to install the BIOS update. The floppy was based on a FreeDOS boot and on the third try I noticed that it was saying that "InitDiskno" had created a RAM drive and that it was going to use that for the BIOS update.

I am persistent and the above has consumed my last two weeks. I have gone to Intel and had a chat with their support staff (despite the motherboard being non-supported through age). No luck on something that would remove or blank that part of the BIOS.

The BIOS is hard mounted so I cannot replace it.

So I am now trying to identify "InitDiskno" which Web Searches led me to "Paradox OEM BIOS Emulation Toolkit" (www.mydigitallife.info) as my only clue, even though there is no mention on the page of "InitDiskno", nor have I ever even been on a machine running Vista much less installing an illegal copy.

I thought I had bought this drive, but maybe it was some junk one of my friends threw out?

My present position is now:

1. Seeking your assistance
2. Looking for some software that really zeroises a hard drive
3. Looking for some software that can remove the virulent "InitDiskno" from my BIOS.

I've already given up trying to find a virus scanner that works.


bobkatt Feb 23,2011

Edited by elise025, 23 February 2011 - 08:28 AM.
Moved from Malware Removal forum to Internal Hardware ~Elise



#2 MrBruce1959


Posted 23 February 2011 - 12:03 PM

Hello and welcome to Bleepingcomputer.

Sorry to hear about your misfortunes.

As for hard drive wiping utilities, dban is one of the most widely used programs out there, although there are others which can be found by simply using a search engine and the key words disk wipe.

As for dban here is the link, proceed to the download tab and download the program.

http://www.dban.org/

As for your BIOS, can you enter the BIOS utility at all?

The initDiskno is shorthand for initialize disk no hard drives detected.

I am not 100% sure why at this point, this is showing up. However, what might answer some questions here is what would happen if you removed this 60 GB hard drive from the computer and attempt to boot up the computer again?

You should get a warning from the BIOS that there are no bootable devices installed.

The next question would be do you have the hard drive configured properly in both the BIOS utility and the drive's jumper settings?

I will watch for your reply.

Bruce.

Edited by MrBruce1959, 23 February 2011 - 12:31 PM.

Welcome to Bleeping Computer! :welcome:
New Members: Please click here for the Bleeping Computer Forum Board Rules
 
My Career Involves 37 Years as an Electronics Repair Technician, to Which I am Currently Retired From.

I Am Currently Using Windows 10 Home Edition.

As a Volunteer Staff Member of Bleeping Computer, the Help That I Proudly Provide Here To Our BC Forum Board Membership is Free of Charge. :wink:

#3 bobkatt


Posted 24 February 2011 - 11:56 PM

Dear elise025,

Can you please give me some reasons why an infected hard drive that infects a machine's BIOS should be moved from Virus, Trojan, Spyware, and Malware Removal Logs to the unrelated Internal Hardware forum? It is clearly a virus that makes the machine (and hard drive) inoperable.

bobkatt

#4 bobkatt


Posted 25 February 2011 - 12:20 AM

Thank you MrBruce1959 for your welcome to Bleeping Computers (and I like the cat picture as well).

Thanks for the suggestion on using DBAN, I in fact gave it a try and the Hard Drive remains infected. I have also tried HDDerase (Fails) and HDAT2 (with marginally more success).

I got as far as replying to your welcome 2 days ago when my father's old machine was suddenly inoperable, with now the same virus showing in it.

I now have no choice but to go use machines at my friends places when I can get some money together for petrol.

I haven't been able to alter the BIOS update diskettes as yet, since I do not have a functioning PC, but will be trying when I can.

I agree with your statement with one correction/enhancement "The initDiskno is shorthand for initialize disk no IDE/SATA/USB drives detected".

I have no problems in setting up the BIOS and hard drive pins, except for their current disobedience!

I used the trick of removing the Hard drive & CD reader to be able to finish the update of the BIOS to version 4131 (the machine requires a reset to an older BIOS version before upgrading to the latest version).

Possibly my mistake was physically installing the 60GB hard drive before finishing the two step BIOS update.

I'll keep you posted, especially on the censorship I'm suffering with every time I make a posting.

Thanks for your interest Bruce.

#5 MrBruce1959


Posted 25 February 2011 - 02:15 AM

Thanks for keeping me updated on the progress and sorry to hear you have two machines infected at the same time.

You need not feel alone in this situation, as much as you would feel I have never had malware or infections on my systems, I have to admit I've been snagged a few times myself.

I spend a lot of time doing Google searches for information, especially looking up information to help others here on BC.

I have downloaded and installed software and tried it before offering it to other members here.

Every now and then, I get a bad egg or problems caused by a bogus web site I went to.

I have Spybot S&D, MalwareBytes, MSSE, Norman Malware remover and Super Anti-Spyware installed, the windows firewall on and I still get snagged every now and then by a file on my hard drive.

It happens to all of us eventually, it's sadly a part of life now.

Take care and keep me posted.

Bruce.

#6 bobkatt


Posted 26 February 2011 - 01:57 PM

Following on from my comments above, firstly on censorship. I started entering
my comments to Elise25 and MrBruce1959 within 12 hours of their posting.
As I neared the end of what I was writing, the page was closed. So I started
again from memory of what I had just written. The machine I was using lost
connection with the internet and several attempts to re-connect failed.

I followed this with a re-boot to find I was now infected with a virus and I
quickly shut down the machine. I used what software I had off-line to look at
the hard drive which I had zeroised prior to its install into my father's
machine.

I am used to finding several BAD SECTORS when I get infected, and the kind that
makes HDDErase fail on a Security Clean. They seem to have a security level much
higher than maximum, and can't be accessed. They weren't there before.

It was then I noticed that the Smartdrive had warnings and looked at the data
recorded for Smartdrive analysis. I remembered when I wiped it before using it,
that it had run for some 23912 hours, approximately 3 years. There were some
errors in the totals, but nothing large or critical.

But upon this inspection it seemed that my drive had become critical in the
following areas:

Re-allocated Sector Count (100)
Relocation Event Count (87)
Off-line Uncorrectable Sector Count (87)
Ultra DMA CRC Error Rate (100)
Soft Read Error Rate (100)

And most importantly it had now run for 2,846,062 hours (328 Years
approximately), which isn't bad for a drive built in Nov, 2003!

This is from an attack across the web, and an easy way of destroying someone's
hard drive! It's sneaky, since there was nothing damaged in the drive, but the
failure of the drive will happen some time later and not at the time of the
attack.

Rather than put yet another Hard drive into the pile of failed hard drives, I
am now looking for software that can reset the Smartdrive recorded data.


At this point I don't have an operating machine out of three.


When I went to use a public computer (paying a few of the endless collection of
bills) I thought I would enter my comments to Elise25 and MrBruce1959. I got the
first one to Elise25 done and was answering MrBruce1959 when the system told me
to stop what I was doing (can't remember the exact words). The page froze but
otherwise everything was working so I opened another TAB and quickly typed in my
first reply to MrBruce1959 (short version).

My father's machine now has an altered BIOS as well as the Hard Drive
infection and some of the things I have run warn me of a "dummy BIOS"
being present.

I don't know yet whether I have a beacon installed to alert whoever it is, to
where I am, or they are simply tracking my IP when I go on the web. Or maybe
they pick me up when I try to add comment at www.bleepingcomputer.com.


______________________________________________________________
The above notes were from two days ago and should have appeared before my
first note to MrBruce1959
______________________________________________________________

Since the notes (immediately above) I have made two more attempts to update the
Intel BIOS while I was off-line. While neither attempt eliminated "InitDiskno",
I noticed that the machine was finally recognising the Hard Drive and the CD
reader, which would allow me to install.

Install I did, and without a problem.

I ran the machine for a couple of hours to see if there was anything to indicate
that I was infected again. Nothing happened except what I expected to happen. I
even played 17 games of Freecell, before I dared to go on the web. I even had
made a list of the things I needed to download before I went on the web.

I downloaded Internet Explorer 8, InfraRecorder, Outpost Security Suite Free 7.1
(the best I could find, but it doesn't detect the virus either, just its actions)
and just started to download Ubuntu (which can run off a CD).

As I clicked the Ubuntu screen to download an ISO, I received a message that the
page (that I was actually viewing at the time) was not available, and Internet
Explorer 6 then proceeded to wipe the page I was looking at and put up the
traditional 403 page (web site not found/available).

End of my day again.

Studying the hard drive afterwards, I found no "Magic Bad Sectors" (yet), but the
data table for Smartdrive had 100 against every table entry except:

Spin-up Time (142)
Power-on Hours Count (99) for 9,258 hours (About right?)
HDA Temperature (127) for 109 degrees F
Ultra DMA CRC Error Rate (200)


Eight hard drive stuffed for this bleep to have his fun!!


Again need some means to reset or alter the Smartdrive data to realism.




Summary of Symptoms
-------------------

Before the attack, no BIOS infection, then things work fine.

1. The first thing to notice that you have an infection, even if it is only the
BIOS, is that the mouse will jump around the screen. (Hence playing a mouse
dependent game like freecell is a good test, even offline). More prevalent as
the infection grows.

2. It likes to replace audio drivers in memory, (especially if it's a C-Media).
Hence no sound. I think it may also try the boot CMOS in LAN card and USB Host
software drivers.

3. I was originally concerned that the modem I used was infected, being a Huawei
3G USB Modem (it attaches to the machine as a USB CD-ROM). But the attack on
the public computer, leads me to doubt that, though they could be using all 4
methods proposed so far.

4. Now that I realise that these attacks are external, I must say that "InitDiskno"
appearance must have been more defence against a BIOS attack rather than part of
the virus. Unless of course, if it is acting as the beacon.

5. It takes a couple of boots after the attack to bring the infection up to full
strength as an internal infection(s).

6. I have not found a virus scanner that will detect the virus. Ad-aware v8.3
used to stop several attacks from the same source and list the IP. Unfortunately
I didn't write it down. The newer version 9 does not.

7. For virus scanning, Agnitum's Outpost Security Suite Free 7.1 is the best that
I have found. Like all the others it does not find the infection, but it does
detect some of its action in modifying executables from modules in memory.

8. The virus is very good at taking down Microsoft's Firewall. Note that Agnitum's
comes with a good firewall of its own.

9. Normal downloads fail if they are large (124MB for Ad-Aware always fail). If
you are installing multiple machines (my 3 soon I hope) and want SP3 for XP
update as one file (324MB), it fails.

10. Downloading by utorrent succeeds quite well for a while, I suppose the sheer
volume of data transfer makes it hard for an attack. I have had it go as long
as two hours before an attack got through.

11. If a torrent file exists for your desired file (for ubuntu it does), use it in
preference to a direct download. You can usually get it down. If it is an ISO
file, you will seldom get a good burn when you are infected (see more below).

12. The virus will infect or blank BIOS's. If the BIOS is not a plug-in, goodbye
machine.

13. When making normal changes to your BIOS (after entering setup by using the
DEL key or F1 or F2 or ALT-CTRL-ESC) the virus will sometimes hang the
machine.

14. After making changes to your BIOS to change the boot order of floppies, CDs,
Hard drives, LAN cards, the virus can either change your settings so that it
boots first, or from the moment of your hard drive being sensed by the machine,
take over your machine and boot first, regardless of your settings. This
means that it also infects the MBR (Master Boot Record) of a hard drive.

15. If you try and save your data, you will find that you have an incredible
amount of faulty floppy diskettes. Just from switching to a clean machine I
only threw out 7 of the 40 diskettes deemed faulty by the infected machine.

16. If you try to burn a data CD/DVD to save your data, it also seldom works.
(eg your hard drive runs out of disk space, or file is corrupt, or this
directory does not meet Windows naming standards, this directory has seven
parent directories, etc)

17. If you try to burn video DVDs (even your own legal stuff) there are corrupt
spots that stop the video player and even hang the video player. (I was
transferring VHS tapes of my parents before their death. Gone is the machine,
the converted & edited AVIs and the DVDs are stuffed. Now looking for the
VHS tapes I haven't thrown out.)

18. If you try and burn an ISO onto a CD/DVD you can find errors internally to
the ISO. I once burnt 4 copies of Ubuntu from the one execution: two had
missing files, two appeared to install the virus.

19. Add a second hard drive to an infected machine, it is infected.

20. Add an external hard drive to an infected machine, it is infected.

21. Add an infected hard drive to a clean machine, The clean machine is infected.

22. Add a bootable USB drive, it generally gets infected (Ubuntu install), but
don't know yet if it infects non-bootable. I certainly blame the virus for
the loss of two 16GB USBs and one 8GB, that have come up either not readable
or simply ceased to function.

23. Small, quick, simple burners of ISOs (like infraRecorder, there are other
good ones but I have lost them) are the best. Time is short if your machine
hasn't been infected yet.

24. Your time and date are occasionally reset.

25. The good thing about the latest Ubuntu (there are lots of good things, but in
this context there is one above that is very important) it runs from a CD. An
already burnt CD can't be infected. You can't save any data, except onto an
infected drive but you can communicate and call for help.

The ISPs (Internet Services Providers) with 3G USB Modems offer NO help in
getting the modem to work for LINUX which makes it quite hard to establish
much less memorise so you can quickly set up.

26. Some ISPs shield their customers from this attack, notably Australia's Telstra,
but not Optus, Dodo or Eon Net.

27. Several other viruses seem to find the breach into your machine and join in.
That of course means that all of the above may not be just the one virus.



