Blue Smiley Virus?

Discussion in 'malware problems & news' started by JHaWz, Apr 2, 2003.

Thread Status:
Not open for further replies.
  1. JHaWz

    JHaWz Registered Member

    Joined:
    Apr 2, 2003
    Posts:
    11
    Hi,

    When I boot my computer up it says "Verifying DMI Pool Data..." (as normal) but then a blue smiley appears after the "..." and it won't boot up any OS. This still happens after I have formatted the HD and deleted the MBR several times. Has anyone heard of that virus and/or how to remove it?

    I'm new to this forum, but it sure looks great!

    JHaWz
     
  2. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Are you running any AntiVirus?

    It could be Pombero. This virus is old and it works under DOS.

    Try running F-prot for DOS (which is free).

    http://www.f-prot.com



    Technodrome
     
  3. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Don't know what OS you're using, but make sure you're booting from a *known* clean boot disk. :D

    Since the hd is already wiped, fdisk /mbr, fdisk, and format should kill the bug if your boot media is clean.

    Might also try reseating the memory sticks.
     
  4. JHaWz

    JHaWz Registered Member

    Joined:
    Apr 2, 2003
    Posts:
    11
    I've tried several OSes, Windows and Linux. I have tried searching for the virus several times with several AVs, but no virus was found. The only thing I can think of that would remove the virus is maybe a low level format. But if there are any other solutions, I would prefer not to do a low level format.

    Have also tried to reset the memory stick.

    How can a virus survive a format? Copy itself to the memory and then copy itself back to the HD? I read an article which said that was possible, is it?

    Anyway, thanks for the help, if you know any other ways to remove it, please tell ;)
     
  5. swift

    swift Guest

    What antiviruses did you use specifically? Did you run a dedicated antitrojan as well?

    Anyway, as for worms/viruses, there could be several options: "smiley" and variants amongst others.
     
  6. JHaWz

    JHaWz Registered Member

    Joined:
    Apr 2, 2003
    Posts:
    11
    Tried F-Secure and NAV.
    Haven't tried a dedicated antitrojan. One you could recommend?
     
  7. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Don't know if this is useful (do they exist or not: CMOS/BIOS viruses): resetting the CMOS/BIOS (jumper setting and/or taking out the battery)?
     
  8. JHaWz

    JHaWz Registered Member

    Joined:
    Apr 2, 2003
    Posts:
    11
    Yes, they exist. But this is an MBR virus (at least one that is stored on the HD). But thanks.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi, sad story............ are you sure it can't be in any of the software you're trying to re-install after format? Did you scan all those before and after installing?
     
  10. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Try NOD32. It has a strong heuristic engine. It might dig something up.



    Technodrome
     
  11. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    A very worrying situation indeed. Keep us posted on anything you find out, please.
     
  12. JHaWz

    JHaWz Registered Member

    Joined:
    Apr 2, 2003
    Posts:
    11
    I will keep you updated if I find any solutions.

    I have tried 3 different Windows and 4 different Linux, so it isn't any of the OS I install after format.

    I think this is a good example of how deadly a virus can be. Even if you keep the AV up to date, and scan regularly!

    Will try NOD32 and see if it could be of some help.

    THX for all the replies ;)
     
  13. JHaWz

    JHaWz Registered Member

    Joined:
    Apr 2, 2003
    Posts:
    11
    I tried NOD32. Got an error: "Physical Disk No. 2 - error loading active boot sector"
    What is that? That it can't load the boot sector because it is in use since I have booted up the computer?? Haven't used NOD before so I have no experience with the prog.
     
  14. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    The more I look at this, the more I think it's hardware related--not a virus.

    If you've recently installed hardware or moved your pc, try the following:

    1. Make sure all your cable connections are tight. No bent pins on the back of any drives. Are all the data cables "known good"? Can you test them?

    2. If you can get into CMOS, try to set everything back to default settings. Pay particular attention to the boot devices. If you can get to the physical disk section, make sure they are set to the auto detect setting. Check also the jumper on the back of the hdd (if present). Set it to master if it's alone on the channel.

    See if you can set the boot order to floppy/hdd/cd--in that order.

    3. If that doesn't work, you may have some unrepairable corruption on your hdd, or another hw failure (corrupt bios/bad chipset maybe) somewhere.

    My bet is you have a bad hdd. :(

    Good luck!
     
  15. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Jim,

    I tend to agree - although I do wish the problem could be spotted and solved.

    regards.

    paul
     
  16. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I was thinking about that too, but he said "but then a blue smiley appears after" and I've never heard of a "blue smiley" appearing during HD failure. The situation is kind of confusing! :rolleyes:


    Technodrome
     
  17. JHaWz

    JHaWz Registered Member

    Joined:
    Apr 2, 2003
    Posts:
    11
    @JimIT
    I thought that too, but found out that it's OK. And if it wasn't OK, what about the smiley?? I have done everything you said, JimIT, several times. Switched cables, flushed and restarted CMOS, and so on. It's a new HD (half a year or so).
    The whole problem started after I formatted the HD, and when I was going to boot up, the smiley appeared and it wouldn't boot anything.
    So I am pretty sure this is a form of an advanced virus which was started when I first cleared the MBR. If it had been some hardware failure, I don't think it could have booted up the OS in the first place. But now, after a month of trying to remove/repair, I'm open to every reason.

    One thing is sure, if it's a virus, it's an advanced one.
    If I send an email to Norton or any of the other AV companies, would they help me? Or is there anybody else who has good experience and knowledge of MBR viruses and similar?

    JHaWz
     
  18. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    You can by all means send for help from the major av companies, they may be willing to help.
    Hopefully one of the friendly guys from Eset will see this, it may be worth mailing one of these guys and kindly asking for any help. :)
     
  19. Joosky

    Joosky Guest

    Hi guys, Jooske here from another location; just googled on this one with the original description, can this be of any help?
    http://www.soyousa.com/support/index.php?answer_id=94
     
  20. Joosky

    Joosky Guest

    Oops, didn't know that as a guest I could not re-edit my message, so here is the part I meant to look at from the other URL above

    http://www.google.nl/search?q=cache:zAdXJMW5oSsC:www.soyousa.com/support/index.php%3Fanswer_id%3D94+%22Verifying+DMI+Pool+Data%22&hl=nl&ie=UTF-8

    System locking during boot up, stop at Verifying Dmi Pool Data...

    This could be due to the following;
    1. Memory may not be stable. - Try using one stick of RAM at a time.
    2. Hardware conflicts. - Try removing all the unrelated add-on cards.
    3. CMOS data got corrupted. - Try clearing CMOS.
    4. Floppy drive is bad or not connected right. - Make sure the cable is not loose and the red stripe of the cable is lined up with pin 1 of the FDD drive.


    I also surfed on this MBR virus
    http://www.pestpatrol.com/PestInfo/db/s/stormbringers_instant_stealth_mbr_virus_remover.asp
    http://www.geocrawler.com/archives/3/145/1997/12/0/618136/
    You tried all this already
    http://www.itechs-systems.com/articles/a5.htm


    Did you disable the bootscan in the BIOS before you did format c:\? This could block the clean format process.
    Also, is your hd compressed? or the virus itself?

    Added URL tags
     
  21. JHaWz

    JHaWz Registered Member

    Joined:
    Apr 2, 2003
    Posts:
    11
    Thanks Joosky, but I have tried all the things that you and the sites mention, and no luck :'(

    None of the AV companies could help either. Just saying update your AV and tell us what it reports...

    Anyway... looks like I need to low level format the HD...
     
  22. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    I can imagine that this is very frustrating, so if I'm repeating something you've already done, my apologies! :)

    Regarding the "blue smiley": If your hdd's boot sector is hosed, sometimes you can get a bunch of ascii gibberish. More, or less, depending on how far the boot gets.

    A couple of questions:

    Have you downloaded and run a current version of f-prot for DOS using floppies to boot, and run the a/v from a DOS command line?

    (Just clarifying...)

    Can you boot with a clean w98 boot disk and run scandisk with the /autofix switch?

    You might try a fresh hdd (if you have one handy) in that machine, and see if you can get an o/s on it, and then a good boot. This will pretty much eliminate the bios/chipset as potential problems.

    Good luck! Please keep us posted!
     
  23. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    HDD's are weird. One minute they are fine, the next they can be gone. I've seen it happen so often, it's mind-boggling!
     
  24. JHaWz

    JHaWz Registered Member

    Joined:
    Apr 2, 2003
    Posts:
    11
    That the HD is bad could very well be the reason, but then again, I can't understand the smiley.

    I can boot from a win98 boot disk and run scandisk (but it doesn't help).
    I am running on another HD now on the same computer. The "bad" HD is mounted and working except that I can't boot from it.

    Have run F-Prot for DOS, but not from the command line, will try that.

    Will make a couple of tries to find the (if it is) virus, if not, low level format. If that doesn't help, I don't think anything would help.
     
  25. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Hmm. That says a couple of things:

    1. The bios is ok on your machine. Which means you have apparently narrowed it down to a problem with the hdd.

    You probably have one of the following:

    1. A corrupt physical area in the boot sector of your hdd. (Which I'm betting is the case.) :doubt:

    or

    2. A boot sector virus, which F-prot/DOS *should* find if you boot from a floppy and run the program from a DOS command line.

    Also, before you do this, if you have a rubber chicken, this is a good time to wave it slowly over the machine. ;)
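
Several posts in this thread turn on whether the disk's MBR is structurally damaged (fdisk /mbr, NOD32's "error loading active boot sector", a "hosed" boot sector). The following is an added example, not code from any poster: a structural check of a 512-byte MBR dump, assuming the sector has already been copied off the disk from a clean boot environment. The function names and the sample sector are constructed for illustration, and the check does not detect a virus.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here

def check_mbr(sector: bytes) -> dict:
    """Structural sanity check of one MBR sector; this is not a virus scan."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    findings, partitions, active = [], [], 0
    if sector[510:512] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if not any(sector[:TABLE_OFFSET]):
        findings.append("boot code area is all zeros")
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        flag, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if flag not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid boot flag 0x{flag:02x}")
        if ptype == 0x00:
            continue                      # unused slot
        if count == 0:
            findings.append(f"entry {i}: partition has zero sectors")
        active += flag == 0x80
        partitions.append({"index": i, "type": ptype, "active": flag == 0x80,
                           "lba_start": lba_start, "sectors": count})
    if partitions and active != 1:
        findings.append(f"{active} active partitions, expected exactly 1")
    return {"partitions": partitions, "findings": findings}

def build_sample_mbr() -> bytearray:
    """Constructed sample: placeholder boot code plus one active FAT32 entry."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xfa\x33\xc0"            # placeholder bytes, not real boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0B,
                        b"\xfe\xff\xff", 63, 1_000_000)
    mbr[TABLE_OFFSET:TABLE_OFFSET + 16] = entry
    mbr[510:512] = b"\x55\xaa"
    return mbr

if __name__ == "__main__":
    good = build_sample_mbr()
    damaged = build_sample_mbr()
    damaged[TABLE_OFFSET] = 0x01          # corrupted boot flag
    damaged[510:512] = b"\x00\x00"        # signature wiped
    for name, sector in (("good", good), ("damaged", damaged)):
        print(name, check_mbr(bytes(sector))["findings"] or "no structural problems")
```

A clean result only means the sector is well-formed; comparing the boot code against a known-good copy is a separate step.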
     