Could this be a BIOS or MBR virus??

Discussion in 'malware problems & news' started by q1aqza, Mar 22, 2005.

Thread Status:
Not open for further replies.
  1. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    I think I might have picked up some kind of BIOS or MBR virus. Neither NOD32, KAV5 nor F-Prot for DOS has found anything, but I think there is something strange going on. NOD32 and KAV were run from my XP partitions as I don't have an AV installed on my ME partition, and I ran F-Prot for DOS when booting from a boot floppy.

    I run a multi-boot setup and my primary partition C: is Windows ME, and I have 3 XP Pro partitions. The problem I'm experiencing is that it takes an age to boot into Win ME and when it finally loads launching any apps takes ages. The mouse pointer is slow to respond and jumps around the screen (not randomly, just to wherever I tried pointing to and it jumps after a delay). Also, in Windows Explorer some mysterious drive called 'local disk' appears as a drive D: - all my partitions apart from C: are NTFS so in ME I only normally ever see C:. I can't access this mystery D: drive; it prompts you to format it but you can't. I've read that some MBR viruses can copy the original MBR to unused space on a disk to fool anti-virus scanners, which is why I think F-Prot and KAV are not finding anything; I think this might be what this mysterious D: drive is. All the XP partitions boot and operate normally.

    I haven't made any changes to ME, no new apps or drivers, no new hardware; in fact I hardly ever use it except when I play a few games. I tried restoring a known very clean image and the problem was still there - the image was an Acronis TI partition image, not a disk image, so I unfortunately haven't got a backup MBR. I have tried fixing the MBR using the XP recovery console but it hasn't solved the problem.

    If it is a BIOS virus rather than MBR, how could I scan it or tell if it is infected? And how can you fix it?

    I've resigned myself to the fact that I am probably going to have to FDISK and re-install ME and 3 x XP Pro and then restore all my clean partition images - if this solves it I will take a full disk image so I will at least have a backup MBR in case this happens again in the future.

    If anyone has ever experienced this and can offer advice I would be very grateful, otherwise I will be upsetting the wife this Easter weekend when I spend a whole day rebuilding my PC :'(
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Try running the AVPDOS32 DOS scanner - see what it says.
     
  3. q1aqza

    q1aqza Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    312
    I've found where to download it from. Hopefully I'll get to try it in the next couple of days.

    I have also since borrowed a copy of Sophos from work which, so I'm told, has a very good DOS scanner. Anyway I ran it and it also didn't find anything nasty in the MBR; however, it did say 'two records scanned'. This makes me think that I do indeed have two MBRs and that whatever caused it has been cleaned up by KAV without me realising it. Either that or somehow my MBR has been corrupted and it only affects Windows ME.

    I've been planning to get a new hard drive sometime soon so I may bring that purchase forward and rebuild anyway.
     
  4. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, I don't think you have a virus; it's more probable that something has gone wrong because you're running so many operating systems. Have you considered using Windows XP multiple accounts? Instead of having 3 installations you can have 1 with the same results.

    To fix the Master Boot Record, try this:

    1. Boot with the XP installation CD.

    2. When prompted, press R to repair a Windows XP installation.

    3. Select the appropriate OS to repair.

    4. Enter the administrator password if prompted.

    5. Type the following command: "fixmbr"

    6. Type y and ENTER to fix the MBR.

    7. Type exit to leave the recovery console and reboot.


    You will be presented with several scary warnings, the reading of which will make you want to say no. Microsoft is exceptionally vague regarding the conditions under which fixmbr can cause problems although they are clear about the consequences (losing all data on the hard drive), so use this at your own risk.
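The first post wishes for a backup MBR to compare against, and the reply above rewrites the MBR with fixmbr. As an added example (not code posted by anyone in this thread), here is a small Python script that parses a saved 512-byte MBR sector, flags inconsistencies a sane table should not show (missing 0x55AA boot signature, zero or several bootable entries, unknown partition types, overlapping extents), and reports which regions differ from a known-good backup copy. The sample sector it builds is constructed for the demonstration; function and field names are my own, not a real tool's API.

```python
"""Parse and sanity-check a 512-byte MBR sector (hypothetical helper, not a
tool from the thread). Works on a raw sector read from disk or on a saved backup."""
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446        # partition table starts here, four 16-byte entries
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"

# Subset of well-known MBR partition type IDs (standard values).
PARTITION_TYPES = {
    0x00: "empty",
    0x05: "extended (CHS)",
    0x07: "NTFS/HPFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
}


def parse_mbr(sector: bytes) -> dict:
    """Split the sector into boot code, disk signature and four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        parts.append({
            "index": i,
            "status": status,
            "bootable": status == 0x80,
            "type_id": type_id,
            "type_name": PARTITION_TYPES.get(type_id, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "sector_sha256": hashlib.sha256(sector).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
    }


def check_mbr(parsed: dict) -> list:
    """Return human-readable warnings for things a sane MBR should not show."""
    warnings = []
    if not parsed["signature_ok"]:
        warnings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    used = [p for p in parsed["partitions"] if p["type_id"] != 0x00]
    bootable = [p for p in used if p["bootable"]]
    if len(bootable) != 1:
        warnings.append(f"{len(bootable)} bootable entries (expected exactly 1)")
    for p in parsed["partitions"]:
        if p["status"] not in (0x00, 0x80):
            warnings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["type_id"] != 0 and p["type_name"] == "unknown":
            warnings.append(f"entry {p['index']}: unrecognised partition type 0x{p['type_id']:02x}")
        if p["type_id"] != 0 and p["sectors"] == 0:
            warnings.append(f"entry {p['index']}: zero-length partition")
    # Overlapping extents point to a corrupted or tampered table.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"]) for p in used)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            warnings.append(f"entries {i1} and {i2} overlap")
    return warnings


def diff_from_backup(current: bytes, backup: bytes) -> list:
    """Name the MBR regions in which the live sector differs from a known-good copy."""
    regions = {"boot code": (0, 440), "disk signature": (440, 444),
               "partition table": (446, 510), "boot signature": (510, 512)}
    return [name for name, (a, b) in regions.items() if current[a:b] != backup[a:b]]


def build_sample_mbr() -> bytes:
    """Constructed sample sector for the demo, not captured from any real disk."""
    boot_code = b"\xeb\xfe" + b"\x00" * 438          # 440 bytes: 'jmp $' then padding
    disk_sig = struct.pack("<I", 0x1234ABCD)          # made-up disk signature
    reserved = b"\x00\x00"

    def entry(status, type_id, lba_start, sectors):
        return struct.pack("<B3xB3xII", status, type_id, lba_start, sectors)

    table = (
        entry(0x80, 0x0C, 63, 4_000_000)             # entry 0: FAT32 C:, bootable
        + entry(0x00, 0x07, 4_000_063, 8_000_000)    # entry 1: NTFS
        + entry(0x00, 0x07, 12_000_063, 8_000_000)   # entry 2: NTFS
        + entry(0x00, 0x07, 12_500_000, 1_000_000)   # entry 3: NTFS, overlaps entry 2
    )
    return boot_code + disk_sig + reserved + table + BOOT_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    for p in info["partitions"]:
        print(p)
    print("warnings:", check_mbr(info))
```

To use it on a real machine, read the first sector into a file with administrative rights (on Linux `dd if=/dev/sda of=mbr.bin bs=512 count=1`; on Windows the raw device is `\\.\PhysicalDrive0`), keep that file with your disk image as the backup, and after any suspected change run `parse_mbr` on a fresh read and `diff_from_backup` against the saved copy; a boot-code difference when you installed nothing is the thing to investigate, while a partition-table change is what fixmbr does not touch.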
     