Help with virus, still present after format

Discussion in 'malware problems & news' started by Fraha, Jun 28, 2004.

Thread Status:
Not open for further replies.
  1. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hi,

    First I want to know for sure what the name of this virus is.

    It is the one that reboots the PC time after time and is counting down. I think it's Sasser or sars or something similar, is it?

    Problem is, no software can remove it. Not the util from Microsoft, and not the one from Norman.
    The STINGER from McAfee does not even see it!

    Now I formatted the c: drive and reinstalled XP pro completely and still this thing is here! So it's a boot sector virus.
    Problem is, I can't seem to remember how to remove a bootsector virus! It was something like /MBR involved. Can anybody help me with this one?
    It's not on my computer but I'm certainly going back tomorrow to nuke this thing!

    Please help!

    Frans
     
  2. dread

    dread Registered Member

    Joined:
    May 18, 2004
    Posts:
    195
    The 2 famous ones that do that are Blaster and Sasser. The only viruses that can hang around after a format are memory or boot viruses. To rewrite the MBR the command is fdisk /mbr. Those 2 are worms, not memory resident or boot viruses. How are you formatting? If you are using a floppy disk make sure it is clean and make sure you write protect it; if not it does no good. It will just infect the computer, and if the computer isn't clean it can infect the floppy too and you will get in a circle of non-stop infection and wondering what's going on. I would go to a clean non-infected computer, one that you know is protected, clean and updated, and make one of those disks like McAfee, Trend and Norton have, and boot up to it and let it scan. If you can't make one of those, if you have another computer or friend that doesn't mind, pop the hard drive out and stick it in the other computer; just let the owner of the other computer know you're infected and make sure he/she is protected, and scan it. Or look at this, it's beta but it's good: http://www.networkassociates.com/us/downloads/beta/cleanboot/ - it will allow you to make one of those boot disks to scan the computer from floppy or CD-ROM. What AV are you using? Have you tried the online scans? By the way, those tools that McAfee and Norton have are only for certain ones, not all of them. If you haven't run any online scans, here are some to run:
    http://housecall.antivirus.com/housecall/start_corp.asp
    http://www.mcafee.com/myapps/mfs/default.asp
    http://security1.norton.com/ssc/vc_scan.asp?langid=us&venid=sym&plfid=23&pkj=GRCBPWFYJOKMFIDPMSV
    http://www.bitdefender.com/scan/
    http://www.pcpitstop.com/antivirus/default.asp
    http://www.pandasoftware.com/activescan/com/
    But the best bet is to make one of those disks and boot up to it and let it scan. Any time I can't find the virus and suspect I have one and can't find anything on it, I check the comp with one of those disks. And check your startup entries and do Ctrl-Alt-Del and see if you see anything strange or unknown running. Just remember, if you make one of those floppy disks, the floppy and computer have to be clean and the floppy needs to be write-protected. If you don't tell Windows XP to format during an installation, and it detects Windows is installed, it will want to repair; a repair install is not formatting, you have to tell it during the Windows XP installation to format it.
     
  3. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Hi and thanks for this lengthy explanation! Great work

    I did ask to format it (NOT the fast way) and after all was done, the countdown started again.

    I'm using Norman AV on my own, clean, machine :rolleyes:

    Tomorrow I'll go back and try the clean boot floppy from Norman if I can find it, or from some other top ranked AV such as McAfee or F-prot.
    Personally I don't trust Norton a bit, but that is personal and goes back a long way.

    But I still don't understand the bootsector part. This will live after a format?
    Bummer!

    More info tomorrow!

    Frans
     
  4. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Get the Bitdefender bootable CD-ROM (LinuxDefender Live! CD). It's Linux (don't be afraid), but it will find Windows viruses and worms, even on the NTFS file system. Big advantage: it's not vulnerable to Windows infection.
     
  5. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Thanks,

    The time works against me. I hope I can get this info on a CD.
    Never done that before. Is the bootsector included in the ISO or do I have to make a setting for that in f.i. NERO?

    Connection is slow, takes me 45 minutes to dl!

    Let's see what happens!

    Frans
     
  6. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    I don't think it's "sars". :D

    You have to tell NERO (or whatever) to burn the cd *as* an ISO.

    What is the exact error message you're getting?

    Are you reinstalling XP from an image or from the original XP cd?
     
  7. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    OK, learned another thing today. The image is written and it works.

    But my knowledge of Linux is zero so I cannot get the scanner to work! I simply cannot find out how to scan my HDs and my bootsector and all that.

    All it 'sees' is the CD and some Linux folders. What is the trick here? Did I make a wrong selection somewhere?

    LINUX looks and feels good! Perhaps I should make a dual boot system of this PC! Thinking about it!

    Thanks

    Frans
     
  8. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    If all went well after booting, you should see the graphical KDE environment. Hard to tell you what to do right now, but you should be able to browse your filesystems. One of them will be a mounted ntfs partition, containing your windows partition.
    Browsing probably is possible from either the Linux KDE desktop icon, or from the 'K'-button in the bottom left where Windows has the 'start' button. There you'll find a file manager tool in the main menu or in the system section.

    When browsing the windows partition, right-click the windows drive and choose scan with bitdefender. I'll try this later tonight on my own system if this fails on yours (sorry, all from memory this ;))
     
  9. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    Strangely enough this CD did not work on my other AMD machine!
    The monitor went asleep and no more activity from then on.

    Strange.... This one is also AMD but a bit older...

    I'll try this on the viral machine in a few hours!

    I'll be back.

    ;-)

    Frans
     
  10. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    OK, now I'm totally STUCK here! o_O o_O o_O

    I booted the viral pc up with an original XP-pro CD and let it format as ntfs the whole disk of 40 Gb

    After that was done all seemed well, but before I could start installing anything, the countdown was back again!
    How the ho_O is this possible? The popup screen tells me lsass and goes counting down for 1 minute. This can be stopped with the famous shutdown -a command.

    No scanner finds any problems, I'm beginning to think it's a hardware problem instead of a virus/worm/whatever

    NOTE: I never got a chance to install a real AV program because the system hangs too often. I did scan this with STINGER, sasserfix2 and I even tried Blasterfix. All in safe mode of course.

    No detection at all. Problem still present. What on earth can be the problem here??

    Any insights? I hope so because I'm out of options...

    :blink:

    Regards

    Frans
     
    Last edited: Jun 29, 2004
  11. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Did you install while there's a network connection? If so, reinstall without the network cable. Then first activate the XP firewall and only then plug in your network. It looks like there's a Sasser infected system nearby.
     
  12. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    BZZZZZ!!!

    Wrong answer!! ;-)

    The Network cable was never disconnected but there was no network defined. The cable was/is connected to the (Wanadoo) cable modem.
    As I did a total format and re-install of XP pro there was no definition for connections to the internet
    TCP/IP was available but not active at that point. I take it that you must first login to get infected?

    Frans
     
  13. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Wrong system :p

    XP is clever in attaching to networks, I bet you don't need to be logged in to get sassered...
    But the experts may disagree ;)
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,763
    Location:
    Texas
    Disconnect while you format. Activate the firewall before going on line to get all updates that you need. Blaster or Sasser are out there.

    INFO
     
  15. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You might try downloading Eraser (http://www.tolvanen.com/eraser/) and creating (and running) a "nuke disk", this would probably be the easiest way to ensure that you have gotten rid of everything on the disk (including the MBR) without going into the more technical methods.

    Before you do this, you might download AutoPatcher (http://www.autopatcher.com) and burn it to CD. It contains all of the Windows Updates plus a bunch of other goodies, and is a very handy thing to have around in any case.

    I second what the others are saying, too, disconnect the network cable from the computer altogether until you've got it patched and firewalled.

    A couple of other things to pick up would be:

    Black Viper's "Windows XP Services Registry Files" http://www.blackviper.com/WinXP/registry.htm scroll down a couple pages to "SAFE" Windows XP Services Configuration and make sure you get the right file for your version of XP, Home or Professional, and make sure to get the Default Windows XP Services Configuration right above it, in case it causes something not to work. It's also worth going through the configuration page to see what everything is and does, but this will at least get you going until you have time to read up

    And DCOMbobulator (http://www.majorgeeks.com/download3987.html)

    The two of those can go a long way in keeping these things at bay, not to mention improving the performance of XP.
     
  16. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    There is NO connection! The modem is on and able but not logged on. Still have to disconnect? o_O I must know this because I want to understand what is going on in this case.
    And I need to know how to cure this on other systems if they get targeted.

    So please, can anyone explain?

    Frans
     
  17. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    OK Notok and thanks for all that info

    I've downloaded all you mentioned and I will look into this. Especially autopatcher. Looks like a great util for us simple folk who try to help friends who have even less knowledge than myself!

    Frans
     
  18. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You never know when Windows is going to "help you out" and reset everything for you, as meneer mentioned, but no connection is possible if the cable is not physically plugged into the modem. Seriously, it only takes a second to unplug. I would rather spend the extra second to unplug it than chance having to spend several more hours reformatting and reinstalling all over again.

    Black Viper also has an article about this particular kind of bug and dealing with them:
    http://www.blackviper.com/AskBV/tech10.htm
    Notice at the bottom of the article he also suggests disconnecting completely from the network while reinstalling.

    Shutting off unnecessary services and running DCOMbobulator can go a long way towards preventing infections in the first place.

    As an added bonus, Autopatcher will also save you a lot of time installing not only patches, but all the other little things you have to install when reformatting. Run it, put a check next to the stuff you want installed, start the installation and go get something to eat. When you come back it should be ready for you to install your personal collection of software. If the computer is slow, go watch a movie too.

    I've already mentioned these programs quite a bit in other threads, but Pivx' Qwik-Fix (http://www.majorgeeks.com/download4033.html) and Prevx (https://www.prevx.com/homeoffice/prevxhome/prevxhome.htm) may be worth considering, too. They are both free and can both prevent some of the actions taken by these kinds of bugs. They do two different things, so I run both of them on my system, but I haven't had any problems with them. The only downside is that together they take over 20MB of RAM.
     
    Last edited: Jun 29, 2004
  19. Tatersalad

    Tatersalad Registered Member

    Joined:
    Mar 24, 2004
    Posts:
    76
    Most hard drive manufacturers have a free utility for writing zeros to the hard drive. Delete the primary DOS partition and change the installation path from C to D. Many nasties can run on a machine without a C:\windows folder.
     
  20. Fraha

    Fraha Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    189
    Location:
    The Hague - Netherlands
    OK, the problem is solved.

    The problem was the connected network cable to a cable modem.

    After disconnecting and re-installing we put on the XP firewall and started to install the modem software. Downloaded and installed Norman AV and Firewall and went on with Windows Update.

    All looks good now. I still need to instruct this user on how to keep his pc clean.

    The thing to remember here is that the popup counting down on itself is NOT a virus! That's where I went the wrong way!
    It's only an attack which will be killed right after the firewall is in place!

    Thanks for all the help!

    Frans
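The thread's conclusion is that the lsass countdown came from exploitation attempts arriving over the still-connected cable modem, not from anything surviving the format. The script below is an added example (not code from any poster, Norman, Microsoft or Black Viper) that shows how a defender would confirm that from firewall logs: it counts dropped inbound TCP hits on the two ports the worms named in this thread went after, TCP 135 (RPC/DCOM, Blaster) and TCP 445 (LSASS over SMB, Sasser), per source address. The log lines are constructed for the example and only loosely follow the layout of the Windows XP firewall's pfirewall.log (date, time, action, protocol, source, destination, source port, destination port); the field positions are an assumption, so adjust parse_line for a real log.

```python
"""Flag inbound probes to TCP 135 (RPC/DCOM) and TCP 445 (LSASS/SMB) in
firewall log lines, so a repeating lsass countdown can be tied to network
exploitation attempts rather than to a local infection.
Added example for this thread; not code from any poster or vendor."""
from collections import defaultdict
from dataclasses import dataclass

# Ports targeted by Blaster (RPC DCOM, TCP 135) and Sasser (LSASS, TCP 445).
WORM_PORTS = {135: "RPC/DCOM (Blaster)", 445: "LSASS/SMB (Sasser)"}

# Constructed sample lines. Layout is an assumption modelled loosely on
# pfirewall.log: date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2004-06-29 10:15:01 DROP TCP 10.0.0.5 192.168.1.2 3412 445
2004-06-29 10:15:02 DROP TCP 10.0.0.5 192.168.1.2 3413 445
2004-06-29 10:15:02 DROP TCP 10.0.0.5 192.168.1.2 3414 445
2004-06-29 10:15:03 DROP TCP 10.0.0.9 192.168.1.2 1048 135
2004-06-29 10:15:05 OPEN TCP 192.168.1.2 10.0.0.1 1032 80
2004-06-29 10:15:06 DROP UDP 10.0.0.7 192.168.1.2 137 137
"""


@dataclass
class Probe:
    src: str       # address the probes came from
    port: int      # destination port hit
    count: int     # number of dropped attempts
    service: str   # what listens there and which worm targeted it


def parse_line(line):
    """Return (action, protocol, src_ip, dst_port) or None for comments,
    blank lines and malformed records."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 8:
        return None
    try:
        return parts[2], parts[3], parts[4], int(parts[7])
    except ValueError:
        return None


def find_worm_probes(log_text, threshold=1):
    """Count dropped inbound TCP hits per (source, port) on the worm ports
    and return those at or above threshold, highest count first."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        action, proto, src, dport = rec
        if action == "DROP" and proto == "TCP" and dport in WORM_PORTS:
            counts[(src, dport)] += 1
    probes = [Probe(src, port, n, WORM_PORTS[port])
              for (src, port), n in counts.items() if n >= threshold]
    probes.sort(key=lambda p: (-p.count, p.src))
    return probes


def exposure_verdict(probes):
    """One-line reading of the result, matching the thread's conclusion:
    probes on these ports mean firewall and patch before going online."""
    if not probes:
        return "no worm-port probes seen; look elsewhere"
    return "host is being probed on worm ports; firewall and patch before connecting"


if __name__ == "__main__":
    found = find_worm_probes(SAMPLE_LOG)
    for p in found:
        print(f"{p.src} -> tcp/{p.port} x{p.count}  [{p.service}]")
    print(exposure_verdict(found))
```

Run against the sample, it reports 10.0.0.5 hammering TCP 445 three times and 10.0.0.9 touching TCP 135 once, while the outbound web connection and the UDP NetBIOS noise are ignored. A single hit on an unpatched, unfirewalled XP box was enough to crash lsass and start the 60-second countdown the thread describes, which is why the ordering everyone converged on (cable out, install, firewall on, cable in, updates) matters more than any scanner.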
     