Need Help with Unknown Boot Virus

I am trying to clean up a friends Laptop (Toshiba Satellite 2180CDT).
It is running Win98-Se.

Upon starting to desktop strange things started to happen, such as multiple apps were auto-starting. I cleaned out files from TEMP folder and CRT-ALT-DEL and terminated everything except for Explorer and Taskbar. This seemed to stabalise the system.

Installed Kasperskey 5.0 and immediately detected multiple infections of W32.FunLove.4070 virus. I ran a full system scan and Disinfected everything found. I had not updated virus signatures from net at this time.

Upon further inspection of Registry values: HKLM>Software>Microsoft>Windows>CurrentVersion>Run
HKCU>Software>Microsoft>Windows>CurrentVersion>Run

I found and Deleted references to OPSERVA Virus.

Just when I thought everything was stable, random Applications began auto-starting everywhere.

Upon restarting and entering the BIOS, strange stuff started to happen. BIOS options started to change by themselves, and I could not control the cursor.

Upon rebooting to DOS using a Start-up disk, I was unable to type anything legible. Some keys worked, others just spewed out gibberish. Then suddenly the PC just took over and started writing rubbish on the screen, line after line. Only option was to switch off. Damn, its Possessed!!!

Given the symptons, could anyone possibly put a name to this Beastie.

Does the Toshiba run a Hidden Diagnostics partions on the HDD?
Could the virus code be lurking in there?
Or is it already too late and has it infected the BIOS?

Any help appreciated. Thanks

ICOOCH.

 

Hi icooch.

Welcome to Wilders.

I'm not a virus expert, but that is some very unusual activity on your comp...

U might want to follow the instructions here,

https://www.wilderssecurity.com/showthread.php?t=50662

and see if it helps.

Post back and let us know how it went.



snowbound

 

Thanks for the reply Snowbound!

Unfortunately it's too late try anything in Windows.

I managed to boot from a Win98-se CD-Rom and began re-installing windows.
I got to the user input stage, (ie: CD-Key and User name etc.) and then the (virus?) started to autofill the input data with gibberish characters.
That's as far as I got.

I tried booting from a Dos startup disk to type Fdisk /mbr, to restore the master boot record, but was unable to even type this simple command.
It appers that the keyboard mapping is all screwed up. Certain key presses return a whole string of random characters.

I have a bad feeling that the BIOS is infected, hence the messed up keyboard mapping.

I was just hoping that somebody may have come across something similar and have a name for this (Virus?). At least then I would know what I am up against, and if it can be removed.

If it is a BIOS infection, then what are my options, if any?
If it is a Boot sector infection on the Hard Drive, then what are my options?

Thanks again.

 

Could a bad CMOS battery cause erratic behaviour like this?
Just a thought.

Thanks,

Icooch

 

Hi, if it is bootable or windows is installed you could try to slave it off another hard drive.

Failing this there is a free program that you run from dos, it will absolutly delete the entire hard disk, if you run it and flash your bios [also replace battery] I can't see it surviving.

http://dban.sourceforge.net/


[caution is required with this program, it works well and will wipe all info]

 

I've got nothing else to lose at the moment.

My only concern is whether the Toshiba has a "hidden" diagnostics partition and if so whether it is necessary to restore this partition prior to creating a bootable partition for Windows.

The Toshiba webiste is very vague on this model. I suppose that they prefer their service centres to handle problems like this (ie. $$$).

My other problem is that when I boot to DOS from a start-up disk, I can't use the keyboard to type the commands I need. Some key presses return a random string of characters.

Can I create a BIOS flash disk that will boot directly into the BIOS flash utility?
Or do I need to write a simple batch file to run off one key-press?

I really appreciate the advice. Thankyou!

Icooch

 

Hi, my brother has a Toshiba notebook [company supplied] that has displayed some strange behaviour, it appears to have a protection program for the start list, I've only had a quick look but I couldn't figure it out, apart from that im not too familiar with Toshiba's.

If it has a diagnostic partition it shouldn't be hidden, it may be accessable from DOS, not sure of the commands, possibly call the Toshiba help desk.

As for the keyboard, try an use a USB keyboard [although it may not work either]

Also may be worth considering that it has hardware problems.

Ill try and get some more info on the bios flash, for an any key start.

 

This link has instructions for updating the bios for your Toshiba model by pressing any key. You will need to create the boot floppy from another machine though.

http://eu.computers.toshiba-europe....rom=faq_selection&CFID=BIOS&FID=TRO0000000b07

The current Bios upgrade can be found here

http://eu.computers.toshiba-europe....=all&page=1&ID=3539&OSID=-1&driverLanguage=42

 

We may need an opinion from a virus expert, but this almost sounds more like a hardware issue to me. I've had/seen the exact same symptoms from shorted out keyboards. If you have a good keyboard laying around you might try plugging it into it to see if that's doing it, but since it's a laptop things can get a little more complicated. The virii you mentioned are relativly benign, I wouldn't expect anything like what you're describing from them, although it is possible that there is something else.

http://www.viruslist.com/eng/viruslist.html?id=3952
http://www.viruslist.com/eng/index.html?tnews=1001&id=57255