Author Topic: Virus? (Read 413 times)

humble · « **on:** June 20, 2007, 10:22:50 AM »

Any help greatly appreciated....

My system is getting hosed and I'm stumped so far....

I've got all the signs of a boot sector virus but cant find anything. My XP hard drive is reporting as "BAD". I cant back anything up (I/O error/cyclic redunancy chk) but the system still works fine. My AVG wont detect anything. I ran housecall and system wouldnt let it even start. Downloaded and ran Kaparsky and it found nothing in the boot sector on any drive. Left it running overnight but found the kernal on my vista OS corrupt or missing. I had downloaded a dos based boot sector virus tool and a rootkit tool onto a flash drive...which I left plugged in. When I went to boot up my system to XP it found errors in the drive...when it recovered "orphan files" they were registry files so I clearly have something bad going on but cant even find the thing. My only other thought is a MB going bad and some type of controller error....

1) Is this a possibility

2) assuming it is a virus whats best current detection tool

3) My network storage is both local, flash and network. I have redundant backups on everything but if its a boot virus then all may be infected...best way to recover data (if possible) on a drive thats infected. I pulled my network storage drive off ASAP and hope its not affected. So far I have no actual data loss even on the original corrupted "bad" drive...which perplexes me.

Any suggestions appreciated....

Roscoroo · « **Reply #1 on:** June 20, 2007, 12:21:02 PM »

vista rc2 is supposed to get shut down sometime this month ..(i stopped using mine 2 months ago ) they may have sent out a code that my be shutting down other versons of vista too . (just a thought of another place to look)

I dont know if they have good dos pattern files for checking for vista bugs .

Spatula · « **Reply #2 on:** June 20, 2007, 07:04:17 PM »

Could it be a corrupted file system or failing hard-drive?
It could also be a corrupted master boot record? Whats that fdisk command which reinstates the MBR? Do we still even have fdisk utility anymore?

Vulcan · « **Reply #3 on:** June 20, 2007, 09:14:36 PM »

Sounds like bad ram.

humble · « **Reply #4 on:** June 20, 2007, 11:08:51 PM »

small chance its a bad controller....but my AV reported an attempt to corrupt it during install (Housecall was successfully comprimised). It also detected multiple attempts to modify or change various proccesses and explorer. But so far I cant find an actual virus. Going to reload OS on an extra HD and go from there.......

Optiker · « **Reply #5 on:** June 20, 2007, 11:23:39 PM »

Humble,
on the off chance you have a corrupted Master Boot Record, try this:

Open a dos prompt
Type FDISK/?

you shoud see the possible parameters you can add to the FDISK command

If Vista supports it, the command:
FDISK MBR will rewrite your master boot record

Can't hurt and may solve your problem

Regards,
Optiker

humble · « **Reply #6 on:** June 21, 2007, 02:21:54 PM »

Certainly will give it a try....I reloaded Vista and got a error on reboot after updated AV definitions. I ran Passmark standard burn in and everything passed including my "bad" drive. If nothing else I can run Fdisk on the XP OS....

Irwink! · « **Reply #7 on:** June 21, 2007, 03:55:22 PM »

The actual command in XP to repair the master boot record is FIXMBR. That's after you've booted from the cd and selected the repair option. You need to add parameters for the boot device if it is other than the system default. It sounds though as if your problems may be bigger than that. Whatever, good luck.

humble · « **Reply #8 on:** June 21, 2007, 04:21:55 PM »

From what I can find the most likely culprite here is a faulty "bootkit". This is a virus that exists solely in ram and takes over the Vista Kernal. There are a number of them out there that have been written as "white papers" on breaking DRM or other vista functions. Basically the bootkit sits dormant until it hijacks a suitable program and then loads in the bios. From there on it has no traceable address....it manipulates the kernal and provides false check sums etc...

My brother is indirectly involved (at a low level) with homeland security related (DoD) internet stuff and says that attacks of this type are becoming more prevelent. Basically it's the equivelent of siezing root/admin....once your in you have total system control.

"Bootkit"

He sent me a bunch of stuff, I've attached a link to one article.

Denholm · « **Reply #9 on:** June 21, 2007, 07:18:34 PM »

If the FDISK doesn't work, and you can get access to the Internet. Try out: http://safety.live.com

Not guaranteeing it will work, yet you can give it a try. It fixed a "Time Machine" virus I once had that got into my System RAM and almost killed my comp. Maybe you will get the same benefits.