
insane boot virus


sgtmayhem4

Technical User
Jan 3, 2002
19
US
ok check this...

Whenever I reboot/shut down, upon booting up I get an error message saying "the file c:\WINNT\system32\config\system is corrupt or missing, please attempt using the w2k repair thingy." Knowing that this usually formats the drive, I chose to see what was wrong. I found that if I hook up my hd to a working computer as a slave drive and put in the w2k cd, I can copy that system file and place it in the proper directory on my hd, enabling me to boot. But, when I shut down, the corrupted system file is back again, making me repeat the process. WTH???? I'm guessing this virus loads when I shut down, any thoughts? please
 
There was a thread somewhere, I think in this forum, that talked about issues with system file corruption because the OS turns off power before the disk is finished purging the writeback cache. The workarounds are to either disable writeback caching or, instead of doing a shutdown, do a restart, then kill power during POST.
 
Try Device Manager, Disk properties. There should be a tab for the writeback cache. Might slow down performance though.

The other workaround is to change CMOS Setup to prevent poweroff on shutdown. That's probably the best fix. After it says okay to kill power, wait a couple seconds.
 
If you think you've got a boot virus, you should run a DOS-based floppy virus rescue disk (with the tab set so it's read only) to scan your boot sectors. This will at least eliminate or confirm the presence of a virus - and remove it if it's there.

If it's not a virus - you could try running repair for 2k (this doesn't format the disk, it just attempts to repair the parts of the operating system you choose) - you'll probably need an ERD (Emergency Recovery Disk) to get this to run. Or if you have previously (recently) backed up the registry (while creating an ERD) you could manually replace c:\WINNT\system32\config\system with the backup using Recovery Console. The backup will be here: C:\WINNT\repair\RegBack\system. If that's not available, there is also C:\WINNT\system32\config\SYSTEM.ALT, which, after renaming C:\WINNT\system32\config\SYSTEM to say C:\WINNT\system32\config\SYSTEM.save, you could rename to C:\WINNT\system32\config\SYSTEM (note: you should save the original before replacing it anyway). You can do all this from Recovery Console.

PS. Another reason for corrupt system file messages is bad hardware.
 
A corrupt /config/system is not uncommon and does not indicate a virus offhand. It's a corrupt registry hive.
I've had mixed success with that error, sometimes what wolluf suggested works... and sometimes I had to just reinstall. If it happens more than once on the same machine, I'd definitely start looking at the hardware and drivers. ________
Remember, you're unique... just like everyone else.
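The two posts above point at the same thing: the "system" file is a registry hive, and a hive whose write was cut short (power off before the disk cache was flushed) is left internally inconsistent. As an added example that is not from this thread or from any poster, here is a read-only check of a hive file's header in the documented "regf" layout: signature at offset 0, primary and secondary sequence numbers at offsets 4 and 8 (they differ when a write never completed), and the XOR checksum of the first 508 bytes at offset 0x1FC. The sample hive it builds for itself is constructed test input.

```python
# Added example: read-only sanity check of a Windows registry hive header.
# Run it against a copy of \system32\config\system taken from a slaved drive.
import struct

HEADER_SIZE = 4096       # the base block of a "regf" hive is 4 KiB
CHECKSUM_OFFSET = 0x1FC  # checksum covers bytes 0..0x1FB


def header_checksum(header: bytes) -> int:
    """XOR of the 127 little-endian DWORDs that precede the checksum field."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", header[:CHECKSUM_OFFSET]):
        xor ^= dword
    # Windows stores 1 instead of 0 and 0xFFFFFFFE instead of 0xFFFFFFFF.
    if xor == 0:
        xor = 1
    elif xor == 0xFFFFFFFF:
        xor = 0xFFFFFFFE
    return xor


def check_hive_header(data: bytes) -> dict:
    """Describe the state of a hive's base block (first 4 KiB of the file)."""
    result = {"signature_ok": False, "sequence_ok": False, "checksum_ok": False}
    if len(data) < HEADER_SIZE:
        return result  # too short to be a hive at all
    header = data[:HEADER_SIZE]
    result["signature_ok"] = header[:4] == b"regf"
    primary, secondary = struct.unpack_from("<II", header, 4)
    result["sequence_ok"] = primary == secondary  # mismatch = interrupted write
    stored = struct.unpack_from("<I", header, CHECKSUM_OFFSET)[0]
    result["checksum_ok"] = stored == header_checksum(header)
    return result


def build_sample_hive(primary: int, secondary: int) -> bytes:
    """Constructed test input: a minimal base block with a valid checksum."""
    header = bytearray(HEADER_SIZE)
    header[:4] = b"regf"
    struct.pack_into("<II", header, 4, primary, secondary)
    struct.pack_into("<I", header, CHECKSUM_OFFSET, header_checksum(bytes(header)))
    return bytes(header)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:   # e.g. a copy of the 4 MB "system" file
        print(check_hive_header(f.read(HEADER_SIZE)))
```

A header that fails any of the three checks is a damaged hive, not evidence of a virus; a sequence mismatch in particular matches the unflushed-cache explanation given above.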
 
ok 2 questions:
1. Do I have to make an ERD on the infected computer? Well, before it got infected, or will any ERD work? If I make one on another system will I lose all my settings?

2. I believe that doing a recovery will DEFINITELY format the hard drive. Maybe in like 1 out of 20 cases it won't, but, from previous experience, it will. Unless it won't in this particular case because it's actually telling me the error and to cure it by doing recovery.

thoughts...?
 
ok let me vent to see if something recent may have done this.
Lately I've:
-upgraded the driver for my GeForce 3 Ti200 video card
-installed Americas Army game
-discovered and removed transponder spyware prog (you probably have that too)
-downloaded 11 security updates from microsoft:
Q311967
Q313450
Q313829
Q314147
q323172
Q324096
Q324380
Q326830
Q326886
Q329115
Q329834
 
more information

This is what is making me think I have a virus. When I hook up my hd as slave on another computer, the file \system32\config\system appears TWICE, one however many kb large (the correct file) and the other over 4 MB large. I figured out that all I have to do is delete this 4 MB system file, then I can boot up.
 
If you have the hd hooked up as a slave, can't you run a virus checker on it?

I still think the power is leaving the disk drive before the cache is written to platter. Make it so you have to physically turn off the PC after a shutdown. Just a couple extra seconds might help it complete the system file write.

And yes, do a backup with just ERD selected. Put it on floppy. You should then have a recent copy of system in \winnt\repair\regback.

BTW - I personally like Symantec Systemworks. It has the one-button fix that cleans up the registry nicely and keeps the system optimized. Might want to invest in that. I bought a free-after-rebate copy somewhere.
 
I am able to boot up the hd after I delete the 4 MB file named "system". I installed and ran Norton 2002, but it found nothing, leading me to believe it may not be a virus. But I'm still wondering why, when I get it booted up, I have two system files, one like 60 kb large and another that is 4 MB large, and it is reading from the 4 MB file.
 