stubborn bug 2

[Gloryhound]

I believe I have a boot sector virus...

Symptoms include
Unable to boot to any form of safemode.
Unable to install any antivirus.
Unable to browse to any antivirus sites.

The stop error reported when trying to boot to a safe mode is 0x0000007B which support knowledge base at microsoft suggests is a bootsector virus.

any suggestions would be welcome

 

[Gloryhound]

I got stinger to remove 599 files infected with w32.bagle How ever I still have the same problems.. I've tried reinstalling IE and a repair install of windows 2k pro. Still can't access safe mode or antivirus vendor sites. nor install any antivirus.

 

[smah]

Sometimes you can sneak around this by visiting a site that hosts an AV scanner. Try

http://www.pcpitstop.com/antivirus/AVLoad.asp

 

[spizotfl]

check your hosts file at C:\WINDOWS\system32\drivers\etc. unless you have added anything, the only entry should be for 127.0.0.1.
that may be why you can't get to av vendors sites.

"Maturity is a bitter disappointment for which no remedy exists, unless laughter can be said to remedy anything."
-Vonnegut

 

[pechenegs]

Download the Hoster from:

http://www.funkytoad.com/download/hoster.zip

UnZip the file and press "Restore Original Hosts" and press "OK". Exit
Program.


Download hijack this from the link below.Please do this. Click here:

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

to download HijackThis. Click scan and save a logfile, then post it here so
we can take a look at it for you. Don't click fix on anything in hijack this
as most of the files are legitimate.




Download ewido!

http://www.ewido.net/en/

* Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
* Once the setup is complete you will need run Ewido and update the definition files.
* On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select "Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"


Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.



* Click here to download ATF Cleaner by Atribune and save it to your desktop.

http://majorgeeks.com/ATF_Cleaner_d4949.html

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
o If you use Firefox:
+ Click Firefox at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
o If you use Opera:
+ Click Opera at the top and choose: Select All
+ Click the Empty Selected button.
+ NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.


* Click here for info on how to boot to safe mode if you don't already know
how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:




Run Ewido!

# IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
# Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
# Ewido will now begin the scanning process. Be patient this may take a little time.
Once the scan is complete do the following:
# If you have any infections you will prompted, then select "Apply all actions"
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
# Close Ewido and reboot your system back into Normal Mode.



reboot to normal mode and run a few online scans!


Make sure your ActiveX controls are set as follows:

Go to Internet Options - Security - Internet, press 'default level', then OK.
Now press "Custom Level."

In the ActiveX section, set the first two options (Download signed and
unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX
controls not marked as safe" to 'disable'.


Active X settings

http://www.compu-docs.com/activex.htm

Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



post another hijack this log, the ewido and active scan logs

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

 

[Gloryhound]

pechenegs thanks.. but two hinderences to that plan.

1.) the host file is ok.. I already checked it. only contains 127.0.0.1

2.) System will not boot into safemode.. not even command prompt safemode. Always get stop error 0x0000007B

I have yet to hear of a spyware or malware that affects the MBR or bootsector, lol but then again that's why I'm here asking for suggestions. Oddly I have tried a number of anti-spyware program and all come up empty. It doesn't barf at Anti-spyware, just anti-virus.

Smah.. thanks for the suggestion I will try that site next possible opportunity.

Ok another odd piece of info. I tried copying across the network files.. to repair the missing files for norton antivirus that had already been installed on the system. dropped the file in the correct location, in this case NMAIN.exe and everthing looked cool. right clicked on the file and changed it's properties to "archive" and clicked "ok" poof the file was gone.. deleted. If I can get Hyjack this installed I may post a log. That kind of activity would likely be from a Tray prog, or stealthed process. anyone seen anything remotely like this?

 

[satrow]

Sounds like you'll need to rename Hijackthis before you'll have a chance to use it; you might consider running a rootkit revealer and Stinger too, renamed, of course.

 

[pechenegs]

try and run them in normal mode then and do waht you can! Post all the logs. As Satrow said, rename hijakc this to hijackthis.moon and run a scan and post its log!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars

 

[Gloryhound]

sorry guys.. there won't be any hijack this logs.. I decided to repartition and format. Made a back up of data and scanned the bahookey out of the files. double and triple checked the backup machine fore viruses and I am proceeding with a repartition and format.

 

[diogenes10]

Two partitions, one data and one programs are helpful.
Once you get program partition set up with basic stuff, Norton Ghost is a good cloning tool to reduce reinstall time next time around. Nice tutorial here:

http://ghost.radified.com/ghost_1b.htm

If you are in the states, CompUsa will sometimes have a rebate special on it too.

 

[paintballer]

Ah, but if he cloned it with Ghost, he might copy the problem across, right?

Again this is a great reason to compile your own BartPE disk with Anti-V, Anti-Spy, and a browser like FireFox, so you can boot to a different OS, from a CD, and be able to scan your system files, without worry of getting a virus on THIS OS, since it's running from a non-writable media.

Good stuff...

http://www.nu2.nu/pebuilder/

 

[Gloryhound]

Ohhh.. I didn't know about BartPe.. that rox. Thanks Paintballer

 

[paintballer]

No worries, I try to pass that nugget around as much as possible, I enjoy using it, AND telling people about it. It's especially useful as you add plugins to it. Just read his page, and follow the links to others that have built off of his original work.
Cheers,
Paintballer

 

[allteltec]

UBCD4win.com thay have a licensed Bert Pe that is a little easyer and lest trouble to build. I have been useing Bert Pe for close for two years now a lot of work in the begaining to build but a lot easyer now.