Solved

boot sector virus

Posted on 2011-02-10
36
951 Views
Last Modified: 2013-11-22
I have a Vista 32-bit home PC. I have run GMER and it reports a boot sector virus.
If I try to boot up in safe mode the PC will reboot.
It reboots while running a complete scan with GMER and it reboots when trying to run ComboFix. I have also renamed ComboFix when I try to run it.
CA Total Defense will remove spyware, but of course it returns. But I cannot get anything to fix the boot sector issue.
It came with an eMachines restore CD and I could do a system restore.
Any way to repair the boot sector virus?
Question by:russgarrett
36 Comments
 
LVL 23

Expert Comment

by:edbedb
ID: 34866874
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 34866914
The virus in the MBR is hard to remove if you have already booted the system. However, to remove the MBR virus you would need to re-create the MBR of the system.

How to fix the MBR on Windows can be found below. Please follow the steps and let us know the result.

http://www.lancelhoff.com/how-to-fix-vista-mbr-repair-broken-vista/
http://www.planetmy.com/blog/how-to-fixmbr-using-windows-vista-bootable-disk/

How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows
http://support.microsoft.com/kb/927392

How to fix MBR in Windows XP and Vista
http://helpdeskgeek.com/how-to/fix-mbr-xp-vista/

I hope that helps.

Sudeep
0
 

Author Comment

by:russgarrett
ID: 34867030
TDSSKiller seems to have fixed the boot sector. GMER did not detect it when I ran it.
However, during the GMER scan the PC gave a blue screen and then a memory dump as before.
What next if the boot sector virus is gone?
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34867045
I would do a scan with MalwareBytes.
http://www.malwarebytes.org/

And do a complete scan with your up-to-date AVS.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34867214
With both MalwareBytes and ComboFix, you must use the "Save As" (with Internet Explorer) function and save them as a different name.

You cannot download them and then rename them.

Another very solid program to use (no installation on your HDD) is HitManPro:
http://www.surfright.nl/en/downloads/
0
 

Author Comment

by:russgarrett
ID: 34875180
The viruses and/or spyware seem to all be gone, but the machine is very slow, processor utilization is high and memory is at 75%.
I cannot see what is using up so much of the processor time in Task Manager.
I am disabling all services and rebooting to see what happens.

any other ideas?
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34875197
Use Process Explorer to see what's using all the CPU time.
http://technet.microsoft.com/en-us/sysinternals/bb896653
0
 

Author Comment

by:russgarrett
ID: 34875200
Even with all processes disabled, utilization is 75% to 100% and 35%. It bounces up and down.
0
 

Author Comment

by:russgarrett
ID: 34875682
It seems to be a process called TRUSTED INSTALLER (PID) that was using 75% at startup. After a few minutes it went away, but it did just come up again after installing 8 updates. But that was 15 minutes ago.

Now service host.exe is using 12 to 15% constantly, and directly under that is WmiPrSE.exe, PID 800.

This was from Sysinternals Process Explorer.

What next?


0
 
LVL 23

Expert Comment

by:edbedb
ID: 34875813
Have you tried running ComboFix as suggested since eradicating the Boot infection?
0
 

Author Comment

by:russgarrett
ID: 34875828
The machine reboots when I try to bring it up in safe mode. It crashes while running GMER and ComboFix.

I just ran HitmanPro and I will run ComboFix again shortly.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34875861
Okay, keep us posted.
0
 

Author Comment

by:russgarrett
ID: 34876039
When running ComboFix it stops and says PEV.cfxxe has stopped working.

0
 

Author Comment

by:russgarrett
ID: 34876146
ComboFix has been running for 30 minutes and is only at stage 4. Will wait to see what happens after a reboot. At least it is not crashing now.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34876194
Is it progressing or has it been on stage 4 for 30 minutes?
0
 

Author Comment

by:russgarrett
ID: 34876210
It is progressing. It has shot to 41!
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34876222
Hopefully it is doing its job; please post the log for review when it finishes.
0
 

Author Comment

by:russgarrett
ID: 34876525
It is stuck at deleting folders \\appdata\adobe\plugins for about 30 minutes. I will just give it more time.

It did delete 2 files prior to this.

0
 
LVL 23

Accepted Solution

by:
edbedb earned 500 total points
ID: 34876579
Okay, if you get tired of waiting you can either just try it again (I would) or maybe try Avira AntiVir Rescue System.
http://www.avira.com/en/support-download-avira-antivir-rescue-system
0
 

Author Comment

by:russgarrett
ID: 34876582
It is now making the log.
0
 

Author Comment

by:russgarrett
ID: 34876607
The file under ORPHANED FILES was a .exe file. If you Google it you will find that it is a virus, but it should have been removed by previous scans. combofix.txt
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34876652
I see that bootkit is back.

I would give the Avira AntiVir Rescue System I suggested earlier a try. Then post any logs it creates.

I have to call it a day but will check back early AM.
0
 

Author Comment

by:russgarrett
ID: 34876657
OK
0
 

Author Comment

by:russgarrett
ID: 34876920
So far, after hitting Alt+F7 to get to the GUI, all I get is a black and white checkered screen with a mouse pointer in the middle that I can move around.
It does flash green across the top of the screen about once a minute.
I did choose the default option at boot up.
I will just let it run.
If the boot sector is infected again, do you think TDSSKiller may work?
This is becoming futile.
0
 

Author Comment

by:russgarrett
ID: 34876955
Burned another CD and it is working. Hope the download I did has current updates on it.
Checked the boot sector and it had 5 warnings, and I saved the short log.
Running a full scan and will check later.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34878005
"if the boot sector is infected again do you think TDSSKiller may work?"

I am hoping this will take care of that and at the same time also remove whatever is causing it to keep coming back.
0
 

Author Comment

by:russgarrett
ID: 34878911
Ran the boot sector scan with action set to RENAME. It found 5 warnings.

Ran a full scan with action set to RENAME and it found 12 of what seem to be Java viruses and 2 warnings. One of the warnings had to do with .NET 4.0. Same result when I ran the scan a second time.

Ran a full scan set to CLEAN or REMOVE, I don't remember what it calls this action, and 13 viruses were cleaned. The .NET 4.0 warning says BAD COMPRESSED DATA on NETFX_CORE.MRR. The last 2 characters of the extension may not be RR; I cannot make out the characters.

I am running clean for the second time and so far no errors halfway through.

Should I run a boot sector CLEAN or REPAIR next or not?

I will then send you the logs if you like, if I can before I have to leave. Scan is halfway done.
0
 

Author Comment

by:russgarrett
ID: 34879045
Here are the logs. Wonder if I should run the .NET fix utility and reinstall Java.

Utilization is still high when booting in safe mode. rescue-system-scan.log rescue-system-scanBOOT-CLEAN.log rescue-system-scanCLEAN-2.log rescue-system-scanfull.log
0
 

Author Comment

by:russgarrett
ID: 34879047
I hope the file description is correct or obvious to you. Forgot to look.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34879058
I am reviewing the logs now.

I would run a scan with TDSSKiller to see if it comes up clean.
0
 

Author Comment

by:russgarrett
ID: 34879072
It is automatically installing updates. Then I will run TDSSKiller.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34879081
Okay, if TDSSkiller comes out clean and the system is running as it should, you should be all set.
0
 

Author Comment

by:russgarrett
ID: 34879168
It came out clean, so a little time will tell if it comes back, maybe by tomorrow. It is still slow.

If Malwarebytes or ComboFix does not solve the problem I usually copy the data to an external drive and scan the data with another antivirus. Then I reformat the PC and load the programs and then the data. The PC is for sure fixed and runs faster. Usually takes about 2 hours.

Would you recommend, if MalwareBytes, TDSSKiller or ComboFix does not fix the problem, to use the Avira rescue CD, and if that does not work, reformat? But the Avira scan took an hour to run anyway.

Is Avira usually the best overall antivirus? I have used it before and it worked. I know there is no perfect antivirus.
0
 
LVL 23

Expert Comment

by:edbedb
ID: 34879261
To be honest, I have never used Avira but I will try that rescue CD in the future. I recommended it to you because it looked like it was just what you needed.

Re-formatting and re-installing the OS is at the very bottom of my list. It's been well over 10 years (Win 98) since I have done it. My system takes exactly 1 minute from the time I power it on to being fully started.

If you do it all the time and you don't think you spend the next few weeks stopping what you are doing to install software or updates that you erased by doing that, then it might be your best option.

However if you want to get your computer straightened out and maybe learn something on the way, I will be happy to help.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34882397
You never responded to my suggestions at http:#a34867214

It appears as though you may have some variant of "Total Antivirus 2009" - which a properly downloaded and updated MBAM scan will fix.

You ran ComboFix with your anti-virus "enabled", which can often lead to sporadic results.
0
 

Author Comment

by:russgarrett
ID: 34888944
The Avira rescue CD did the trick.

Next time, if MalwareBytes does not work, I feel like just running a rescue CD.

Thanks
0
