russgarrett asked:
boot sector virus

I have a Vista 32-bit home PC. I have run GMER and it reports a boot sector virus.
If I try to boot up in safe mode, the PC will reboot.
It reboots while running a complete scan with GMER and it reboots when trying to run ComboFix. I have also renamed ComboFix when I try to run it.
CA Total Defense will remove spyware, but of course it returns. But I cannot get anything to fix the boot sector issue.
It came with an eMachines restore CD and I could do a system restore.
Any way to repair the boot sector virus?
Sudeep Sharma:
The virus in the MBR is hard to remove if you have already booted the system. However, to remove the MBR virus you would need to re-create the MBR of the system.

How to fix the MBR on Windows can be found below. Please follow the steps and let us know the result.

How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows

How to fix MBR in Windows XP and Vista

I hope that helps.
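The MBR that the answer above says to re-create is a fixed 512-byte structure: 440 bytes of boot code, a 6-byte disk signature area, a 64-byte table of four partition entries, and the 0x55AA signature. The following is an added example, not part of this thread or of any tool named in it: a small parser that checks the signature and compares a SHA-256 of the boot code against a known-good baseline, which is one way to tell whether a bootkit has overwritten the MBR again after a repair. The 512-byte sample MBRs are constructed inline.

```python
"""Parse a 512-byte MBR and compare its boot code against a known-good baseline."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the bootstrap code a bootkit overwrites
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
SIGNATURE_OFF = 510      # last two bytes must be 0x55 0xAA


def parse_mbr(mbr: bytes) -> dict:
    """Return signature status, boot-code hash and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sector_count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[SIGNATURE_OFF:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(mbr: bytes, baseline_sha256: str) -> list[str]:
    """List findings; an empty list means the MBR matches the known-good baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one active NTFS partition at LBA 2048, 0x55AA."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x12\x34\x56\x78\x00\x00"                 # constructed disk signature + reserved
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")        # baseline taken right after repair
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print("clean:", check_against_baseline(clean, baseline))
    print("changed:", check_against_baseline(build_sample_mbr(b"\xeb\x58\x90"), baseline))
```

On a live system the 512 bytes would be read from the start of the physical disk with administrator rights and the baseline recorded once the MBR is known to be good.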

russgarrett:
TDSSKiller seems to have fixed the boot sector. GMER did not detect it when I ran it.
However, during the GMER scan the PC gave a blue screen and then a memory dump, as before.
What next if the boot sector virus is gone?
I would do a scan with MalwareBytes.

And do a complete scan with your up-to-date AVS.
With both MalwareBytes and ComboFix, you must use the "Save As" (with Internet Explorer) function and save them as a different name.

You cannot download them and then rename them.

Another very solid program to use (no installation on your HDD) is HitManPro:
The viruses and/or spyware seem to all be gone, but the machine is very slow, processor utilization is high and memory is at 75%.
I cannot see what is using up so much of the processor time in Task Manager.
I am disabling all services and rebooting to see what happens.

Any other ideas?
Use Process Explorer to see what's using all the CPU time.
Even with all processes disabled, utilization is 75% to 100% and 35%. It bounces up and down.
It seems to be a process called Trusted Installer; its PID was using 75% at startup. After a few minutes it went away, but it did just come up after installing 8 updates. But that was 15 minutes ago.

Now service host.exe is using 12 to 15% constantly, and directly under that is WmiPrvSE.exe; the PID is 800.

This was from Sysinternals Process Explorer.

What next?

Have you tried running ComboFix as suggested since eradicating the boot infection?
The machine reboots when I try to bring it up in safe mode. It crashes while running GMER and ComboFix.

I just ran HitmanPro and I will run ComboFix again shortly.
Okay, keep us posted.
When running ComboFix it stops and says PEV.cfxxe has stopped working.

ComboFix has been running for 30 minutes and is only at stage 4. Will wait to see what happens after a reboot. At least it is not crashing now.
Is it progressing or has it been on stage 4 for 30 minutes?
It is progressing. It has shot to 41!
Hopefully it is doing its job; please post the log for review when it finishes.
It is stuck at deleting folders \\appdata\adobe\plugins for about 30 minutes. I will just give it more time.

It did delete 2 files prior to this.

It is now making the log.
The file under ORPHANED FILES was a .exe file. If you Google it you will find that it is a virus, but it should have been removed by previous scans. combofix.txt
I see that bootkit is back.

I would give the Avira AntiVir Rescue System I suggested earlier a try. Then post any logs it creates.

I have to call it a day but will check back early AM.
So far, after hitting Alt+F7 to get to the GUI, all I get is a black and white checkered screen with a mouse pointer in the middle that I can move around.
It does flash green across the top of the screen about once a minute.
I did choose the default option at boot up.
I will just let it run.
If the boot sector is infected again, do you think TDSSKiller may work?
This is becoming futile.
Burned another CD and it is working. Hope the download I did has current updates on it.
Checked boot sector and it had 5 warnings, and I saved the short log.
Running full scan and will check later.
"if the boot sector is infected again do you think TDSSKiller may work?"

I am hoping this will take care of that and at the same time also remove whatever is causing it to keep coming back.
Ran boot sector with action set to RENAME. It found 5 warnings.

Ran full scan with action set to RENAME and it found 12 of what seem to be Java viruses and 2 warnings. One of the warnings had to do with .NET 4.0. Same result when I ran the scan a second time.

Ran full scan set to CLEAN or REMOVE, I don't remember what it calls this action, and 13 viruses were cleaned. The .NET 4.0 warning says BAD COMPRESSED DATA on NETFX_CORE.MRR. The last 2 characters of the extension may not be RR; I cannot make out the characters.

I am running clean for the second time and so far no errors halfway through.

Should I run a boot sector CLEAN or REPAIR next, or not?

I will then send you the logs if you like, if I can before I have to leave. Scan is halfway done.
Here are the logs. Wonder if I should run the .NET fix utility and reinstall Java.

Utilization is still high when booting in safe mode. rescue-system-scan.log rescue-system-scanBOOT-CLEAN.log rescue-system-scanCLEAN-2.log rescue-system-scanfull.log
I hope the file description is correct or obvious to you. Forgot to look.
I am reviewing the logs now.

I would run a scan with TDSSKiller to see if it comes up clean.
It is automatically installing updates. Then I will run TDSSKiller.
Okay, if TDSSkiller comes out clean and the system is running as it should, you should be all set.
It came out clean, so a little time will tell if it comes back, maybe by tomorrow. It is still slow.

If Malwarebytes or ComboFix does not solve the problem, I usually copy the data to an external drive and scan the data with another antivirus. Then reformat the PC and load the programs and then the data. The PC is for sure fixed and runs faster. Usually takes about 2 hours.

Would you recommend, if MalwareBytes, TDSSKiller or ComboFix does not fix the problem, using the Avira rescue CD and, if that does not work, reformatting? But the Avira took an hour to run anyway.

Is Avira usually the best overall antivirus? I have used it before and it worked. I know there is no perfect antivirus.
To be honest, I have never used Avira but I will try that rescue CD in the future. I recommended it to you because it looked like it was just what you needed.

Re-formatting and re-installing the OS is at the very bottom of my list. It's been well over 10 years (Win 98) since I have done it. My system takes exactly 1 minute from the time I power it on to being fully started.

If you do it all the time and you don't think you'll spend the next few weeks stopping what you are doing to install software or updates that you erased by doing that, then it might be your best option.

However if you want to get your computer straightened out and maybe learn something on the way, I will be happy to help.
You never responded to my suggestions at http:#a34867214

It appears as though you may have some variant of "Total Antivirus 2009" - which a properly downloaded and updated MBAM scan will fix.

You ran ComboFix with your anti-virus "enabled", which can often lead to sporadic results.
Avira rescue CD did the trick.

Next time, if MalwareBytes does not work, I feel like just running a rescue CD.