Possible Boot sector Virus?

Asked by cmhtech tech

Specs:
Gateway NV53A
AMD Turion II X2 P540
500GB Sata HDD
4GB DDR3 Memory
All updates and Service Packs installed
Microsoft Security Essentials AV

Machine BSoD's shortly after logging in with stop 0x000001E. It will run in safe mode unless I try to run ComboFix. MiniDmp analysis said Ntoskrnl.exe was the issue (what help that was).

Diagnostics ran so far:
Tested Hard Drive with BIOS tester, HDAT2 and MHDD 4.5 all showed fine
Tested memory with built in BIOS tester, and Memtest. Passed. Also installed new DDR3 memory I had laying around but that didn't help.
Ran Virus Scan using Malwarebytes - Failed, had over 20 trojans on the machine
Ran Verifier.exe to make sure all drivers were good.
I attempted to disinfect machine using Malware bytes, Super anti-spyware, trojan remover and Avira but it always showed 2-3 trojans on there. Tried to run ComboFix but it always blue screened while running it.

I went ahead and reinstalled the OS from scratch without nuking the drive (left the Restore and Diagnostic Partitions and just overwrote the Primary Partition) and it ran well for about 3 days, then the same BSoD occurred and it is showing the same 2-3 Trojans that I can't get rid of. I am beginning to think it is a Boot Sector virus but I wanted some opinions before I run "kill disk" and completely re-write the HDD.

Thanks for the help in advance
ASKER CERTIFIED SOLUTION: Tony Giangreco
cmhtech tech (ASKER):

I will try the Rogue Killer and TDS Killer tonight.  I have done Malware bytes and Super Antispyware about 3 times each but with no luck.  It keeps finding them but then never actually gets rid of it.  ComboFix was always my go to tool but it blue screens every time between steps 3 and 5.  I will also run the SFC /scannow as well.  The viruses just show up as trojan/hijacker Process: svchost so I don't get much info there.
Kent Dyer:

Boot Sector Virus is also known as a RootKit.  See that you have obtained some good information to lead you forward on this issue.

Thanks,

Kent
I think Rogue Killer may have got it. After I ran it and TDS Killer I could successfully run Combo Fix without a blue screen.  I ran Combo Fix once and it also found the SVCHost.exe and deleted it.  I rebooted and ran Malware Bytes, Rogue Killer, ComboFix and Super AntiSpyware and they all came up clean.

I will do one more run when I get off work tonight to make sure.  I was just shocked this rootkit survived the partition format.  Thanks for the help on this, I will award points later tonight after my final scans.

Glad I could help. Rogue Killer is a great utility to use before anything else.
I would also check any USB drives or other media you might have been booting from. It might have transferred to it.

Glad that you have had success.  Please keep us informed.  Have you read the article below - it's a good one:

https://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html

Also in the future I highly suggest creating a disk with SARDU.  You can put anything and everything on it, so if you run into a problem again you will have a solution.  See my article:

https://www.experts-exchange.com/Storage/Misc/A_3038-Boot-Disks-UBCD-UBCD4Win-and-SARDU.html

Note that I put a bunch of commercial and extra utilities on it as well so I will have them handy.

DISCLAIMER: I am not affiliated in any way with the software mentioned in this post or in my articles.
TG-TIS - The thing is it's not my computer so I may not be able to check all the customer's USB disks.  But I will certainly try...especially if it gets infected again.

Tzucker - That was a great read on the Malware Best Practices.  I have fought tons of malware and viruses but learned a lot from fighting this Virus and reading that article so I will be way more prepared in the future.  And I think I may replace my Customized UBCD disk with SARDU shortly because it looks a lot more functional.

Thanks again for all your help guys.  Final tests will be later tonight.
Seems to be fixed.  Ran all night without a BSoD.  Thanks for all your help!