Re: Bizzarre pattern

From: Tom (nilreply_at_ntlworld.com)
Date: 08/12/04


Date: Thu, 12 Aug 2004 21:10:27 GMT

That's a very full response; thank you.
Tom

"Chek" <chek_16@hootmail.com> wrote in message
news:OWgpaAKgEHA.3428@TK2MSFTNGP10.phx.gbl...
>
> I found this regarding the boot sector virus problem. A nuke 'em tactic but
> effective, then boot from floppy or CD for your flavour of Windows.
>
> "You should take all your start-up and other disks to a different system and
> scan them for viruses. Boot sector viruses spread by infecting the boot
> sectors of any floppy disks that are inserted into the system. Once you have
> a known good start-up disk be sure to use the write protect tab on it. Then
> in your system's BIOS turn off the virus protection. Many operating systems
> will not install correctly when it is on. Then with a clean start-up disk
> from the A: prompt type FDISK /MBR. Then reboot and type FORMAT C: /S. This
> should get rid of any boot sector viruses on the hard drive. As long as you
> don't use an infected floppy disk you should be able to reload your
> operating system again. Was the system running XP before?"
> Yes.
>
> The evil .dll infections will usually show up in the R0-R3 section and the
> exe files in the 04 section of a HiJack This log.
> Please note that the above is very general and should not be taken as a
> working guide. Check the tutorial for HJT, and Google any
> files that aren't recognisable (but beware - malware will sometimes give
> itself proper windows file names, but then you notice they're in the wrong
> folder (Explorer.exe in C:\Windows\sys32 instead of C:\Windows, for
> example)).
>
> The malware and/or virus and trojan forums at:
> http://forums.spywareinfo.com
> http://www.bleepingcomputer.com/forums/index.php
> http://computercops.biz/
>
> Can give very good guidance.
>
> Hope this helps
> Chek
>
> --
> Change 'boos' to 'bos' in address to email directly
> "Tom Milner-Gulland" <thomas.milner-gulland@ntlworld.com> wrote in message
> news:ypOSc.519$TQ3.255@newsfe6-gui.ntli.net...
> > How do I check for a boot sector virus? There doesn't seem to be the option
> > available in AVG, Norton etc.
> > I'll have to have another look at the Symantec article, as I do not recall
> > reading about strange .dlls and registry changes. Are these revealed in
> > popup information?
> > Cheers,
> > Tom
> >
> >
> >
> > "Chek" <chek_16@hootmail.com> wrote in message
> > news:uiuBUX7fEHA.3192@tk2msftngp13.phx.gbl...
> > > Tom,
> > > What I meant was with the reinstated data back on the PC, and assuming all
> > > the virus scans seem clear,
> > > look for the secondary signs of infection (registry changes/strange .dll's
> > > etc) as detailed in
> > > the Symantec article, and as revealed by the other tools.
> > > After a re-format you should have cleared any previous problems.
> > > (boot sector checked too?)
> > >
> > > Chek
> > >
> > >
> > > --
> > > Change 'boos' to 'bos' in address to email directly
> > > "Tom" <tmgulland@hotmail.com> wrote in message
> > > news:prpSc.366$Hw4.245@newsfe6-gui.ntli.net...
> > > > Thanks, Chek, but surely all my HDD reformatting should have seen to these
> > > > kind of problems (I had already seen the Symantec page, BTW).
> > > > If there's a problem, it's embedded in my data.
> > > > Cheers,
> > > > Tom
> > > >
> > > >
> > > > "Chek" <chek_16@hootmail.com> wrote in message
> > > > news:uaCN$EyfEHA.3412@TK2MSFTNGP11.phx.gbl...
> > > > > Tom,
> > > > > Other than scanning, have you looked for other signs of infection as
> > > > > detailed in:
> > > > >
> > > > > http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.html
> > > > >
> > > > >
> > > > > Next - See the information on this site:
> > > > > http://www.aumha.org/a/parasite.htm
> > > > > particularly the sections on the correct methods of running:
> > > > > CWShredder,
> > > > > Spybot Search&Destroy 1.3 and
> > > > > Ad Aware 6.
> > > > > Also read the section on using and interpreting
> > > > > HiJack This.
> > > > > NOTE: DO NOT use the fix option on 'HiJack This' without advice.
> > > > > Everything including necessary system files and settings are included
> > > > > along with the bad stuff.
> > > > > Malware is very good at using 'windows-like' file names to complicate
> > > > > things further for the unwary.
> > > > >
> > > > > There is a large selection of other special tools available as well,
> > > > > (such as a trial download of Trojan Hunter3.9 from
> > > > > http://www.misec.net/trojanhunter/)
> > > > > but those first 4 programs are a good way to get started.
> > > > >
> > > > > Chek
> > > > >
> > > > > --
> > > > > Change 'boos' to 'bos' in address to email directly
> > > > > "Tom" <tmgulland@hotmail.com> wrote in message
> > > > > news:tQaSc.2856$6m.2440@newsfe1-gui.ntli.net...
> > > > > > Strange that I have posted 4 to this group in the past week or so and,
> > > > > > while posts on either side of mine have got replies, none of mine have. Do
> > > > > > mine look suspicious or something?
> > > > > > Incidentally, I took the file that was shown, by one sole scan on
> > > > > > pandasoftware, to contain the Gibe B Worm, off the CD ROM and (without
> > > > > > opening it) put it on my desktop, then ran the pandasoftware scan and, yet
> > > > > > again, mysteriously it didn't turn up anything. Was it just that I had
> > > > > > opened the file the first time, when the virus was shown to have infected 6
> > > > > > files, that had prompted the scan to find the virus? Was it a freak error
> > > > > > or a freak success? How ought I proceed?
> > > > > > Thanks,
> > > > > > Tom
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
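
Added example, not part of any post in this thread: the "proper Windows file name in the wrong folder" check mentioned above, run over the O4 (startup) lines of a HijackThis-style log. The expected folders assume a system root of C:\Windows, and the log lines are constructed sample data.

```python
import ntpath
import re

# Assumed expected folders (system root taken as C:\Windows) for a few
# commonly imitated names; extend the table for the machine being examined.
EXPECTED_DIRS = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
}

# First absolute path ending in .exe; spaces allowed, surrounding quotes skipped.
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

# Constructed sample log lines, not taken from a real machine.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [Shell] C:\Windows\sys32\Explorer.exe
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\Example AV\avtray.exe" /min
O4 - HKCU\..\Run: [Update] C:\Windows\Temp\svchost.exe
O4 - HKLM\..\Run: [Host] C:\WINDOWS\System32\svchost.exe
"""


def find_misplaced(log_text):
    """Return (line_no, path, expected_dir) for each O4 entry whose file name
    is a known system name but whose folder is not the expected one."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if not line.startswith("O4 "):
            continue  # only startup entries are examined here
        match = EXE_PATH.search(line)
        if not match:
            continue  # no absolute .exe path on this line
        path = match.group(1)
        folder, name = ntpath.split(path)
        expected = EXPECTED_DIRS.get(name.lower())
        # Windows paths are case-insensitive, so compare in lower case.
        if expected and ntpath.normpath(folder).lower() != expected:
            findings.append((line_no, path, expected))
    return findings


if __name__ == "__main__":
    for line_no, path, expected in find_misplaced(SAMPLE_LOG):
        print(f"line {line_no}: {path} (expected in {expected})")
```

A hit only means the entry deserves a closer look; a name that is not in the table, or a correctly placed file that has been replaced, will not be flagged.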


