Boot virus on XP


Vidar Holum

Hello
Trying to help a friend with a boot virus on her PC.
She works on a book project and has no backup, tough lady.

The PC starts and goes directly to the safe mode screen.
It starts a countdown (30 sec) for restart on a line at the bottom of the
screen.
None of the alternatives work, like safe mode with networking or CD etc.,
or restarting on a former version of XP.

No gray Windows dialog box like Blaster (was it?).

Then it tries to boot; the first XP startup window comes for a minute,
then a blue screen for 3 sec, not readable,
then it starts all over again.

Tried to boot from Norton 2002; scanning for files works in DOS from C:\.
I can see that the files on the PC are there. But it fixes nothing.

I have tried "start and repair" from the Win XP CD to start an older version of
XP, but that does not work.

And what help can you get from Norton, even if I have a bunch of PCs
running on Norton?

Any tip please.

Vidar Holum
(e-mail address removed)
 

Vidar Holum

From a tip on other channels I started it up on a Win ME rescue
diskette.
I did get access to C:\ and the chkdsk or change directory commands.

There is still some DOS here.

Any tip to start Win XP from here?

Or to find corrupt files or do a virus scan?


Vidar
 

sh4d03

If it is at all possible, try taking the hard drive out of her computer
and putting it into another NTFS (important) computer and see if the computer
picks it up. At least then you can do a backup of her data.
Additionally, upon adding the hard drive to another computer, Windows
will automatically check things over with it. If the computer suddenly
doesn't boot with her hard drive in, then I'd be looking at hard drive
prices.
sh4d03
 

Vidar Holum

Thank you.
I did find a nice small antivirus program that worked from DOS.

Installed it from diskette.
http://www1.vobis.de/bbs/firmen/hshl/service/

Name: aedos. It found no virus.

Found no virus, so it is probably, as you say, a corrupt boot sector.

Trying to run the recovery console from the XP CD, but I do not have the
administrator password.

What does Windows use as default? "admin" or "administrator" does not work.

Vidar
 

Wim Hamhuis

Standard procedure for getting rid of a boot virus:

Create a bootable system disk. You can find on the internet how to do this
for your operating system. Set the write-protect tab on your floppy to
write-protected after creating it.

Insert the write-protected floppy system disk to clean-boot your computer, and
make sure the 1st boot device in your BIOS is set to Floppy.

Then use the SYS command to replace your boot sector on the hard disk.

Remove the floppy and reset your computer after the SYS command has transferred
the system.

The computer should boot without the boot sector virus now, and antivirus programs
should be able to remove the remains of the virus.

Wim
 

FromTheRafters

Wim Hamhuis said:
> Standard procedure for getting rid of a boot virus:
>
> Create a bootable system disk. You can find on the internet how to do this
> for your operating system. Set the write-protect tab on your floppy to
> write-protected after creating it.
>
> Insert the write-protected floppy system disk to clean-boot your computer, and
> make sure the 1st boot device in your BIOS is set to Floppy.
>
> Then use the SYS command to replace your boot sector on the hard disk.

The "SYS" command transfers system files, not the boot sector.

IO.SYS
MSDOS.SYS
COMMAND.COM

(for non-NT versions, probably not even the same as XP uses)

...and boot sector viruses don't generally infect files anyway.

The boot sector is program code (and data) located at a physical
location on the media (sector), and not a filesystem entity.

> Remove the floppy and reset your computer after the SYS command has transferred
> the system.
>
> The computer should boot without the boot sector virus now,

This method does nothing to the boot sector, and if one *does*
do something to the boot sector (fdisk/mumble) then the virus
victim may well lose more than he gains in the attempt.

> and antivirus programs
> should be able to remove the remains of the virus.

Best is to identify the particular malware, and follow the advised
procedure for removal of that malware.

Do boot sector viruses actually work on XP?
 

Nemo S.

> Do boot sector viruses actually work on XP?

Why wouldn't they? All disks have a primary boot sector. Of course, IF
the drive geometry was one way you wouldn't have that problem, and IF
the drive geometry was NON-corruptible, held in a NON-volatile manner,
you could eliminate boot sector viruses completely. This would
decrease the size of AV .dat files and increase the security of the
drive itself. Of course, when I mentioned that 20 years ago it didn't
come to pass then either ...

~Nemo~
 

Wim Hamhuis

Nemo S. said:
> Why wouldn't they? All disks have a primary boot sector. Of course, IF
> the drive geometry was one way you wouldn't have that problem, and IF
> the drive geometry was NON-corruptible, held in a NON-volatile manner,
> you could eliminate boot sector viruses completely. This would
> decrease the size of AV .dat files and increase the security of the
> drive itself. Of course, when I mentioned that 20 years ago it didn't
> come to pass then either ...
>
> ~Nemo~

It can be done with

fdisk /MBR

but make sure you have a backup of your valuable data.

Kind regards,
Wim
 

FromTheRafters

Nemo S. said:
> Why wouldn't they? All disks have a primary boot sector. Of course, IF
> the drive geometry was one way you wouldn't have that problem, and IF
> the drive geometry was NON-corruptible, held in a NON-volatile manner,
> you could eliminate boot sector viruses completely. This would
> decrease the size of AV .dat files and increase the security of the
> drive itself. Of course, when I mentioned that 20 years ago it didn't
> come to pass then either ...

If a boot sector virus' code in memory is completely overwritten by
the operating system when it takes over, it cannot be resident and
affect other boot sectors. If it cannot replicate recursively, it is not
a working (viable) virus. I thought that I had heard somewhere that
the most a boot sector virus could do on such OSes is to corrupt the
boot sector.

I find myself misremembering things lately, so I asked.
 

FromTheRafters

Wim Hamhuis said:
> It can be done with
>
> fdisk /MBR
>
> but make sure you have a backup of your valuable data.

...and make sure the particular virus you are dealing with doesn't
encrypt the partition table or files. Backing up files encrypted by
an encrypting boot sector virus, and then ridding yourself of the
virus (and hence the ability to decrypt the files), is not a good idea.

It would be best to identify the virus and deal with it accordingly.
 

Zvi Netiv

Wim Hamhuis said:
> Standard procedure for getting rid of a boot virus:
>
> Create a bootable system disk. You can find on the internet how to do this
> for your operating system. Set the write-protect tab on your floppy to
> write-protected after creating it.
>
> Insert the write-protected floppy system disk to clean-boot your computer, and
> make sure the 1st boot device in your BIOS is set to Floppy.
>
> Then use the SYS command to replace your boot sector on the hard disk.

Bad advice!

SYS [d1:] [d2:] is an external DOS command used to transfer DOS system files
from the source drive [d1] to the destination drive [d2]. SYS also rewrites the
OS bootstrap portion of the DOS boot sector, not to be confused with the MBR loader!

The SYS command should only be used on FAT / FAT32 drives that run under DOS
or Windows 95 / 98 / ME, and *always with system files of exactly the same OS
that is installed on the drive*.

Some explanation about the role of the boot sector, before we go any further:
The active partition boot sector (which is what is affected by the SYS command)
contains data known as the BPB (boot parameters block) that tells the OS about
the type of the partition (FAT / FAT32 / NTFS) and the geometry of that
partition (cluster size, size of the FAT, location of the root, etc.), and the
OS loader. An important role of the boot loader (the small program that resides
in the BS) is to start loading the operating system. This is done by pointing
the computer to the OS loader and starting to execute it: that file is IO.SYS to
load DOS or Win 9x/ME, and NTLDR for NT / W2K and XP.

Now, here is why the above advice is bad. If XP was installed on FAT32, which
is often the case, or XP was installed after Win 9x / ME to obtain a dual boot
configuration (like the computer I am working on right now), then running SYS C:
(or SYS A: C:) will overwrite the active partition boot sector with a DOS loader
and you will lose your boot ability to XP!

> Remove the floppy and reset your computer after the SYS command has transferred
> the system.
>
> The computer should boot without the boot sector virus now, and antivirus programs
> should be able to remove the remains of the virus.

The computer will not boot at all! As to the original poster, IMEO, the
computer has no boot virus at all, just a messed-up infection by Sasser!

Regards, Zvi
 

Zvi Netiv

FromTheRafters said:
> The "SYS" command transfers system files, not the boot sector.

The SYS command does overwrite the OS loader program in the boot sector (and
leaves the BPB intact), just as FDISK /MBR overwrites the partition loader in
the MBR.

> Do boot sector viruses actually work on XP?

XP, being derived from NT, doesn't allow direct drive access, which excludes boot
infectors from installing themselves while XP is running. Yet it is possible to
affect an XP hard drive MBR, or boot sector, by leaving an infected floppy in
the drive and attempting to boot from it. This has nothing to do with XP but with
the hardware being i386 compatible (the infection occurs before the OS starts
loading).

If XP can start with the virus code in the MBR (this will be the case with most
infectors that do not modify the partition table data in the MBR, such as
AntiEXE, NYB and others), the virus will not be active from the moment XP has
loaded, i.e. it will not infect floppies inserted in the drive.

Some boot infectors, especially those that affect the hd's boot sector rather
than the MBR, and MBR infectors that modify the partition table, will prevent XP
from loading (the computer will hang during the startup process).

Boot viruses should always be removed by generic means, especially from the
newer platforms. Such means are available on page
www.invircible.com/iv_tools.php

What is explained above applies not only to XP but to NT and W2K as well.

Regards, Zvi
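The two posts above describe the on-disk structures a boot infector touches: the MBR with its partition table and partition loader, and the active partition's boot sector with its BPB and OS loader (IO.SYS for DOS/Win9x, NTLDR for NT/2K/XP). The script below is an added example, not code from any poster in this thread or from the InVircible tools linked above. It decodes both structures from raw 512-byte images, runs the sanity checks a partition table should pass (one active entry, valid boot flags, no overlapping ranges, a 0x55AA signature), and reports which loader a boot sector's code names, which is how a defender can tell an NT-style boot sector from a DOS one left behind by SYS C:. The loader lookup is a string heuristic and an assumption of this example; all sample sectors are constructed inline.

```python
"""Decode a raw MBR and a partition boot sector (VBR) from 512-byte images.

Added example for this thread, not code from any poster.  Layouts are the
standard ones: MBR bootstrap code in bytes 0-445, four 16-byte partition
entries from byte 446, 0x55AA signature at 510; VBR jump at byte 0, OEM
name at 3, BPB fields from 11.  All sample sectors are constructed inline.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
DOS_IO_NAME = b"IO" + b" " * 6 + b"SYS"   # 8.3 directory form of IO.SYS


def parse_mbr(sector):
    """Return (partition_entries, findings) for a 512-byte MBR image.

    Findings are checks a sane partition table passes; an MBR infector that
    rewrites the table (the class Zvi says stops XP loading) usually fails one.
    """
    if len(sector) != SECTOR:
        raise ValueError("MBR must be 512 bytes")
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        flag, ptype, start, size = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if flag not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid boot flag 0x{flag:02x}")
        if ptype == 0 and size:
            findings.append(f"entry {i}: empty type but non-zero size")
        if ptype:
            entries.append({"index": i, "active": flag == 0x80, "type": ptype,
                            "start": start, "end": start + size - 1})
    active = sum(e["active"] for e in entries)
    if active != 1:
        findings.append(f"{active} active partitions (expected 1)")
    for a in entries:
        if a["start"] == 0:
            findings.append(f"entry {a['index']}: starts on the MBR sector itself")
        for b in entries:
            if a["index"] < b["index"] and a["start"] <= b["end"] and b["start"] <= a["end"]:
                findings.append(f"entries {a['index']} and {b['index']} overlap")
    return entries, findings


def parse_vbr(sector):
    """Decode the BPB of a FAT/NTFS boot sector and name the loader its code refers to."""
    if len(sector) != SECTOR:
        raise ValueError("VBR must be 512 bytes")
    oem = sector[3:11].decode("ascii", "replace").rstrip()
    bps, spc, reserved, fats = struct.unpack_from("<HBHB", sector, 11)
    info = {"oem": oem, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "fats": fats,
            "signature_ok": sector[510:512] == BOOT_SIG}
    if oem.startswith("NTFS"):
        info["fs"] = "NTFS"
    elif sector[82:87] == b"FAT32":               # FAT32 file-system type string
        info["fs"] = "FAT32"
    elif sector[54:57] == b"FAT":                 # FAT12 / FAT16 type string
        info["fs"] = sector[54:62].decode("ascii", "replace").rstrip()
    else:
        info["fs"] = "unknown"
    # Heuristic (assumption): the bootstrap code names the file it loads next,
    # so the string tells an NT-style boot sector from a DOS one left by SYS C:.
    code = bytes(sector[:510])
    if b"NTLDR" in code:
        info["loader"] = "NTLDR (NT / 2000 / XP boot sector)"
    elif DOS_IO_NAME in code:
        info["loader"] = "IO.SYS (DOS / Win9x / ME boot sector)"
    else:
        info["loader"] = "unrecognised"
    return info


def make_vbr(oem, fs_tag_offset, fs_tag, loader_name):
    """Constructed boot sector: jump, OEM name, minimal BPB, loader string, signature."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"
    s[3:11] = oem.ljust(8).encode("ascii")
    struct.pack_into("<HBHB", s, 11, 512, 8, 1, 0 if oem.startswith("NTFS") else 2)
    if fs_tag:
        s[fs_tag_offset:fs_tag_offset + 8] = fs_tag.ljust(8).encode("ascii")
    s[400:400 + len(loader_name)] = loader_name    # inside the code area
    s[510:512] = BOOT_SIG
    return bytes(s)


def make_mbr(entries):
    """Constructed MBR from (boot_flag, type, lba_start, sector_count) tuples."""
    s = bytearray(SECTOR)
    s[0:2] = b"\x33\xc0"                           # xor ax,ax: placeholder code
    for i, (flag, ptype, start, size) in enumerate(entries):
        struct.pack_into("<B3xB3xII", s, 446 + 16 * i, flag, ptype, start, size)
    s[510:512] = BOOT_SIG
    return bytes(s)


XP_VBR = make_vbr("NTFS", 0, "", b"NTLDR")
DOS_VBR = make_vbr("MSWIN4.1", 82, "FAT32", DOS_IO_NAME)
CLEAN_MBR = make_mbr([(0x80, 0x07, 63, 20_000_000)])
# Two active, overlapping entries: partition-table damage of the kind that
# keeps XP from loading.
TAMPERED_MBR = make_mbr([(0x80, 0x07, 63, 20_000_000), (0x80, 0x0b, 1000, 5000)])

if __name__ == "__main__":
    for name, sec in (("XP-style VBR", XP_VBR), ("DOS-style VBR", DOS_VBR)):
        print(name, parse_vbr(sec))
    for name, sec in (("clean MBR", CLEAN_MBR), ("tampered MBR", TAMPERED_MBR)):
        print(name, parse_mbr(sec)[1] or "no findings")
```

On a real machine the input would be the first sector of the disk and the first sector of the active partition, read with any raw-sector tool; the script only inspects and never writes, so it is safe to run before deciding between FIXMBR, FIXBOOT or a specialised tool. A boot sector whose BPB still says NTFS but whose code names IO.SYS is exactly the state Zvi warns SYS C: produces, and a partition table with no active entry or overlapping ranges points at the second class of infector he describes rather than a plain loader overwrite.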
 

James Egan

> then running SYS C:
> (or SYS A: C:) will overwrite the active partition boot sector with a DOS loader
> and you will lose your boot ability to XP!

If it's already been done, is there an easy way to re-write the XP
loading code?


Jim.
 

FromTheRafters

Zvi Netiv said:
> The SYS command does overwrite the OS loader program in the boot sector (and
> leaves the BPB intact), just as FDISK /MBR overwrites the partition loader in
> the MBR.

So neither is recommended for removing boot viruses?

> XP, being derived from NT, doesn't allow direct drive access, which excludes boot
> infectors from installing themselves while XP is running. Yet it is possible to
> affect an XP hard drive MBR, or boot sector, by leaving an infected floppy in
> the drive and attempting to boot from it. This has nothing to do with XP but with
> the hardware being i386 compatible (the infection occurs before the OS starts
> loading).
>
> If XP can start with the virus code in the MBR (this will be the case with most
> infectors that do not modify the partition table data in the MBR, such as
> AntiEXE, NYB and others), the virus will not be active from the moment XP has
> loaded, i.e. it will not infect floppies inserted in the drive.
>
> Some boot infectors, especially those that affect the hd's boot sector rather
> than the MBR, and MBR infectors that modify the partition table, will prevent XP
> from loading (the computer will hang during the startup process).
>
> Boot viruses should always be removed by generic means, especially from the
> newer platforms. Such means are available on page
> www.invircible.com/iv_tools.php
>
> What is explained above applies not only to XP but to NT and W2K as well.

Thanks for answering, Zvi.
 

Zvi Netiv

FromTheRafters said:
> So neither is recommended for removing boot viruses?

I wouldn't entirely exclude FDISK and SYS, especially not FDISK, from the list
of available tools for repairing boot virus damage. After all, their respective
action on the boot sector or MBR is implemented in FIXBOOT and FIXMBR, two tools
used as part of the repair console of the newer OS.

The rule is that you should know what you are doing.

Regards, Zvi
 

Zvi Netiv

James Egan said:
> If it's already been done, is there an easy way to re-write the XP
> loading code?

It depends on the specific case. If all that was done was running SYS C:, and
nothing else was changed (C:\Ntldr, C:\Ntdetect.com, C:\Boot.ini, and the MBR
are all intact), then a simple FIXBOOT command from the XP repair console should
do the trick.

Other cases may require specialized tools, like RESQDISK.

Regards, Zvi
 

Jason Wade

[ snippedy do-dah ]

> The SYS command should only be used on FAT / FAT32 drives that run
> under DOS or Windows 95 / 98 / ME, and *always with system files of
> exactly the same OS that is installed on the drive*.

[ chomp ]

WinXP has an option to create an MS-DOS startup disk. Can the
SYS command on that disk be used safely on a WinXP NTFS
partition?
 

Zvi Netiv

Jason Wade said:
> [ snippedy do-dah ]
>
> > The SYS command should only be used on FAT / FAT32 drives that run
> > under DOS or Windows 95 / 98 / ME, and *always with system files of
> > exactly the same OS that is installed on the drive*.
>
> [ chomp ]
>
> WinXP has an option to create an MS-DOS startup disk. Can the
> SYS command on that disk be used safely on a WinXP NTFS
> partition?

If you prepared such a disk then you would know that there is no SYS.COM file on
that disk and hence no SYS command.

Besides, an NTFS partition is not accessible from a DOS boot, and the SYS command
would fail to do anything, even if you managed to have SYS.COM on the floppy.

If curious, the DOS version that XP installs on the MS-DOS boot floppy is
Millennium. You can tell by typing VER and Enter when booted off that floppy.

Regards, Zvi
 

Wim Hamhuis

kmesse said:

I said "have a backup of your valuable data" when you are NOT INFECTED. Just
to make sure that when something goes wrong, you can always retrieve your
complete hard disk backup. If done correctly you have a complete
hard disk backup from before the virus was present. MAKE SURE YOU HAVE ACCESS ON A
FLOPPY TO RETRIEVE YOUR complete hard disk BACKUP, WITH WRITE-PROTECTED
FLOPPY DISKS. Test if your created backup works.

So if your warning is correct, FDISK /MBR ONLY WORKS WITH THE "old"
JERUSALEM virus and the ping pong virus, which ONLY replace the boot sector
with themselves. I used the command in MS-DOS 6.22 and got rid of the "ping pong"
virus. The command is undocumented, so caution is indeed the right thing.

By the way, if the complicated computer virus did a lot of damage and it is in
need of being repaired fast, it's much better to turn the computer off, leave
it off and disconnect the BIOS battery. Don't make a backup when you
discover a virus. The virus will be on your backup too.
Then connect the battery again;
the standard BIOS (default) WILL BE LOADED FROM ROM. Some viruses infect or try
to "flash" the BIOS. When this happens, disconnect the BIOS backup battery.
When you do, connecting the battery again will cause a standard program in
ROM to be loaded into your BIOS by default. If there are still weird characters on
your computer screen [after this procedure], the display adapter is
malfunctioning.
Use the fdisk command without mbr (it's an option, undocumented as it is,
true, and I'm not here to destroy another one's computer)
and delete the hard disk with all partitions.
Then reformat the hard disk, and retrieve your complete hard disk backup.

Your computer then should be computer-virus free again. If your time to
retrieve a new backup is too long, it SOMETIMES could help to simply buy a
new computer to install your LEGAL software on it ;-))

It's a way to remove a virus when it has done too much damage and couldn't
be repaired anymore. Some computer viruses do a lot of damage, for
instance what was called here encryption/decryption of critical data. It
takes a lot of research to repair the damage successfully with such heavy
computer viruses.

But it's a challenge worth taking, because we computer virus cleaners make
the lives of many people a lot easier.

w.f.g
Wim Hamhuis
 
