MBR virus

Guest

Hi there:
My other computer seems to have a MBR virus. I have searched the MS KB for
help in getting rid of it, but all it says is what NOT to use to get rid of
it ( XP resource kit, chapter 27, MBR viruses).
Any help in how to get rid of it?
Thanks
John
 
Carey Frisch [MVP]

Please consult the experts in the virus removal newsgroup:
news://msnews.microsoft.com/microsoft.public.security.virus

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym&plfid=23&pkj=YVXRORVWHFHMFNZMBBX

Antivirus software: Frequently asked questions
http://www.microsoft.com/athome/security/protect/antivirus.mspx

3 Simple Steps to Help Ensure the Protection of Your PC
http://www.microsoft.com/athome/security/protect/default.mspx

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Microsoft Newsgroups

Get Windows XP Service Pack 2 with Advanced Security Technologies:
http://www.microsoft.com/athome/security/protect/windowsxp/choose.mspx

-------------------------------------------------------------------------------------------

| Hi there:
| My other computer seems to have a MBR virus. I have searched the MS KB for
| help in getting rid of it, but all it says is what NOT to use to get rid of
| it ( XP resource kit, chapter 27, MBR viruses).
| Any help in how to get rid of it?
| Thanks
| John
 
Malke

JohnnyJomp said:
Hi there:
My other computer seems to have a MBR virus. I have searched the MS KB
for help in getting rid of it, but all it says is what NOT to use to
get rid of it ( XP resource kit, chapter 27, MBR viruses).
Any help in how to get rid of it?
Thanks
John

How do you know you have an MBR virus? What are the symptoms and the
exact text of any error messages you are getting?

Malke
 
Guest

Hi Malke.
I reformatted the HD, installed XP Home, attached to the internet, and IE
opened automatically every time I booted up, going to a non-MS site.
I reformatted, reinstalled another few times, and still have issues like a
dos-like window opening up automatically, warning-like notices telling me to
go to non-MS sites to download security software, etc.
My antivirus software detects a virus that it can not rename, delete or
disinfect, even after reformatting again, etc.
John
 
Malke

JohnnyJomp said:
Hi Malke.
I reformatted the HD, installed XP Home, attached to the internet, and
IE opened automatically every time I booted up, going to a non-MS site.
I reformatted, reinstalled another few times, and still have issues
like a dos-like window opening up automatically, warning-like notices
telling me to go to non-MS sites to download security software, etc.
My antivirus software detects a virus that it can not rename, delete
or disinfect, even after reformatting again, etc.
John

OK, when you say "reformatted", you mean you actually booted with the XP
cd, deleted the partition, created a new partition, and then
clean-installed XP? Did you connect to the internet before putting a
firewall and antivirus in place?

What is the name of the virus that your antivirus detects? What av
program are you using - name, version, and if your definitions are
current.

Malke
 
Kerry Brown

JohnnyJomp said:
Hi Malke.
I reformatted the HD, installed XP Home, attached to the internet, and IE
opened automatically every time I booted up, going to a non-MS site.
I reformatted, reinstalled another few times, and still have issues like a
dos-like window opening up automatically, warning-like notices telling me to
go to non-MS sites to download security software, etc.
My antivirus software detects a virus that it can not rename, delete or
disinfect, even after reformatting again, etc.
John

Does your version of XP have SP2? If not, do not connect to the Internet until
you have SP2 or a firewall installed. You will be infected in minutes,
possibly seconds. It sounds like you don't have SP2 as the warning messages
you describe are probably sent through the Windows Messenger service. Note:
this is different from the Windows Messenger program and not related. SP2
turns off this service by default.

Download SP2 from here:

http://www.microsoft.com/downloads/...be-3b8e-4f30-8245-9e368d3cdb5a&DisplayLang=en

Burn it to CD. Reinstall Windows again making sure you are not connected to
the Internet. If you are using broadband disconnect the ethernet cable or
USB cable. Make sure you delete, then recreate the partition you want to
install Windows on. Once Windows is installed immediately install SP2 or a
firewall. Once SP2 or a firewall is installed you can finish installing
drivers, connect to the Internet, install Windows updates, etc.

Kerry
 
David H. Lipman

From: "JohnnyJomp" <[email protected]>

| Hi Malke.
| I reformatted the HD, installed XP Home, attached to the internet, and IE
| opened automatically every time I booted up, going to a non-MS site.
| I reformatted, reinstalled another few times, and still have issues like a
| dos-like window opening up automatically, warning-like notices telling me to
| go to non-MS sites to download security software, etc.
| My antivirus software detects a virus that it can not rename, delete or
| disinfect, even after reformatting again, etc.
| John

Your symptoms are not that of a Boot Sector Infector.

You did state "My antivirus software detects a virus..." but you did not tell us the AV
application nor provide us with the fully qualified path and name of the infected file or
the name of the virus that file is infected with. It is more than difficult to provide help
with so little information.

Just to be sure, you can use the IVINIT utility at Invircible which handles boot sector
infectors.
http://www.invircible.com/iv_tools.php#Ivinit

You can also use the Multi vendor AV scanner utility for other types of viruses.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *
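
On the boot-sector question raised in this thread, the following is an added example, not part of any post and not a description of how IVINIT works. It parses a 512-byte dump of sector 0, checks the 0x55AA signature and the four partition entries, and hashes the 446-byte boot code so it can be compared with a hash taken from a trusted copy; the function names are hypothetical and the sample sector is constructed.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code area of a classic MBR
ENTRY_LEN = 16               # four partition entries follow the boot code


def build_sample_mbr():
    """Constructed sample sector: zeroed boot code, one active NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 40_000_000)
    sector[BOOT_CODE_LEN:BOOT_CODE_LEN + ENTRY_LEN] = entry
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def inspect_mbr(sector):
    """Parse a 512-byte sector 0 dump and return findings for review."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    report = {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": [],
        "warnings": [],
    }
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        # status, CHS start, type, CHS end, LBA start, sector count
        status, _, ptype, _, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_LEN])
        if ptype == 0:
            continue  # unused slot
        report["partitions"].append({"slot": i, "active": status == 0x80,
                                     "type": ptype, "lba_start": lba, "sectors": count})
        if status not in (0x00, 0x80):
            report["warnings"].append(f"slot {i}: invalid status 0x{status:02x}")
    if sum(p["active"] for p in report["partitions"]) > 1:
        report["warnings"].append("more than one active partition")
    if not report["signature_ok"]:
        report["warnings"].append("missing 0x55AA boot signature")
    return report


def boot_code_matches(sector, known_good_sha256):
    """Compare boot code against a hash taken from a trusted copy of the MBR."""
    return inspect_mbr(sector)["boot_code_sha256"] == known_good_sha256
```

A hash mismatch only shows that the boot code differs from the reference copy; boot managers and disk utilities also rewrite this area, so a mismatch is a reason to look closer, not a diagnosis.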
 
Guest

Hi all...
I gave up on fixing the problem. I installed a new hard drive, reformatted
it, did a clean install, and all is well.
When I have a moment (now I have a problem with my own computer!), I will
certainly try all the suggestions here.
Thanks again; you guys rock!
John

