Boot virus & root kit?


JM

Hello,
I contacted you last week concerning a boot virus and you directed me to
"Drive Scrubber" (nice product).
The problem is that even with a 7 hr complete wipe, I still have the virus. I
have unplugged my machine and removed the battery and all memory overnight
and cleared the CMOS.
When I reinstall Windows XP (any version) on this HDD the same thing happens
... For about five minutes after connecting to the net everything is
fine, then all of a sudden I cannot connect (even though my connection is
showing active). I tried to scan with various online scanners but it won't let
me download them, giving me various error messages. I have even tried
loading full virus protection from a CD (Norton Internet Security 2006) but
it stopped the LiveUpdate process. Same with Trend Micro. This virus is
STEALTH and after about 20 min the PC basically locks up and the CPU is
overworking. Also you cannot set the drive as slave and scan because the
virus will infect the master drive (already happened). I took my PC to
another repair technician and he didn't want to hook it up to his (he has
no idea either). I did some research and I believe I have a rootkit virus.
There is a program on the net called "IceSword" that detects rootkit viruses
but I do not know how to use the program and it has no instructions with it.
It's found on the Sysinternals site. If anyone has any info on this type of
virus and how to remove it please contact me in this forum. I have 2 HDDs
down and a 6 gig travel drive that I cannot use.
After a week I'm running out of ideas; nothing shows up in HijackThis.
Cannot download virus software in safe mode with networking & scanners will
not work in safe mode either.
Please help
JM
PC technician
 

Richard Urban

A root kit will NOT survive a partition delete/create/format/install
routine.

And, I have not seen a boot sector virus for over 10 years (doesn't mean
that a new one has not been released).

Sacrifice your system and start completely fresh.

--
Regards,

Richard Urban
Microsoft MVP Windows Shell/User
(For email, remove the obvious from my address)

Quote from George Ankner:
If you knew as much as you think you know,
You would realize that you don't know what you thought you knew!
 

Jonny

I see no basis in your post to describe what you have as a boot virus. What
is your basis for this assumption?
 

Kerry Brown

Overwrite track 0 on ALL drives installed in the computer. Disconnect any
external drives. Physically disconnect the computer from any networks
including the Internet. Install Windows XP with SP2. If you don't have XP
with SP2 then make a slipstreamed disk or install some firewall software
before connecting to any networks. I can't say this strongly enough - the
computer must be physically disconnected from any networks during the
install and stay disconnected until you have a firewall in place. This is
the most likely reason for your continuing reinfection. Pre SP2 computers
can be infected with a worm during the install if they are connected to a
network with an infected computer on it. You are being reinfected either
from the Internet or another infected computer on your network. Once you
have a firewall installed, install an anti-virus program. Connect to the
Internet, update the antivirus and Windows before installing any more
programs. Once you have the antivirus and Windows up to date it is OK to
reconnect external drives and scan them with at least two different
antivirus products. David Lipman's tool is a good one to use. Use all four
tools on all external drives before running any programs on them.

http://www.ik-cs.com/programs/virtools/Multi_AV.exe

The only other thing I can think of is your installation media. Is it an
original CD from Microsoft or your computer manufacturer? If it is a burned
CD (i.e. slipstreamed) and it was created on an infected computer this may
be the problem. If it is from a recovery partition this may also be
infected. Although I have never heard of this it would certainly be
possible.
 

David H. Lipman

From: "JM" <artmoore(at)nbnet.nb.ca>


If you think you have malware, there are anti virus News Groups specifically for this type
of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

However, I agree with Richard Urban and I mirror his sentiments.
 

Jim

If I understand your post correctly, you connected your computer to the
internet before loading any kind of AV software.

If that is the case, then your computer gets infected before it has any
chance at protection.

Start all over once again, and this time, do not connect the computer to the
internet until after you have an AV product installed.
Jim
 

Alias~-

Jim said:
If I understand your post correctly, you connected your computer to the
internet before loading any kind of AV software.

If that is the case, then your computer gets infected before it has any
chance at protection.

Start all over once again, and this time, do not connect the computer to the
internet until after you have an AV product installed.
Jim

And a firewall.

Alias
 

Kerry Brown

A NAT router will protect you from the Internet. I recently saw a case where
another computer behind the router was reinfecting a pc when installing XP
without SP2.
 

David H. Lipman

From: "Kerry Brown" <[email protected]*a*m>

| A NAT router will protect you from the Internet. I recently saw a case where
| another computer behind the router was reinfecting a pc when installing XP
| without SP2.
|

I can't agree with you more on that point.

When the Lovsan/Blaster and the subsequent Sasser worms came out that was bad enough.
However, there are now *MANY* BOTs that exploit RPC/RPCSS DCOM via TCP port 135 and the
LSASS module via TCP port 445, and then multiply the number of different BOTs by the sheer
number of variants of each type of BOT. Additionally, the BOTs will use additional
exploitations as new vulnerabilities come to light and get incorporated into the BOT family.
 

cquirke (MVP Windows shell/user)

On Sun, 17 Sep 2006 07:58:20 -0300, "JM"
I contacted you last week concerning a boot virus and you directed me to"
drive scrubber"(nice product) problem is that even with a 7 hr complete
wipe, I still have the virus.
OK...

I have unplugged my machine and removed the battery and all memory
overnight and cleared the CMOS
OK...

when I reinstall Windows XP (any version) on this HDD the same thing happens
... For about five minutes after connecting to the net everything is
fine, then all of a sudden I cannot connect (even though my connection is
showing active). I tried to scan with various online scanners but it won't let
me download them, giving me various error messages.

OK (rest of "I try to kill it while it's watching and it won't let
me" - i.e. online and Windows-based av - snipped)
this virus is STEALTH

i.e. written to make full use of its opportunities.
and after about 20 min the PC basically locks up and the CPU is
overworking. Also you cannot set the drive as slave and scan because the
virus will infect the master drive (already happened). I took my PC to
another repair technician and he didn't want to hook it up to his (he has
no idea either). I did some research and I believe I have a rootkit virus.
There is a program on the net called "IceSword" that detects rootkit viruses
but I do not know how to use the program and it has no instructions with it.

Firstly, one may want to backtrack to be sure there *is* a virus here,
rather than (say) a hardware issue.

If you rebuild the system, do not restore data, do not connect to any
network (beat WiFi to death as well) and do not connect any
peripherals at all, does the system stay working?

If so, then that implies the hardware is OK. Else I'd want to do an
overnight MemTest86, check mobo caps, swap out PSU, watch temperature
sensors, check HD in HD Tune, etc. I'd also want to check any
"single-source" material used in setup; you've mentioned different
XP, but where are your device drivers from? Are they "clean"?

If hardware's OK and the PC is all right, then add back potential primary
(networking) and secondary ("data" restore, other software install disks)
factors one at a time on a test-to-break basis. The breakage may not
be malware, i.e. hardware issues (voltage offsets on LAN cables, USB
current draws, nagging peripherals) may apply too.

If your stepwise testing breaks, then unplug the last connected item
or uninstall the last installed software. If the system is OK again, that
suggests hardware. If it stays latched into a "fail" state, that suggests
a residual effect that may well be malware.
after a week I'm running out of ideas; nothing shows up in HijackThis.
Cannot download virus software in safe mode with networking & scanners will
not work in safe mode either

Google "Bart PE" and when you make your Bart maintenance OS CDR,
resist the temptation to use a "rich" Explorer-based shell such as
XPE, so that you don't re-create the same exploitable surfaces as the
OS. Keep it on a very short leash, so it does nothing unless you
specifically initiate it to do something. Use a file manager that's
so safe and simple it doesn't even show icons in .EXE files...


It is (or soon will be) possible for malware to do as you imply; take
control of the system from hardware POST, maintain such control
throughout any boot process, and pass control to a rootkit that then
filters everything done through the OS.

But it's difficult to do, especially in the pre-EFI era when there's
no standard BIOS code and/or update process to facilitate a "write
once, attack everything" approach. It's also difficult for code to
retain control throughout the XP boot process and to thus be
positioned to rootkit the OS.

The latter can be bypassed by seeding the HD with the rootkit
component from the pre-OS boot phase, allowing the OS boot process to
kill the malware thread, then regain malware control via explicit or
implicit integration. The only way this would work when the OS is not
booted (e.g. Bart CDR boot, or dropping HD into another PC) is to
exploit an internal surface, and I don't think that's SOP yet.

If it were, then the approach would be to use an alternate mOS that
lacks those particular exploitable surfaces. Bart without Explorer
and all those wretched underfootware services that constantly grope
files (.PF, SR, indexing, thumbnailers, persistent handlers, even
resident av) may be safe enough, and Linux may be different enough.


------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
 

Frank

.....For about five minutes after connecting to the net.......Hmmmm.....
Get something between you and the net that has NAT and IP SEC....
<http://www.zywall.com/web/product_category.php?PC1indexflag=20040908175941>
Those personal firewalls are _usually_ not worth the packaging material.
 

mbr rootkit with direction HELP ME PLEASE

MR URBAN YOU ARE WRONG. I HAVE A ROOTKIT NOW THAT IS A VARIATION OF
MEBROOT/SINOWAL THAT IS WRECKING MY HOME NETWORK. Sorry about yelling. No
time....
It can knock me offline, has altered my registry and Windows files and I
can do nothing permanent. It has even reloaded somehow to a brand new 1 TB
drive with no ethernet connected! I CAN SEE THE X:\ FILES!!! All 32 MB of them,
including the fake files for Windows, but I can't delete. fixmbr, bootsect
commands, reformat, nothing works. It will maybe kick me off soon. Somebody who
knows how, please email me at work at alamb at stanford.edu. I need to delete a
write-protected X:. This since Dec 21 08. HELP ME PLEASE
 

Kayman

Preferred practice is to 'flatten' and rebuild a computer that has been
exposed to malware.
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

1. How to Slipstream Windows XP Service Pack 3 to Create an Integrated XP
Setup Disk with SP 3
http://www.howtohaven.com/system/slipstream-xp-service-pack-3.shtml
--or (maybe more user friendly)--
Create a Slip Stream version of Windows XP
http://www.webtree.ca/windowsxp/slipstream.htm
--and--
WinUpdatesList v1.23
http://www.nirsoft.net/utils/wul.html
--also--
Change the Boot Order in BIOS (good illustration)
http://pcsupport.about.com/od/fixtheproblem/ss/bootorderchange.htm

2. Clean Install Windows XP
http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What
you will need on-hand
--and--
http://www.michaelstevenstech.com/cleanxpinstall.html
--or even better because it's illustrated and more reader friendly--
How Do I Install WindowsXP
http://xphelpandsupport.mvps.org/how_do_i_install_windows_xp.htm

Good luck :)
 

shawn

I agree with them. Format and reinstall your operating system. Nothing will
survive after you wipe things clean.
 

Paul

shawn said:
I agree with them. Format and reinstall your operating system. Nothing will
survive after you wipe things clean.

The mechanism is explained here.

http://www.trustdefender.com/blog/2009/01/07/mbrmebrootsinowaltorpig-is-back-–-better-than-ever/

One way to erase a hard drive is here. What I find disconcerting
is the mention that the HPA (Host Protected Area) may not get erased.
That might also be a weakness of DBAN. Read the README thoroughly,
as a default password can be assigned to the drive, and that password
should be recorded and affixed to the drive with a label or something,
in case some other utility needs the value of the password later. I
understand that some BIOS may lock the drive, to protect normal system
operation from this mechanism (whatever it is). The mechanism of
erasure should be defined in some version of the ATA/ATAPI spec.
The advantage of this method, versus DBAN, is that this one could be
faster.

http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

If you wanted to change just the MBR, you could try TestDisk,
among other tools.

http://www.cgsecurity.org/wiki/TestDisk

If I want to level a drive, I'd probably just use "dd" and /dev/zero
from Linux, to erase the first part of the disk. I think that takes
out the MBR, and then the installer can write a new one. I've used
that, when I had problems getting OS installers to run.

So there are a few tools to play with. Try bolting the computer
back together, with all software needed available locally and the
Internet connection disconnected, and only connect back to the
network when the machine is fully secured.

Paul
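Paul's "dd and /dev/zero" step as an added example (my code, not from the thread or any tool it names), run against a constructed 1 MiB image file rather than a real device; the device path, the 2048-sector count and the fake MBR contents are assumptions. It adds the two checks a practitioner would want around the wipe: confirming the 0x55AA boot signature is present before and gone after, and backing up sector 0 first.

```shell
#!/bin/sh
# Added example: clear the MBR of a disk (image) the way Paul describes,
# with dd and /dev/zero, but check and back up sector 0 first.
# Runs on a constructed image file; substitute a real device (e.g. /dev/sdX,
# an assumption) only when you have verified it is the drive you mean.
set -e

# Build a constructed 1 MiB image with a fake MBR: "boot code" at offset 0
# and the 0x55AA boot signature at offset 510 (the last two bytes of sector 0).
make_test_image() {
    img="$1"
    dd if=/dev/zero of="$img" bs=1024 count=1024 2>/dev/null
    printf 'FAKEBOOTCODE' | dd of="$img" bs=1 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Print "yes" if sector 0 carries the 0x55AA boot signature, else "no".
# A freshly zeroed disk head prints "no", which is what the installer expects.
has_boot_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] && echo yes || echo no
}

# Keep a copy of sector 0 (boot code + partition table) before destroying it,
# so it can be compared against a known-good MBR or restored later.
backup_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# Paul's method: overwrite the first part of the disk with zeros. 2048
# sectors (1 MiB) covers the MBR and the unpartitioned gap before the first
# partition. Note: MBR rootkits such as Mebroot also keep code in
# unpartitioned sectors elsewhere on the disk, so this only clears the MBR;
# a full wipe (DBAN or ATA Secure Erase, as discussed above) is still needed.
zero_disk_head() {
    dd if=/dev/zero of="$1" bs=512 count=2048 conv=notrunc 2>/dev/null
}
```

Typical use on the constructed image: make_test_image, backup_mbr, zero_disk_head, then has_boot_signature to confirm the signature is gone.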
 
