Need help with "form.a" boot sector virus

Splork

Just built up a windows installation on a system and after
installing NOD32 I find it has the form.a Boot Sector virus but
NOD cannot clean it. Fdisk/MBR not effective either.

Seems like a "McAfee emergency disk" is capable of this but not
much else I can find out about. Would hate to have to do this
all over again.

Any suggestions or an image of said emergency disk??

Thanks
 
David H. Lipman

From: "Splork" <[email protected]>

| Just built up a windows installation on a system and after
| installing NOD32 I find it has the form.a Boot Sector virus but
| NOD cannot clean it. Fdisk/MBR not effective either.
|
| Seems like a "McAfee emergency disk" is capable of this but not
| much else I can find out about. Would hate to have to do this
| all over again.
|
| Any suggestions or an image of said emergency disk??
|
| Thanks

The Form virus. I haven't seen that in years. You must have had an infected floppy disk
and are using FAT32.

Use the following Multi-AV. Install it on a second, non-infected PC and update at least the
McAfee and Sophos modules.

Download either FreeDOS or a floppy DOS bootdisk and change the floppy disk to Read-Only.
FreeDOS:
http://www.freedos.org/
http://sourceforge.net/projects/freedos/

http://www.bootdisk.com/bootdisk.htm

Use a USB Flash Drive and copy the C:\AV-CLS tree of data to the Flash Drive from the
non-infected PC to the affected PC.

Run either of the following on the affected PC.

C:\AV-CLS\DOSCLEAN.BAT

C:\AV-CLS\SOFCLEAN.BAT

Then use the Start Menu of the Multi-AV and scan all your floppy disks. Make sure those
floppy disks are Read-Write so they can be cleaned.


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Splork

Hi David.

The hard drive had it and I did nothing that would have cleared
it. It subsequently got to an additional drive I installed
temporarily and another that now resides in the system is also
affected as well as a zip disk. The 2 floppies I used are
infected but reformatting them clears that.

I suppose that sys C: from a floppy would clear it as well.

I have a W98SE system that I can download the Multi_AV to in
order to get the C:\AV-CLS tree of data for the Flash Drive.

If I take your meaning, I boot from the floppy and run the .bat
file I copied to the hard drive while under the floppy's DOS
system.

Correct??
 
David H. Lipman

From: "Splork" <[email protected]>


|
| Hi David.
|
| The hard drive had it and I did nothing that would have cleared
| it. It subsequently got to an additional drive I installed
| temporarily and another that now resides in the system is also
| affected as well as a zip disk. The 2 floppies I used are
| infected but reformatting them clears that.


Did reformatting actually remove the Form virus ?
It has been so long that I forgot.


|
| I suppose that sys C: from a floppy would clear it as well.


No, that would NOT work. It is a boot sector infector and that command just transfers the OS
boot files to the floppy.


|
| I have a W98SE system that I can download the Multi_AV to in
| order to get the C:\AV-CLS tree of data for the Flash Drive.
|
| If I take your meaning, I boot from the floppy and run the .bat
| file I copied to the hard drive while under the floppy's DOS
| system.
|
| Correct??

Yes.

Once you clean the "C:" drive, run the Multi-AV menu and scan all floppies, other hard disks
and the ZIP disk.
 
Splork

From: "Splork" <[email protected]>


|
| Hi David.
|
| The hard drive had it and I did nothing that would have cleared
| it. It subsequently got to an additional drive I installed
| temporarily and another that now resides in the system is also
| affected as well as a zip disk. The 2 floppies I used are
| infected but reformatting them clears that.

Did reformatting actually remove the Form virus ?
It has been so long that I forgot.

I only tried that with the floppies. It did clear it out.

| I suppose that sys C: from a floppy would clear it as well.

No, that would NOT work. It is a boot sector infector and that command just transfers the OS
boot files to the floppy.

Note I said FROM a floppy.

This from McAfee, I know not if it is factual:
"This virus can be removed with the same technique as used with
many boot sector infectors. First, power off the system and
then boot from a known clean write-protected boot diskette. The
DOS SYS command can then be used to recreate the boot sector.
Alternately, MDisk from McAfee Associates may be used to
recreate the boot sector."


Thanks for your help David.
I am going to try what you suggest so I have a handy technique
in the event this appears somewhere once again. Will report
back.
 
Splork

On returning to the system today I found I had clobbered the
partition table in the tired wee hours during my last effort.
Fortunately I had Ghosted the installation before the troubles.

I deleted the partition and started fresh using the image and
all is well. Everything is clean including the floppies. Did
not get a chance to use Multi-AV but have saved it and your
instructions should this ever appear again.

Thanks again David
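
Added example, not part of the original thread: FDISK /MBR rewrites only the boot code in sector 0, while the boot sector that SYS recreates sits at the start of the partition, so the two are hashed separately here and compared with a known-good baseline. The sketch assumes a raw disk image with classic MBR partitioning and 512-byte sectors; all function names and the sample image are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(sector0: bytes):
    """Return (boot code, partition list) from sector 0 of a disk image."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    parts = []
    for i in range(4):                      # four 16-byte entries at offset 446
        entry = sector0[446 + 16 * i:462 + 16 * i]
        lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:                   # type 0 = unused slot
            parts.append({"active": entry[0] == 0x80, "type": entry[4],
                          "lba": lba, "sectors": count})
    return sector0[:446], parts

def boot_sector_report(image: bytes):
    """Hash the MBR boot code and each volume boot sector separately."""
    code, parts = parse_mbr(image[:SECTOR])
    report = {"mbr_code": hashlib.sha256(code).hexdigest()}
    for p in parts:
        vbr = image[p["lba"] * SECTOR:(p["lba"] + 1) * SECTOR]
        if len(vbr) != SECTOR:
            raise ValueError(f"image too short for partition at LBA {p['lba']}")
        report[f"vbr@{p['lba']}"] = hashlib.sha256(vbr).hexdigest()
    return report

def changed(baseline: dict, current: dict):
    """Names of boot areas whose hash differs from the baseline."""
    keys = baseline.keys() | current.keys()
    return sorted(k for k in keys if baseline.get(k) != current.get(k))

def make_image(mbr_code=b"\x90", vbr_fill=b"\xeb"):
    """Constructed sample disk: one active FAT32 partition at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x0B, bytes(3), 63, 1000)
    mbr = mbr_code * 446 + entry + bytes(48) + b"\x55\xaa"
    vbr = vbr_fill * 510 + b"\x55\xaa"      # only the first partition sector is stored
    return mbr + bytes(62 * SECTOR) + vbr

if __name__ == "__main__":
    base = boot_sector_report(make_image())             # known-good baseline
    altered = boot_sector_report(make_image(vbr_fill=b"\xcc"))
    print("volume boot sector altered:", changed(base, altered))
    # Rewriting only the MBR boot code leaves the altered volume boot sector as it was.
    rewritten = boot_sector_report(make_image(mbr_code=b"\x33", vbr_fill=b"\xcc"))
    print("still differs from baseline:", changed(base, rewritten))
```

Keeping the baseline report, and a copy of sector 0 itself, on write-protected media also gives a reference for the partition table if it is damaged during repair attempts.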
 
