
robman50


[Trojan] Windows can't remove this virus

A friend gave me his laptop to fix and I went to check it out, but it kept on giving me 'Device I/O' errors. So I popped the hard drive into my desktop and my antivirus program told me it had a virus in something that started off with 'boot /(device number of the usb adapter)/partition1'. Not exactly sure, but it was not the normal file-name-based virus. I tried removing the virus but it kept giving me an error and it wanted to reboot Windows.

So is there a good Linux/Unix Live CD that scans and removes those nasty viruses? I tried Ubuntu 9.10 and ClamAV (kept on giving me HTTP 404 Not Found errors), and tried the Trinity Rescue Kit CD, but it can't get the IP address working and keeps complaining that the DNS and gateway server information is missing.



LoPhatPhuud

You can try Microsoft System Sweeper:
»connect.microsoft.com/systemsweeper

Your best bet is to reformat and install clean. If he has a boot sector virus there is no telling how bad off the hdd is.
--
When angry count four; when very angry, swear.
Microsoft MVP/Consumer Security 2005-2011
Gladiator Security Forum


robman50


If it was my laptop I would have just used fixmbr, fixboot and diskpart with the 'clean' command and done a fresh partition, format and install, since the factory recovery partition might be infected also.


robman50


Could a really bad virus cause chkdsk to find tons of corrupted files?



LoPhatPhuud

While anything is possible, I have not heard of an infected chkdsk reporting corrupted files.

Is the drive itself readable?


robman50


I used the Kaspersky Rescue Disk 10 CD and most of the viruses it found were Java-based, from the temp folders. It also did find 'Rootkit Boot.SST.b' in '/dev/sda'.



LoPhatPhuud

A couple of things.

First, please do not PM LilHurricane with info. Post all comments in this thread.

Again, is the hard drive readable? Did you try System Sweeper, or just the Kaspersky disk?

On occasion the rootkit will create a separate partition. You need to check all the partitions.

Again, due to the type and extent of infections found so far, the only recommendation I will make is to do a low level reformat and re-install.

Even if you clean the detectable exploits, you have no way of knowing if the OS has been compromised and to what extent.

The main goal of malware removal is to return a safe, stable computer. When the stability is questionable the only sane recourse is to reformat and re-install.

see: »technet.microsoft.com/en-us/libr···587.aspx
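Worked example, added here and not part of the thread or of any tool mentioned in it: with the drive in a desktop or under a Linux rescue CD (where it shows up as /dev/sda, as above), read sector 0 and enumerate every partition entry in the MBR, not just the volumes Windows shows, so a partition the rootkit created, a second "bootable" flag, or a stretch of unallocated sectors between partitions does not go unchecked. The sample sector below is constructed for illustration; the "hidden" type list and the clean boot-code hash are assumptions (in practice the hash would come from a machine installed from known-good media).

```python
"""Added example (not from the original thread): inspect sector 0 of an
MBR-partitioned disk for traces a boot-sector rootkit leaves behind, and
enumerate every partition entry, including ones Windows never shows.
Run it against the raw device from a Linux rescue CD (e.g. /dev/sda, as in
the thread) or against an image file; the sample sector built below is
constructed for illustration."""
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR = 512
# Standard MBR type IDs; the "hidden" set is an illustrative selection of
# types Explorer does not assign a drive letter to (assumption, not exhaustive).
TYPE_NAMES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x05: "extended",
              0x0F: "extended (LBA)", 0x12: "OEM recovery/diagnostics",
              0x17: "hidden NTFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 (LBA)",
              0x27: "Windows RE", 0x83: "Linux"}
HIDDEN_TYPES = {0x11, 0x12, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x27}
# Stand-in for the SHA-256 of the 440-byte boot code captured from a machine
# freshly installed from known-good media (assumption for the example).
CLEAN_BOOT_SHA256 = hashlib.sha256(bytes(440)).hexdigest()


def parse_mbr(sector0: bytes) -> Dict:
    """Split sector 0 into boot-code hash, the four partition entries and signature."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    entries = []
    for i in range(4):
        flag, _chs0, ptype, _chs1, lba, count = struct.unpack_from("<B3sB3sII", sector0, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue  # unused slot
        entries.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                        "name": TYPE_NAMES.get(ptype, "unknown type 0x%02X" % ptype),
                        "start": lba, "sectors": count, "end": lba + count})
    return {"boot_code_sha256": hashlib.sha256(sector0[:440]).hexdigest(),
            "signature_ok": sector0[510:512] == b"\x55\xaa", "entries": entries}


def audit(sector0: bytes, disk_sectors: int, clean_boot_sha256: Optional[str] = None,
          align_gap: int = 2048) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    mbr = parse_mbr(sector0)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if clean_boot_sha256 and mbr["boot_code_sha256"] != clean_boot_sha256:
        findings.append("boot code differs from the known-good copy")
    bootable = [e for e in mbr["entries"] if e["bootable"]]
    if len(bootable) != 1:
        findings.append("%d partitions flagged bootable (expected 1)" % len(bootable))
    for e in mbr["entries"]:
        if e["type"] in HIDDEN_TYPES or e["type"] not in TYPE_NAMES:
            findings.append("entry %d: %s at LBA %d (%d sectors) has no drive letter; mount and scan it"
                            % (e["index"], e["name"], e["start"], e["sectors"]))
    # Sectors no partition claims: alignment padding is normal, larger gaps are not.
    cursor = 1  # sector 0 is the MBR itself
    for e in sorted(mbr["entries"], key=lambda e: e["start"]):
        if e["start"] < cursor:
            findings.append("entry %d overlaps the partition before it" % e["index"])
        elif e["start"] - cursor > align_gap:
            findings.append("%d unallocated sectors before entry %d (LBA %d-%d); scan them"
                            % (e["start"] - cursor, e["index"], cursor, e["start"] - 1))
        cursor = max(cursor, e["end"])
    if disk_sectors - cursor > align_gap:
        findings.append("%d unallocated sectors at the end of the disk (LBA %d-%d); scan them"
                        % (disk_sectors - cursor, cursor, disk_sectors - 1))
    return findings


def _entry(bootable: bool, ptype: int, start: int, count: int) -> bytes:
    """Pack one 16-byte partition table entry (CHS fields set to the usual LBA filler)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", start, count)


def build_sample_image() -> bytes:
    """Constructed sector 0: OEM recovery partition, bootable NTFS system volume,
    and a small hidden NTFS partition sitting after a gap, also flagged bootable."""
    boot_code = b"\x33\xc0\x8e\xd0" + bytes(436)    # 440 bytes, differs from CLEAN_BOOT_SHA256
    disk_id = b"\x12\x34\x56\x78\x00\x00"            # 4-byte disk signature + 2 reserved bytes
    table = (_entry(False, 0x12, 2048, 33554432)       # 16 GB recovery partition (like PQSERVICE)
             + _entry(True, 0x07, 33556480, 26000000)  # C:
             + _entry(True, 0x17, 59600000, 20000)     # suspect: hidden, bootable, after a gap
             + bytes(16))                               # empty fourth slot
    return boot_code + disk_id + table + b"\x55\xaa"


SAMPLE_DISK_SECTORS = 60000000  # constructed disk size, in 512-byte sectors


def read_sector0(path: str) -> bytes:
    """Read the MBR from a device or image, e.g. read_sector0('/dev/sda') on a rescue CD."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    for line in audit(build_sample_image(), SAMPLE_DISK_SECTORS, CLEAN_BOOT_SHA256):
        print("-", line)
```

Against the constructed sector it reports the modified boot code, two partitions marked bootable, the two partitions with no drive letter (the recovery partition and the small hidden one), and the unallocated stretches before the hidden partition and at the end of the disk. Each of those is a place to point the rescue-disk scanner at before deciding the disk is clean; on a real drive, substitute `read_sector0('/dev/sda')` and the sector count reported by the rescue CD.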


robman50


LilHurricane PMed me with some info on the Kaspersky Rescue disk.

Yes, the hard drive is readable. I haven't tried System Sweeper yet; the only scans I did were the Kaspersky scan from the CD, Malwarebytes Anti-Malware, and the ESET Online scan.
It seems that I have removed all the threats from the system but I need to reinstall anyway because the viruses kind of destroyed Windows.



LoPhatPhuud

Sadly, that happens a lot. The more invasive the exploit, the greater the chance that the OS has been corrupted.

Don't forget to check the partitions. If the OS is Win 7, there will also be a 100 MB system partition.

Do a full reformat, not the quickee.

Good luck!


robman50


Well, it is an Acer laptop that came preloaded with Vista and has been upgraded to Win 7 with the Acer upgrade disk. It has a 16 GB PQSERVICE (recovery) partition and the rest is the OS, named C: Acer.
No sign of the 100 MB System partition.
Could that PQSERVICE partition get infected also?



LoPhatPhuud

It can, but unlikely. Once you get the computer operational you can scan it.

The 100 MB partition will be created by the Windows 7 installer.