Tricky (Stubborn) Virus help.

What I would do.

1. Save the data from the hard drive.

2. Talk to the client and discuss either starting over or continuing to try to remove this virus/rootkit.

Remember he is paying for your time.

But have you tried running rkill as soon as the OS boots up?
Have you got access to the task manager?
If so can you locate the process and kill it?
Have you tried fixing the MBR?

Anyway, that's my 2 cents. I definitely think you need to be a bit clearer in your asking for help. More details would definitely help, as others have said.


Regards,
 
Hope this helps

I agree with tf76. I have, however, run into a similar situation, so I will detail my steps here and hopefully it helps someone. The problem I found was that the virus had created its own boot partition that was hidden.

I used Windows Defender Offline, which is a boot disc, and it removed the file completely. At this point the computer will not boot back to the OS, so I used Hiren's Boot CD. This utility has a Linux-based partition program that will allow you to view the partitions. You can actually use this first, before Windows Defender, because if you do it afterwards the partition becomes simply unallocated space. In this program, set the correct boot partition, which is probably the Recovery partition.

Last but not least, you need a Windows 7 Recovery Disk. Using the command prompt, type the following. The first part ensures that the correct files are on the disk. The second part copies them to the C drive.

rem Write a fresh MBR (partition table untouched), a fresh partition boot sector, then scan for Windows installs to add to the BCD
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd

then….

rem Export a backup of the BCD store, strip its attributes so it can be renamed, move it aside and rebuild it
bcdedit /export C:\BCD_Backup
c:
cd boot
attrib bcd -s -h -r
ren c:\boot\bcd bcd.old
bootrec /RebuildBcd

Hope this helps someone.
 
I used my normal arsenal of tools on what seemed to be the same infection, but in the end I used Malwarebytes Anti-Rootkit BETA with great success. I think I ended up using it after I read an article here with Malwarebytes that talked about these ransomware-type infections. Anyway, good luck and I hope it helps.
 
Really?

As for those with more questions rather than answers

It's supposed to go like this...

Hi guys, here is the problem "Bla bla bla".

Hi Bla, here are a few solutions.
Link one
and
try this one
Actually, it's supposed to go like this...

Hi guys, here is the problem "Bla bla bla". It's on this OS and here's some other potentially relevant information. I've done this, this, this, and this and gotten these results. I've scanned with this tool and this tool and this tool and none of them found anything. I've checked the autostarts with this tool, run this live CD and gotten these results. I've checked the HD with the manufacturer's tool and got this report..... AND SO ON.

What your scenario assumes is that you'll name one problem and a dozen techs will take two dozen guesses at what might potentially be a cause and solution, but because they haven't gotten any foundational information from you (for your problem), they are just vague potshots.

Why should people race to give you answers when you've not properly asked your own question for your own problem? Half of this thread is people trying to get more information from you that should have been included in the first post. And you get defensive over it because you're probably embarrassed over asking a forum of repair professionals a question in a manner befitting our grandmothers.
 
Do you know what a 0x7B is? I think you are chasing your tail on this and need to do more research on the errors you are getting.

Since when does a boot disk use a corrupt system to boot from?

You made a bad request for help and then just made it worse by trying to defend your post instead of realizing you made mistakes and then trying to fix it.

I mean, how could it be "hiding in group policy" and stop you from booting a disk? How does a boot disk get "crashed & smashed"?

Good luck getting help in the future if you are going to act like this.

Yeah, I was scratching my head too.
OP, I'm going to come out and say what everyone else is dancing around. You don't sound like you know what you're talking about. You're saying things that don't make any sense so no one is quite sure how to help you, which is why everyone is asking more questions rather than giving you answers.

If you had been more polite and responsive we might have spoon fed you a solution but I don't think you're going to find it here with that attitude.
 
Some viruses have been creating small partitions on the drive and copying files from there at boot time. Check for any unnecessary partitions.
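
Added example for the two posts above about hidden/extra boot partitions (this is not code from any poster in the thread). It audits a slaved disk on the bench machine: it tables every partition the partition table lists, marks the ones worth a second look, and then walks the disk for unallocated gaps, which is where a "hidden boot partition" ends up once its table entry is removed. Assumptions: the slaved drive is disk 1 (change -DiskNumber), you are in an elevated PowerShell on Windows 8 / Server 2012 or later (Get-Disk and Get-Partition come from the Storage module), and the 512 MB / 1 MiB thresholds are my own rough cut-offs, not values from the thread.

```powershell
# Added example, not from the thread: audit a slaved disk for small, hidden or active
# partitions and for unallocated gaps that the partition table does not list.
# Assumes the infected drive shows up as disk 1 (change -DiskNumber) and an elevated
# PowerShell on Windows 8 / Server 2012 or later (Storage module).
param([int]$DiskNumber = 1)

function Test-DriveLetter($Partition) {
    # DriveLetter is a Char; an unassigned letter comes back as NUL, which [int] maps to 0
    return [int]$Partition.DriveLetter -ne 0
}

$disk  = Get-Disk -Number $DiskNumber
$parts = Get-Partition -DiskNumber $DiskNumber | Sort-Object Offset

"Disk {0}: {1}, {2} GB, {3}" -f $disk.Number, $disk.FriendlyName, [math]::Round($disk.Size / 1GB, 1), $disk.PartitionStyle

# 1. Partition table with the attributes that matter. ReviewMe is a heuristic, not a verdict:
#    a hidden partition, or an active (bootable) one with no drive letter under 512 MB.
#    Windows 7's own 100 MB "System Reserved" partition matches that rule too, which is
#    exactly the thing the posts above are trying to tell apart from a malicious one, so
#    compare the table against what the OEM/Windows layout for that machine should be.
$parts | ForEach-Object {
    [pscustomobject]@{
        Part     = $_.PartitionNumber
        Letter   = if (Test-DriveLetter $_) { $_.DriveLetter } else { '-' }
        Type     = $_.Type
        MbrType  = if ($_.MbrType) { '0x{0:X2}' -f $_.MbrType } else { '-' }
        SizeMB   = [math]::Round($_.Size / 1MB)
        OffsetMB = [math]::Round($_.Offset / 1MB)
        Active   = $_.IsActive
        Hidden   = $_.IsHidden
        ReviewMe = $_.IsHidden -or ($_.IsActive -and -not (Test-DriveLetter $_) -and $_.Size -lt 512MB)
    }
} | Format-Table -AutoSize

# 2. Unallocated space. A gap before the first partition beyond the usual 1 MiB alignment,
#    between partitions, or at the end of the disk is where a deleted partition's contents
#    still sit and where bootkit code can live without any partition table entry at all.
$cursor = [int64]0
foreach ($p in $parts) {
    $gap = [int64]$p.Offset - $cursor
    if ($gap -gt 1MB) {
        "Unallocated: {0} MB starting at {1} MB (before partition {2})" -f [math]::Round($gap / 1MB), [math]::Round($cursor / 1MB), $p.PartitionNumber
    }
    $cursor = [int64]$p.Offset + [int64]$p.Size
}
$tail = [int64]$disk.Size - $cursor
if ($tail -gt 1MB) {
    "Unallocated: {0} MB at the end of the disk" -f [math]::Round($tail / 1MB)
}
```

Run it before any repair tool touches the drive, as the poster above suggests, and keep the output: once bootrec or a cleaner rewrites the table, the gap list is the only record of where the extra partition was.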
 
A virus on a hard drive can't stop a boot CD from working. Are you sure there isn't more to this than just a virus?

I know this is totally by the by now, but theoretically I think they could actually stop a Windows-based boot disk from booting.

The reason I think this is that I've seen a number of systems that would not allow Windows disks to boot but instead gave a 7B error (as I remember). But Linux disks were fine. Maybe something to do with the way those disks mount the HDD in the same way Windows does. I'd love to get to the bottom of how this works.
 
A VIRUS on a disk cannot stop a boot disk from booting. If you mean a disk is damaged and for some reason the boot disk is trying to mount the drive, then that would not be the virus stopping it, it would be the damage to the drive. Also, many 7B-type failures may be from boot disks that might not be able to mount a drive due to device driver issues. Besides, a Linux disk would never throw a 7B because that is a Windows error, so I am not sure what you are comparing here.
 
Lol, we just had this same virus come in the door the other day. Our main bench tech had no problems removing it (he is an awesome tech though), but I asked him about it. He said something about a spit registry entry?? and he had to manually do some things to it, but had no trouble at all removing it. I'll try to pick his brain Monday about what he did to remove it.
 
Not if it's in group policy, and use what!?

What allows us to edit the hive of a slave?

I've already removed the Windows startup stuff and it still loads. I created a registry entry / batch script to remove it from startup, but it's still going, so we think it's in local policy.

If I slave it, what would I use to edit the hive with?

My idea would be to put it on a smaller network of its own and link into it with the local security policy snap in.

Hey Pete,

You may not be watching this thread anymore but I did want to answer your question and for anyone else that wasn't aware you could do this.

1. Slave the infected drive
2. Back up the config folder or the hive file you're going to edit
3. Open regedit
4. Click on HKEY_LOCAL_MACHINE
5. Click File --> Load Hive ...
6. Browse to the hive with the open file dialogue that comes up
7. Edit as you see fit
8. Select the root of the loaded hive and click File ---> Unload Hive...

That's it. Happy editing. You can boot from a WinPE disk, or Windows install disc and do the same thing by running regedit from the command prompt if you don't want to slave the drive.
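
Added example, not from any poster in this thread: the same offline-hive technique as the post above, scripted for a triage pass. It backs up the hive files, loads the slaved drive's SOFTWARE and SYSTEM hives with reg.exe load, lists the common autostart and policy locations (including the Policies\Explorer\Run key, which is where registry-based local/group policy startup entries end up, and the local Group Policy scripts.ini, which is a file rather than a registry value), flags services whose ImagePath is outside the usual system locations, and always unloads in a finally block. Assumptions: the infected Windows directory is E:\Windows (change $Offline), the mount points HKLM\OfflineSOFTWARE and HKLM\OfflineSYSTEM are free, the backup goes under %TEMP%, the ImagePath filter is a rough heuristic of my own, and you run this from an elevated PowerShell on the bench machine or in WinPE.

```powershell
# Added example, not from the thread: review autostart locations in a slaved drive's
# SOFTWARE and SYSTEM hives without booting it, then unload cleanly.
# Assumptions: infected Windows directory is E:\Windows (change $Offline); the mount points
# HKLM\OfflineSOFTWARE and HKLM\OfflineSYSTEM are free; elevated PowerShell or WinPE.
param([string]$Offline = 'E:\Windows')

$hives = @{
    OfflineSOFTWARE = Join-Path $Offline 'System32\config\SOFTWARE'
    OfflineSYSTEM   = Join-Path $Offline 'System32\config\SYSTEM'
}

# Step 2 of the post above: back up the hive files before touching them.
$backup = Join-Path $env:TEMP ('hive-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($h in $hives.Values) { Copy-Item -Path $h -Destination $backup }
"Hive backup written to $backup"

function Show-Values([string]$Key) {
    # Print every value under a key as "name  data"; skip keys that do not exist
    if (-not (Test-Path $Key)) { return }
    "`n== $Key"
    foreach ($name in (Get-Item $Key).Property) {
        "{0,-32} {1}" -f $name, (Get-ItemProperty -Path $Key -Name $name).$name
    }
}

try {
    foreach ($name in $hives.Keys) {
        reg.exe load "HKLM\$name" $hives[$name] | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg load failed for $($hives[$name])" }
    }
    $sw = 'HKLM:\OfflineSOFTWARE'

    # Plain Run keys plus the policy-driven one. Registry-based local/group policy
    # settings live in this same hive, so "it's in policy" is still a value you can read here.
    Show-Values "$sw\Microsoft\Windows\CurrentVersion\Run"
    Show-Values "$sw\Microsoft\Windows\CurrentVersion\RunOnce"
    Show-Values "$sw\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    Show-Values "$sw\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"

    # Winlogon: Shell should be explorer.exe and Userinit should be
    # ...\system32\userinit.exe followed by a comma; anything appended after it is a hijack.
    $wl = Get-ItemProperty "$sw\Microsoft\Windows NT\CurrentVersion\Winlogon"
    "`n== Winlogon"
    "Shell    = $($wl.Shell)"
    "Userinit = $($wl.Userinit)"

    # An offline SYSTEM hive has no CurrentControlSet link; Select\Current says which set boots.
    $cur = (Get-ItemProperty 'HKLM:\OfflineSYSTEM\Select').Current
    $services = 'HKLM:\OfflineSYSTEM\ControlSet{0:D3}\Services' -f $cur
    "`n== Services/drivers in ControlSet{0:D3} whose ImagePath is outside the usual system locations (heuristic)" -f $cur
    foreach ($svc in Get-ChildItem $services) {
        $ip = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($ip -and $ip -notmatch '(?i)systemroot|system32|\\windows\\|program files') {
            "{0,-32} {1}" -f $svc.PSChildName, $ip
        }
    }

    # Local Group Policy startup scripts are files, not registry values.
    $scripts = Join-Path $Offline 'System32\GroupPolicy\Machine\Scripts\scripts.ini'
    if (Test-Path $scripts) { "`n== $scripts"; Get-Content $scripts }
}
finally {
    # Release the registry provider's handles first, or reg unload reports the key as in use.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    foreach ($name in $hives.Keys) { reg.exe unload "HKLM\$name" 2>$null | Out-Null }
}
```

Per-user Run keys live in each profile's NTUSER.DAT (E:\Users\<name>\NTUSER.DAT under the same assumptions) and load the same way with reg.exe load. Anything you decide to delete, do with regedit or Remove-ItemProperty while the hive is loaded, and confirm the unload succeeded before reattaching the drive to the client machine; a hive left loaded is held open by the bench machine and will not boot cleanly.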
 