Boot Sector virus removal trouble

vr6rafal
Hi, we've gotten this computer in the shop with a "sinowal" boot sector virus.

All the regular ways will not clean it. I've tried Malwarebytes, SuperAntiSpyware, Spybot, AVG Anti-Rootkit, AVG Anti-Virus, Avira, Kaspersky, ComboFix; most of these don't detect it.

I've tried "fixmbr" and no help. GMER finds it, and mbr.exe finds malicious code in the boot sector, as does Avira, but it will not clean it. I've tried the Avira boot sector tool but it did not fix it.
Any idea what else I can do? I've read that even formatting will not clean it.
 
This is becoming more prevalent and I think we need a simple, straightforward manual method of cleaning rather than relying on a virus program. I mean the boot sector is tiny and it should really be something like a low-level format or some simple tools booted from a floppy or USB stick.

There are options out there but it should be something standardized, as it's below the O/S and not dependent on that.
 
I've never had to deal with a boot sector virus before so I am just shooting in the dark, but wouldn't performing a repartition from a Linux disc then repartitioning and reinstalling Windows take care of it? If the rest of the HD is clean...
 
I've never had to deal with a boot sector virus before so I am just shooting in the dark, but wouldn't performing a repartition from a Linux disc then repartitioning and reinstalling Windows take care of it? If the rest of the HD is clean...

I'm probably shooting in the dark too, but I think some apps also write to the boot sector for the purpose of DRM and encryption.
 
One of my clients had IRCBOT/TORPIG (aka sinowal) and it was detected by his ISP (Rogers), who said he had 48 hrs to clean it up or they'd suspend his account. I couldn't detect it with anything, including Rescue CDs and connecting it as a slave on my PC and scanning it, so I said Rogers must be mistaken. Reconnected his system and he immediately got shut down by Rogers, saying it's still there. Finally had to flatten and rebuild. That seems to be the only solution, judging from others who got shut down by Rogers for the same thing. Worked for him, but drastic and expensive.
 
It is possible that this is not the sinowal trojan and the MBR is not compromised.

There are reports that this problem is notified by Norton, Kaspersky etc as sinowal but is in fact something else.

The virus is called: spyware.ispynow

http://www.spywareremovalblog.com/remove-spywareispynow/

The process has a few different names. Look for one of these:

runhh6110411.exe, xtgoj6119471.exe, ggqjh22510678.exe, or something similar

Look here

C:\Documents and Settings\Owner(your name)\Application Data\Google

Kill the process and delete the files in safemode.
 
Well, after I did "fixmbr" from the Windows recovery console, plus a few other things, I just ran AVG and Avira, which before usually picked it up right away; it seems they do not pick it up anymore. However, if I run GMER and MBR.exe it still shows malicious code in sector 62, which is the Master Boot Sector.

But since the normal virus scanners are not picking it up, it may be that GMER and MBR.exe, since both work on the same basis, are giving a false positive.

So if the normal scanners are not finding it, I'm going to consider this machine clean.
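An added example, not from this thread: a small Python check of a raw disk image that does the sort of manual MBR inspection the thread asks for. It parses the 512-byte MBR, hashes the bootstrap code against a known-good baseline, and lists any non-empty sectors in the unpartitioned gap before the first partition, which is where a report of "sector 62" on a disk whose first partition starts at LBA 63 would fall. The MBR layout is the standard one; the sample image, the hash baseline and the bytes planted in sector 62 are constructed here.

```python
import hashlib
import struct

SECTOR = 512
SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap-code hash, the partition table and the boot signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        # Entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count.
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype, "start": start, "count": count})
    return {
        "code_sha256": hashlib.sha256(sector[:440]).hexdigest(),  # bytes 440-445 (disk id) vary per disk
        "partitions": parts,
        "signature_ok": sector[510:512] == SIGNATURE,
    }

def audit_disk(image: bytes, known_good_code: set) -> list:
    """Flag a bad signature, bootstrap code not in the baseline, and non-empty sectors in the
    unpartitioned gap before the first partition (no filesystem owns that space)."""
    mbr = parse_mbr(image[:SECTOR])
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if mbr["code_sha256"] not in known_good_code:
        findings.append("bootstrap code does not match any known-good hash")
    first = min((p["start"] for p in mbr["partitions"]), default=1)
    for lba in range(1, min(first, len(image) // SECTOR)):
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            findings.append(f"unpartitioned sector {lba} is not empty")
    return findings

# Constructed sample image (64 sectors): a clean-looking MBR with one NTFS partition starting at
# LBA 63, plus a few non-zero bytes planted in sector 62 to stand in for hidden code.
CLEAN_CODE = b"\xeb\x3c\x90" + bytes(437)              # 440-byte stand-in for real bootstrap code
ENTRY = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1)     # bootable, type 0x07, start 63, 1 sector
SAMPLE_MBR = CLEAN_CODE + b"\x12\x34\x56\x78\x00\x00" + ENTRY + bytes(48) + SIGNATURE
SAMPLE_IMAGE = bytearray(64 * SECTOR)
SAMPLE_IMAGE[:SECTOR] = SAMPLE_MBR
SAMPLE_IMAGE[62 * SECTOR:62 * SECTOR + 4] = b"\xde\xad\xbe\xef"
KNOWN_GOOD = {hashlib.sha256(CLEAN_CODE).hexdigest()}

if __name__ == "__main__":
    print(audit_disk(bytes(SAMPLE_IMAGE), KNOWN_GOOD))
```

For a real disk, pass the first few megabytes read from the raw device on a rescue system as `image`, with the baseline filled from an MBR you know to be clean.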
 
Use UBCD4Win and run AV from there; removing the hard drive from the boot sequence always works for me.

I have Kaspersky Internet Security (3-licence version) on my work computer, which can be imported for use by UBCD4Win, but AntiVir will do the job as well.
 
From the page Galdorf posted:

Hello,

At the moment the latest version of the MBR rootkit is detected only by Prevx, RootRepeal anti-rootkit (the deepest hard disk scan level must be set, but we have seen this setting can sometimes cause a BSOD) and the latest update of Dr.Web. Those are able to detect and clean the infection.
 
I had a customer that kept getting infected after reboots. It was puzzling there for a while, then I thought it must be an MBR rootkit, googled "mbr rootkit" and the Prevx blog showed up.

I used Prevx, found an MBR rootkit and cleaned it. If it was not for reading the info on their website I would have had to zero out the customer's drive and re-install.

It sure saved me a lot of work.
 