I use Win95 and have a parity boot virus (B) since I
tried to install DittoMax software on my machine. Most
likely. Anyway, I found no way to get rid of it. McAfee
for Windows95 always finds the search string in memory,
so it won't scan the files. Thus, I boot with a 'naked'
disk, not containing any files (himem.sys for example),
that could carry the virus. The disk is sterile, checked
on other machines. No drivers are installed. Always,
f-prot finds the virus in memory. I can't use McAfee
because it is too large for memory, which I find is a bad joke.
Anyway, I do not get rid of this virus. It is not a
false alarm, since one time the computer stopped with
'parity check' on the screen.
Interestingly, McAfee finds the virus in memory on startup,
but when antivirus is started under win95, it finds a '%s'
virus. I also tried 'InocuLAN 5.0' with no success. It also
finds the virus string in mem (parity boot) and stops.
What can I do?
Any help will be appreciated!
Lars Packschies from Dortmund, Germany (nice weather outside)...
I'm using: Intel Pentium 133
Intel Advanced/AS MOBO BIOS release 7 Bios 1.00.7.CL0
Adaptec AHA 2940 V1.21 PCI SCSI
Fujitsu M1606 HD
Millenium I 2MB BIOS V1.5
MGA drivers 4.10.01.3800
Lars Packschies, Dortmund (weather's still fine !)
Lars, this is a common diskette and hdd boot virus that has nothing to
do with files. It infects the boot record (first sector) of both
diskettes and your C: drive. You need to cold boot (power off/on)
using a clean Win95 backup diskette created on a known clean machine
and write protected before you use it. Then any good AV product
should be able to disinfect your hdd. Next you must scan ALL of your
diskettes to eliminate it.
--
Arthur Blossom, IBM AntiVirus services
--
Hi Arthur !
Thanks, I've already tried that. The problem was that the boot
virus hooks into the memory on startup. Most anti-virus products
scan memory first, find the virus string and stop. They say I
should boot with a clean disk and so on... Which I did, see above.
I found a program that removed the virus (just 30 minutes ago!!).
This product (shareware) does not scan memory first (AVP).
Furthermore, I found that you can switch off memory scanning for
the program f-prot - which the authors recommend only when you're
sure that the virus warning is a false alarm... - it wasn't,
so I did not try.
Excuse my poor knowledge... But viruses have never been a problem
for me, this virus is the second one. The first was 'falling
letters' (which was funny somehow and which could be easily
eliminated) on a 286 machine in 1991 :-)
Anyway, interestingly this boot virus did _not_ infect my boot
drive, it was found at drive D in my system!
This is strange...
Thanks for your time,
Lars Packschies
>Thanks, I've already tried that. The problem was that the boot
>virus hooks into the memory on startup. Most anti-virus products
If you boot from a clean disk, the image of the virus can sometimes (Win95)
be loaded in memory and picked up by scanners, but the virus hasn't hooked
anything because it hasn't been executed. I think one can avoid that memory
load by having a config.sys with a certain amount of files (I always include
himem.sys, files=20 and buffers=20 - so I don't really know what the
minimum is; Martin Overton probably knows more about that).
>I found a program that removed the virus (just 30 minutes ago !!).
>This product (shareware) does not scan memory first (AVP).
Well, that's not that simple, but yes, AVP can eventually go through viruses
when they are active in memory (some other products can do this as well).
Besides, AVP doesn't use the same memory scanning strategy as the program
that told you the virus was found.
>Furthermore, I found, that you can switch off memory scanning for
>the program f-prot - which the authors recommend only when you're
>sure, that the virus warning is a false alarm... - it wasn't,
>so I did not try.
Understandable. That situation really deserves more publicity.
>Excuse my poor knowledge... But viruses have never been a problem
Not poor at all, you did well and are now virus free, that's the essential
point.
>Anyway, interestingly this boot virus did _not_ infect my boot
>drive, it was found at drive D in my system!
It was probably there before the drive was used as a D drive and went
unnoticed. There are other more esoteric possibilities though.
---
Pierre Vandevenne, MD - http://www.datarescue.com/ida.htm
IDA Pro 3.75 -the- disassembler
Scott Watson
Windows98 - from the people who brought you EDLIN
[...]
>I found a program that removed the virus (just 30 minutes ago !!).
>This product (shareware) does not scan memory first (AVP).
[...]
Hello Lars!
One question out of interest: Did you try to run 'fdisk.exe /mbr' to remove this
virus? In the past, we had a lot of problems with 'Parity-Boot B' and we removed
it with this DOS command after a virus check. It might be bad if there's a 'new'
Parity Boot B, which can't be removed with fdisk /mbr.
Regards
Erik Fries
Quantum Gesellschaft fuer Software mbH
Erik Fries
Emil-Figge-Str. 83, D-44227 Dortmund
Fon: +49-231-9749-548 / +49-171-9596622
Fax: +49-231-9749-3
Email: erik....@quantum.de
And I only tried it with drive C. Would it work on another drive
than the boot HD ?
Lars
>Hello Lars!
>
>One question out of interest: Did you try to run 'fdisk.exe /mbr' to remove this
>virus? In the past, we had a lot of problems with 'Parity-Boot B' and we removed
>it with this DOS command after a virus check. It might be bad if there's a 'new'
>Parity Boot B, which can't be removed with fdisk /mbr.
>
>Regards
>Erik Fries
[snip], greetings from Do to Do!
Hey Erik,
Yes, I tried. But it did not help, and I now know why. Yesterday I
posted that I'd already managed to get rid of the virus by using
AVP for DOS. And AVP found the virus on the boot sector of drive D.
Not on the boot drive.
Anyway, fdisk /mbr is a good idea, and I learned about the advantage
of its existence since I tried to install LiLo (linux boot manager)
without knowing that Linux has to be located in the first 1024
cylinders of the boot drive to be 'managed directly' by lilo.
No boot, no good *-[:o)
Thanks, anyway
See you
Lars Packschies
> [...]
>>I found a program that removed the virus (just 30 minutes ago !!).
>>This product (shareware) does not scan memory first (AVP).
> [...]
> Hello Lars!
> One question out of interest: Did you try to run 'fdisk.exe /mbr' to remove this
> virus? In the past, we had a lot of problems with 'Parity-Boot B' and we removed
> it with this DOS command after a virus check. It might be bad if there's a 'new'
> Parity Boot B, which can't be removed with fdisk /mbr.
Please, Erik, don't offer such ill-advised suggestions -- not, at least,
unless you know that the user has valid, current backups or doesn't care about
any of the data on the computer.
FDISK/Mumble is a Bad Idea in general; though it works sometimes, it can
make matters a whole LOT worse. For a partial list of reasons why this is so,
see the acv FAQ, Part 4, Section 14.
JUST SAY NO TO FDISK/MBR !!
-BPB
>>Hello Lars!
>>
>>One question out of interest: Did you try to run 'fdisk.exe /mbr' to remove this
>>virus? In the past, we had a lot of problems with 'Parity-Boot B' and we removed
>>it with this DOS command after a virus check. It might be bad if there's a 'new'
>>Parity Boot B, which can't be removed with fdisk /mbr.
>>
>>Regards
>>Erik Fries
> [snip], greetings from Do to Do!
> Hey Erik,
> Yes, I tried. But it did not help, and I now know why. Yesterday I
> posted that I'd already managed to get rid of the virus by using
> AVP for DOS. And AVP found the virus on the boot sector of drive D.
> Not on the boot drive.
> Anyway, fdisk /mbr is a good idea,
No, it isn't. FDISK doesn't know anything about viruses, and using it can
extract a severe penalty. Like loss of all data, for instance.
> and I learned about the advantage
> of its existence since I tried to install LiLo (linux boot manager)
> without knowing that Linux has to be located in the first 1024
> cylinders of the boot drive to be 'managed directly' by lilo.
> No boot, no good *-[:o)
Glad your use of it didn't trash your data. But please don't recommend it
to others.
-BPB
I don't know why your copy of AVP doesn't scan memory first, but every version
I've tried including shareware does scan memory first. In fact, the DOS
version of AVP can even remove viruses when they're memory resident
without the need for a clean boot (although they recommend to clean boot
first if possible; if not, in most cases, it can get rid of the virus
anyway).
Chris
> Sorry, I forgot:
> >Yes, I tried. But it did not help, and I now know why. Yesterday I
> >posted, that I've already managed getting rid of the virusby using
> >AVP for DOS. And AVP found the virus on the boot sector of drive D.
> >Not on the boot drive.
> And I only tried it with drive C. Would it work on another drive
> than the boot HD ?
I suppose that you are talking of FDISK /MBR.
First, it's not always a good idea to use FDISK /MBR.
It does not address 'drive C' but the first _physical_ hard drive. C is a
logical drive, assigned by the operating system, later on in the startup
process. Fdisk handles the configuration of physical hard drives, the
logical drives are assigned to _partitions_ created with Fdisk or else.
FDISK /MBR doesn't work on other than the first hard drive. To process the
MBR of the second drive with FDISK /MBR you can disable drive 1 in the
setup, drive 2 then becomes the first.
Lastly, InVircible provides a better solution. Its rescue diskette backs up
all critical data of both drives: the CMOS setup, MBR and boot sectors -
there could be more than one on the same drive, and track zero overlays such
as Disk Manager, EZ-Drive, access control, etc.
In your particular case (not having an IV rescue made before getting
infected), you could use ResQdisk, InVircible's tool for fixing all sort of
hard disk problems, like regaining access to a lost drive. Handling boot
viruses is just a minor aspect of disaster recovery.
Available from our Websites, below.
Regards, Zvi
---------------------------------------------------------------------
NetZ Computing Ltd., Israel - Producer of InVircible, ResQdisk & ResQdata
Voice +972 3 938 6868, +972 52 494 017 (cellular) Fax +972 3 938 6869
Email: ne...@actcom.co.il z...@invircible.com CIS:100274,2523
http://www.InVircible.com www.ResQ.co.il www.NetZComp.com
---------------------------------------------------------------------
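Zvi's point above is that the MBR and boot sectors should be saved while the machine is known clean, so that a later reading can be compared and, if needed, restored from the copy rather than blindly rewritten. The following is an added example, written for this thread and not part of any product named in it (InVircible, ResQdisk, FDISK): it parses a 512-byte MBR, checks the 0x55AA signature, lists the partition entries, and reports whether the boot-code region or the partition table differs from a saved baseline. The sample sector bytes and the "modified" copy (boot code overwritten with a filler pattern, partition table untouched) are constructed here for illustration. On a real system the 512 bytes would come from reading the first sector of the physical disk with an administrator-level raw read, which this example does not perform.

```python
"""Integrity baseline for a 512-byte MBR: parse the partition table, hash the
boot-code region, and report what changed relative to a known-good copy."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"    # bytes 510..511


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, type_id = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if type_id != 0:   # type 0 marks an unused slot
            entries.append(PartitionEntry(status == 0x80, type_id, lba_start, count))
    return entries


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot-code region only (partition table excluded)."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def compare_to_baseline(baseline: bytes, current: bytes) -> Dict[str, bool]:
    """Classify how a freshly read MBR differs from the saved known-good copy.
    A change confined to the boot code is the pattern a boot-sector infection
    leaves; a changed partition table means a plain boot-code rewrite would
    not restore the disk and the full saved sector is needed."""
    return {
        "signature_ok": current[510:512] == SIGNATURE,
        "boot_code_changed": boot_code_digest(baseline) != boot_code_digest(current),
        "partition_table_changed": baseline[PART_TABLE_OFF:510] != current[PART_TABLE_OFF:510],
    }


def make_sample_mbr() -> bytes:
    """Constructed sample: a minimal boot stub plus one bootable FAT16 partition
    starting at LBA 63 with 2048 sectors. Not a real disk image."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOT_CODE_LEN - 5)
    entry = bytes([0x80, 1, 1, 0, 0x06, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 2048)
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)
    sector = boot_code + table + SIGNATURE
    assert len(sector) == MBR_SIZE
    return sector


def make_modified_sample() -> bytes:
    """Constructed sample whose boot-code region was overwritten with a filler
    pattern while the partition table and signature were left intact."""
    sector = bytearray(make_sample_mbr())
    sector[0:BOOT_CODE_LEN] = bytes((i * 7) & 0xFF for i in range(BOOT_CODE_LEN))
    return bytes(sector)


if __name__ == "__main__":
    clean = make_sample_mbr()
    for e in parse_partition_table(clean):
        print(e)
    print(compare_to_baseline(clean, make_modified_sample()))
```

Keeping the saved sector on write-protected offline media, as the rescue-diskette approach does, is what makes the comparison trustworthy: a baseline stored on the same disk can be altered along with the sector it is meant to verify.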
>> Anyway, fdisk /mbr is a good idea,
>
> No, it isn't. FDISK doesn't know anything about viruses, and using it can
>extract a severe penalty. Like loss of all data, for instance.
>
>> and I learned about the advantage
>> of its existence since I tried to install LiLo (linux boot manager)
>> without knowing that Linux has to be located in the first 1024
>> cylinders of the boot drive to be 'managed directly' by lilo.
>> No boot, no good *-[:o)
>
> Glad your use of it didn't trash your data. But please don't recommend it
>to others.
>
> -BPB
>
Hi Bruce,
It's okay. Concerning Linux (SuSE 5.2) it is recommended to store the
data before installing LiLo, then fdisk /mbr shall be used in case
of failure.
Bye,
Lars
thank you all for your help !
Lars
> Hi Bruce,
1. If you want to use it, fine.
2. But don't recommend it to others publicly, because ...
3. Most folks aren't using Linux (for which I don't know how FDISK behaves) and
4. For SURE FDISK can make matters a lot worse, when one is using
DOS/Windows versions of FDISK.
Also, remember that folks will just remember "Use FDISK/Mumble", not "(a)
back up all your data (b) use Linux and (c) then use this FDISK command:..."
Also, note that for some viruses, having a backup won't help. Consider
One_Half.
Thanks.