TechSpot

Can't take off a virus even after formatting

By georges2009
Oct 1, 2004
Topic Status:
Not open for further replies.
  1. Hey people,
    I wanted to get some tips on how I could repair my PC.

    I don't know if it's a virus or not, but it's always replicating itself and it's slowing my PC.

    It doesn't let me get on MSN or on the internet.

    I tried to format my computer and reinstall XP, but the virus was still there and, as before, it was recopying itself all over the computer.

    It's in a folder named Prefecht and another one too.

    So what can I do???

    Thanks
     
  2. StormBringer

    StormBringer TS Rookie Posts: 2,871

    What virus is this? It's been quite a while since I've seen a boot-sector virus "in the wild", and that's the only virus I know of that can survive a standard format, and those can't survive a low-level format or a debug.
    If you'd post a little more about the symptoms, someone might be able to give you some help on how to fix the problem.

    If you think this is actually a BSV, you can always debug the drive, but be aware that it will destroy everything on the drive, including all data and partitions, and leave it as raw data, and you'll have to FDISK it before you can do anything with it.
    http://www.computerhope.com/rdebug.htm
    http://www.computerhope.com/rdebug.htm#4
     
  3. Nic

    Nic TechSpot Paladin Posts: 1,928

    Maybe your copy of XP is infected (assuming you really do have a virus, and your XP is not an original)?
     
  4. georges2009

    georges2009 TS Rookie Topic Starter

    I don't know what kind of virus it is...
    but maybe it's on the boot sector... so I did this: To repair a damaged boot sector, at the command prompt type FIXBOOT and press Enter. Then answer "Y".

    I don't know if it's going to be enough.

    StormBringer, I went to the link but I didn't understand many things; can you explain it to me simply?

    And I have a question: if I do the FDISK thing... and put in my Windows XP CD, is it still going to be able to detect the CD so I can reinstall it?

    Anyway, thanks
     
  5. SNGX1275

    SNGX1275 TS Forces Special Posts: 12,552   +301

    Yes, if your XP CD is bootable (it should be); you can test that by rebooting with it in your CD drive and seeing if it tries to boot off the CD. Then you will be able to FDISK and be OK as far as getting XP back on, but you will likely want to have a Windows 98 boot floppy to make it simpler and faster to use FDISK.
     
  6. georges2009

    georges2009 TS Rookie Topic Starter

    OK, so if it's simpler to FDISK with the Windows 98 startup disk, what are the commands that I have to use, and what do I have to do after???
     
  7. StormBringer

    StormBringer TS Rookie Posts: 2,871

    If you have a boot-sector virus then the boot sector gets rewritten with a fake boot sector, but the virus resides on the real boot sector and will keep you from fixing it with a FIXBOOT or FIXMBR command. The virus redirects such actions to the fake boot sector.
    (I'm sure I'm a bit off on that description, but it's pretty close to what is going on.)
    However, if you use a tool which disregards the partition and formatting info, it will wipe everything off the disk, including the virus, because it doesn't look for any data, just the physical layout of the disk.

    Below is a link that explains exactly how to run a debug, which is a bit easier to follow; it also has a link to a file which creates a bootable disk containing the necessary debug script. The article and the file are linked from support.dell.com, but it isn't specific to Dell machines. I only linked it there because I know that it is accurate. Basically, you only type what is in bold text at the prompt. The prompt is a "-". http://support.dell.com/support/top.../en/document?dn=1011054&c=us&l=en&s=dhs&cs=19

    PS: you can also usually find low-level formatting tools specific to the manufacturer of your HDD on the manufacturer's website, and also here: http://www.techspot.com/vb/showthread.php?s=&threadid=7602
     
  8. georges2009

    georges2009 TS Rookie Topic Starter

    Thanks StormBringer, I'll try it tonight and tell you if it worked.
     
  9. SNGX1275

    SNGX1275 TS Forces Special Posts: 12,552   +301

    Oh, it will work if the virus is on your hard drive in any such form, but I think more than likely your "virus" is something else, some other problem, with the possibility of it (although unlikely) coming from the CD you are using to install (if it's a pirated CD).
     
  10. georges2009

    georges2009 TS Rookie Topic Starter

    Hey StormBringer,

    I didn't have the chance to post any message before.

    Anyway, I did what you told me to do, the disk and the commands to enter. Then I formatted the hard disk. After that, I installed Windows XP and I noticed that the files were still there, and these files are like a remote connection. When I log on to the internet it reports that my connection is being used without downloading anything.

    So I'm going to let you know what the programs loading automatically are:

    wmiprvsl.exe
    spoolsv.exe
    svxhost.exe LOCAL SERVICE
    svchost.exe NERWORK SERVICE
    svchost.exe SYSTEM
    lsass.exe SYSTEM
    winlogn.exe SYSTEM
    csrss.exe SYSTEM
    smsss.exe SYSTEM
    msiexer.exe SYSTEM
    system
    system idle process

    and I notice that svchost is maybe the file doing all this...

    So I don't know; do you have any advice to give???
     
  11. StormBringer

    StormBringer TS Rookie Posts: 2,871

    I'm not familiar with "wmiprvsl.exe" or "msiexer.exe"(maybe msiexec.exe?)

    The others you listed are all native to XP, with the exception of svxhost, which seems to be related to a worm.
    http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SDBOT.SR&VSect=T

    svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. It is pretty much a generic host process and may be associated with many different apps, which is why you may see many instances of it running at any given time.

    spoolsv.exe is a Microsoft Windows system executable which handles the printing process to your local printers.

    lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. Note: lsass.exe also relates to the W32/Windang.worm which spread via floppy disk drives. Please review file path for clarification of this.

    csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

    smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.

    It's not very likely that this was left behind after debugging, since the debug process wipes out all data and doesn't read any structure at all. It wipes everything, so having something left over is highly unlikely. Sounds more like you might be using a burned copy of the XP CD which is infected.
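    A practitioner's version of the check StormBringer describes above (native name, file path, account), as an added example that is not part of the thread: the baseline of native XP processes, the directories and accounts it expects, and the process listing it runs over are all constructed for illustration, and the baseline includes names the thread does not mention (services.exe, explorer.exe, wmiprvse.exe). It flags three things: a native name loaded from somewhere other than its normal directory, a native name running under an unexpected account, and a name within edit distance 2 of a native one, which is how svxhost.exe stands out next to svchost.exe.

```python
"""Triage a Windows XP process listing: is each name native, is it loaded from
the expected directory, and does it run under the expected account?
Added example; the baseline and the listing below are constructed."""
from typing import Dict, List, Optional, Set, Tuple

SYS32 = r"c:\windows\system32"

# Baseline of native XP processes assumed for this example (not from the thread):
# name -> (directory the real binary lives in, accounts it normally runs as; None = any)
NATIVE: Dict[str, Tuple[str, Optional[Set[str]]]] = {
    "smss.exe": (SYS32, {"SYSTEM"}),
    "csrss.exe": (SYS32, {"SYSTEM"}),
    "winlogon.exe": (SYS32, {"SYSTEM"}),
    "services.exe": (SYS32, {"SYSTEM"}),
    "lsass.exe": (SYS32, {"SYSTEM"}),
    "svchost.exe": (SYS32, {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}),
    "spoolsv.exe": (SYS32, {"SYSTEM"}),
    "msiexec.exe": (SYS32, None),  # runs as SYSTEM (service) or as the user (interactive)
    "wmiprvse.exe": (SYS32 + r"\wbem", {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}),
    "explorer.exe": (r"c:\windows", None),
}
KERNEL_PSEUDO = {"system", "system idle process"}  # no image file on disk


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-letter impostors of native names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(name: str, user: str, path: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'ok', 'suspect' or 'unknown'."""
    key = name.lower()
    if key in KERNEL_PSEUDO:
        return "ok", "kernel pseudo-process, no image file"
    directory = path.lower().rsplit("\\", 1)[0] if "\\" in path else ""
    if key in NATIVE:
        exp_dir, exp_users = NATIVE[key]
        if directory != exp_dir:
            return "suspect", f"native name loaded from {path!r}, expected {exp_dir}"
        if exp_users is not None and user.upper() not in exp_users:
            return "suspect", f"native name running as {user!r}, expected {sorted(exp_users)}"
        return "ok", "native process from expected path"
    close = [n for n in NATIVE if levenshtein(key, n) <= 2]
    if close:
        return "suspect", "lookalike of " + ", ".join(close)
    return "unknown", "not in baseline; research the name and path"


# Constructed listing (name, account, image path), roughly what Task Manager plus a
# path column would show on the machine in the thread.
SAMPLE_LISTING: List[Tuple[str, str, str]] = [
    ("System Idle Process", "SYSTEM", ""),
    ("System", "SYSTEM", ""),
    ("smss.exe", "SYSTEM", r"C:\WINDOWS\system32\smss.exe"),
    ("csrss.exe", "SYSTEM", r"C:\WINDOWS\system32\csrss.exe"),
    ("winlogon.exe", "SYSTEM", r"C:\WINDOWS\system32\winlogon.exe"),
    ("lsass.exe", "SYSTEM", r"C:\WINDOWS\system32\lsass.exe"),
    ("svchost.exe", "SYSTEM", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", "NETWORK SERVICE", r"C:\WINDOWS\system32\svchost.exe"),
    ("svchost.exe", "LOCAL SERVICE", r"C:\WINDOWS\system32\svchost.exe"),
    ("svxhost.exe", "LOCAL SERVICE", r"C:\WINDOWS\system32\svxhost.exe"),  # lookalike
    ("spoolsv.exe", "SYSTEM", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("lsass.exe", "SYSTEM", r"C:\WINDOWS\lsass.exe"),  # right name, wrong directory
    ("msiexec.exe", "SYSTEM", r"C:\WINDOWS\system32\msiexec.exe"),
    ("wmiprvse.exe", "NETWORK SERVICE", r"C:\WINDOWS\system32\wbem\wmiprvse.exe"),
    ("updater.exe", "georges", r"C:\Program Files\Updater\updater.exe"),  # not in baseline
]


def triage_listing(rows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Run triage over a listing; returns (name, verdict, reason) per row."""
    return [(name, *triage(name, user, path)) for name, user, path in rows]


if __name__ == "__main__":
    for name, verdict, reason in triage_listing(SAMPLE_LISTING):
        print(f"{verdict:8} {name:22} {reason}")
```

    The edit-distance rule is deliberately loose (distance 2 on the whole file name), so on a real box it will also match benign near-neighbours; treat its hits as "look at the path and the vendor signature", not as a verdict on their own.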
     
     
  12. georges2009

    georges2009 TS Rookie Topic Starter

    I think that it's not the Windows XP CD, because this problem happened on my computer even before installing the Windows XP CD, and I had never used it before.

    At the beginning of all this, I saw that my connection was being used and that my computer was very slow. (Many programs were running, maybe 50... and svchost.exe was there, and I had many files and folders created from nowhere.)

    So then I thought that I would have to format... and I used the Windows XP CD.

    But I can still see the same program running on my computer after I connected to the internet.

    I don't know if that means that the CD is infected... (because it was like that before).
     
  13. SNGX1275

    SNGX1275 TS Forces Special Posts: 12,552   +301

    Did you do the FDISK and then format, all from a Windows 98 boot floppy? If so, there is no way Windows would install and show all your old files.
     
  14. StormBringer

    StormBringer TS Rookie Posts: 2,871

    He said he ran the debug I posted; if that is the case, then he had to FDISK and format before he could do anything with the drive, as debug wipes all structure and leaves only raw unpartitioned space.

    As I stated earlier, svchost is part of WinXP; it will always be there and can show up in multiple instances depending on how many currently running applications it is hosting.
     
  15. Nic

    Nic TechSpot Paladin Posts: 1,928

    Disconnect your PC from the network, rerun FDISK, reinstall XP (select reformat HD), activate the XP firewall (or, better still, use ZoneAlarm), install anti-virus software, and then reconnect your network connection. If your XP is original and you still have a problem, then you must be imagining it, or getting confused :=).
     
  16. georges2009

    georges2009 TS Rookie Topic Starter

    Hi all, if I remember well, what I did is format and then install the debug on disk... but I don't think I did FDISK because I don't know how to do it lol.

    So if it's right... what I have to do in order is
    1. FDISK (I don't know how to do it... can someone give me advice???)
    2. FORMAT
    3. DEBUG ON DISK
    4. INSTALL XP
    (and when should I do the "FIXBOOT"???)

    So I'd like to know if that's the order I should do it in, and how I can FDISK.

    P.S. The files in the running applications aren't my old programs... those are all erased, but what's happening is that when I open my internet connection, programs are being created (I think by the remote connection) and I can see them in my running applications.

    Thanks
     
  17. StormBringer

    StormBringer TS Rookie Posts: 2,871

    If you ran the debug, then you HAD to FDISK afterward, because the disk is raw, unpartitioned space afterward. The partitioning and formatting utility included on the XP CD would have done this for you, but you'd still have had to go through the steps of creating the partition and formatting during the first part of the installation.

    If you clean-install XP onto a freshly made partition, there is no use for FIXBOOT; that command is for problems with an existing boot record. If you destroy the partitions, you no longer have a boot sector until you create a new one during the installation.
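    To make the distinction in posts #7 and #17 concrete, here is an added example (not from the thread or from the linked Dell article) that models a disk with the standard MBR layout: 446 bytes of boot code, four 16-byte partition entries and the 0x55AA signature in sector 0, with the volume boot record and file data further out. It shows that a standard format rewrites only the partition's own sectors, so whatever lives in the MBR boot code survives it, while writing a zeroed buffer over the first physical sector (what a debug-script MBR wipe does) removes both that code and the partition table, leaving the drive as unpartitioned space that FDISK or XP setup must recreate before FIXBOOT even has a boot record to repair. The eight-sector disk image is constructed; a real low-level format zeroes every sector, not just the first.

```python
"""Model of an MBR disk: why a 'format' leaves boot-sector code alone but
zeroing sector 0 does not. Added example; the disk image is constructed."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"  # MBR signature at bytes 510-511
ENTRY = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode: bytes, partitions) -> bytes:
    """446 bytes of boot code, four 16-byte partition entries, then 0x55AA.
    partitions: iterable of (bootable, type, lba_start, sector_count)."""
    assert len(bootcode) <= 446
    table = b"".join(
        struct.pack(ENTRY, 0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for bootable, ptype, lba, count in partitions
    ).ljust(64, b"\0")
    return bootcode.ljust(446, b"\0") + table + BOOT_SIG


def parse_mbr(sector0: bytes):
    """Return the non-empty partition entries, or None if sector 0 is not a valid MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIG:
        return None
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY, sector0[off:off + 16])
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return parts


def mbr_bootcode(image: bytes) -> bytes:
    """The code a BIOS would execute from sector 0 (where a boot-sector virus lives)."""
    return image[:446].rstrip(b"\0")


def build_disk(bootcode: bytes) -> bytes:
    """Constructed 8-sector image: MBR, one partition at LBA 2 (VBR + data)."""
    img = bytearray(8 * SECTOR)
    img[0:SECTOR] = build_mbr(bootcode, [(True, 0x07, 2, 6)])
    img[2 * SECTOR:3 * SECTOR] = b"VBR".ljust(SECTOR, b"\0")       # volume boot record
    img[3 * SECTOR:4 * SECTOR] = b"USERDATA".ljust(SECTOR, b"\0")  # file-system contents
    return bytes(img)


def format_partition(image: bytes) -> bytes:
    """A standard format rewrites the partition's own sectors and never touches sector 0."""
    img = bytearray(image)
    for part in parse_mbr(image[:SECTOR]) or []:
        start = part["lba"] * SECTOR
        end = (part["lba"] + part["sectors"]) * SECTOR
        img[start:end] = b"\0" * (end - start)
        img[start:start + 3] = b"VBR"  # fresh volume boot record for the partition
    return bytes(img)


def zero_sector0(image: bytes) -> bytes:
    """Write one zeroed sector at LBA 0: boot code and partition table are gone,
    everything past sector 0 is untouched (the drive is now 'raw unpartitioned space')."""
    return b"\0" * SECTOR + image[SECTOR:]


if __name__ == "__main__":
    disk = build_disk(b"EVILBSV")  # stand-in for infected MBR boot code
    print("after format, MBR code:", mbr_bootcode(format_partition(disk)))
    print("after sector-0 wipe, partitions:", parse_mbr(zero_sector0(disk)[:SECTOR]))
```

    The point of the model is the asymmetry: FORMAT operates inside a partition, the partition is described by sector 0, and nothing in that workflow rewrites sector 0 itself; only a tool that addresses the physical sector (or every sector) does.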
     
  18. acidosmosis

    acidosmosis TechSpot Chancellor Posts: 1,574

    When you reinstall XP, go to Norton, McAfee and Trend Micro's websites and run the online scan to see if it detects anything.

    http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

    http://us.mcafee.com/root/mfs/default.asp

    http://housecall.trendmicro.com/

    (Easier if you don't have Norton or McAfee, along with updated subscriptions.) You won't be able to remove the virus, but it will tell you which virus it found and you can do research from there.

    More Info:
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;82923
    http://antivirus.about.com/cs/bootinfectors/index.htm?once=true&
     
  19. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    You still have not answered our queries as to whether yours is an original or a pirated copy of XP.

    Until you can truthfully answer that, any further continuation of this thread is pointless!
     
  20. Mictlantecuhtli

    Mictlantecuhtli TS Evangelist Posts: 4,916   +9

    When installing any operating system, it's advisable to install it with the network cable unplugged, and plug it in after a firewall is installed. That should prevent unwanted applications from connecting when you log in to the network.
     