Can't take off a virus even after formatting

Status
Not open for further replies.

georges2009

Hey ppl,
I wanted to get some tips on how I could repair my PC.

I don't know if it's a virus or not, but it's always replicating itself and it's slowing my PC.

It doesn't let me get on MSN or on the internet.

I tried to format my computer and reinstall XP, but the virus was still there and, as before, it was recopying itself all over the computer.

It's in a folder named Prefecht and another one too.

So what can I do???

Thanks
 
What virus is this? It's been quite a while since I've seen a boot sector virus "in the wild", and that's the only virus I know of that can survive a standard format, and those can't survive a low-level format or a debug.
If you'd post a little more about the symptoms, someone might be able to give you some help on how to fix the problem.

If you think this is actually a BSV, you can always debug the drive, but be aware that it will destroy everything on the drive, including all data and partitions, and leave it as raw data, and you'll have to FDISK it before you can do anything with it.
http://www.computerhope.com/rdebug.htm
http://www.computerhope.com/rdebug.htm#4
 
Maybe your copy of XP is infected (assuming you really do have a virus, and your XP is not an original)?
 
I don't know what kind of virus it is...
but maybe it's in the boot sector... so I did this: to repair a damaged boot sector, at the command prompt type FIXBOOT and press Enter. Then answer "Y".

I don't know if it's going to be enough.

Stormbringer, I followed the link, but I didn't understand many things; can you explain it to me simply?

And I have a question: if I do the FDISK thing... and put in my Windows XP, is it still going to be able to detect the CD so I can reinstall it?

Anyway, thanks
 
Yes, if your XP CD is bootable (it should be); you can test that by rebooting with it in your CD drive and seeing if it tries to boot off the CD. Then you will be able to FDISK and be OK as far as getting XP back on, but you will likely want to have a Windows 98 boot floppy to make it simpler and faster to use FDISK.
 
OK, so if it's simpler to FDISK with the Windows 98 startup disk, what are the commands that I have to use, and what do I have to do after???
 
If you have a boot sector virus, then the boot sector gets rewritten with a fake boot sector, but the virus resides on the real boot sector and will keep you from fixing it with a FIXBOOT or FIXMBR command. The virus redirects such actions to the fake boot sector.
(I'm sure I'm a bit off on that description, but it's pretty close to what is going on.)
However, if you use a tool which disregards the partition and formatting info, it will wipe everything off the disk, including the virus, because it doesn't look for any data, just the physical layout of the disk.

Below is a link that explains exactly how to run a debug, which is a bit easier to follow; it also has a link to a file which creates a bootable disk containing the necessary debug script. The article and the file are linked from support.dell.com, but it isn't specific to Dell machines. I only linked to it there because I know that it is accurate. Basically, you only type what is in bold text at the prompt. The prompt is a "-" http://support.dell.com/support/top.../en/document?dn=1011054&c=us&l=en&s=dhs&cs=19

PS: you can also usually find low-level formatting tools specific to the manufacturer of your HDD on the manufacturer's website, and also here: https://www.techspot.com/vb/showthread.php?s=&threadid=7602
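As an added example (mine, not code from the thread or from the linked Dell article), a small Python parser for a 512-byte master boot record shows the difference between a first sector that still carries boot code, a partition table and the 0x55AA signature, and the all-zero first sector that is left behind once that sector is overwritten, which is why FDISK (or the XP installer's partitioning step) has to recreate the structure afterwards. The sample MBR below is constructed inside the block; the layout offsets are the standard MBR ones.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446       # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Pull the boot-code state, partition table and signature out of one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, (3 CHS bytes), type, (3 CHS bytes), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "has_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_empty": not any(sector[:PART_TABLE_OFFSET]),
        "partitions": partitions,
    }

def classify(sector: bytes) -> str:
    """Describe what a partitioning tool would find in the first sector."""
    info = parse_mbr(sector)
    if info["boot_code_empty"] and not info["partitions"] and not info["has_signature"]:
        return "raw"          # nothing to boot and nothing to mount: FDISK territory
    if not info["has_signature"]:
        return "unsigned"     # bytes present but no 0x55AA: not a bootable MBR
    if not info["partitions"]:
        return "empty-table"  # signed MBR, but no partitions defined
    return "partitioned"

def build_sample_mbr() -> bytes:
    """Constructed sample: a jump stub standing in for boot code, plus one bootable NTFS (0x07) partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 63, 2048)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    print(classify(build_sample_mbr()))  # partitioned
    print(classify(bytes(SECTOR_SIZE)))  # raw: what a zero-filled first sector looks like
```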
 
Oh, it will work if the virus is on your hard drive in any such form. But I think more than likely your "virus" is something else, some other problem, with the possibility of it (although unlikely) coming from the CD you are using to install (if it's a pirated CD).
 
Hey Stormbringer,

I didn't have the chance to post any message before.

Anyway, I did what you told me to do, the disk and the commands to enter. Then I formatted the hard disk. After that, I installed Windows XP, and I noticed that the files were still there, and these files are like a remote connection. When I log on to the internet, it reports that my connection is being used without downloading anything.

So I'm gonna let you know what programs are loading automatically:

wmiprvsl.exe
spoolsv.exe
svxhost.exe LOCAL SERVICE
svchost.exe NERWORK SERVICE
svchost.exe SYSTEM
lsass.exe SYSTEM
winlogn.exe SYSTEM
csrss.exe SYSTEM
smsss.exe SYSTEM
msiexer.exe SYSTEM
system
system idle processe

and I can notice that svchost is maybe the file doing all this...

So I don't know, do you have any advice to give???
 
I'm not familiar with "wmiprvsl.exe" or "msiexer.exe" (maybe msiexec.exe?).

The others you listed are all native to XP, with the exception of svxhost, which seems to be related to a worm.
http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_SDBOT.SR&VSect=T

svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. It is pretty much a generic host process and may be associated with many different apps, which is why you may see many instances of it running at any given time.

spoolsv.exe is a Microsoft Windows system executable which handles the printing process to your local printers.

lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. Note: lsass.exe also relates to the W32/Windang.worm, which spread via floppy disk drives. Please review the file path to clarify this.

csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.

It's not very likely that this was left behind after debugging, since the debug process wipes out all data and doesn't read any structure at all. It wipes everything, so having something left over is highly unlikely. Sounds more like you might be using a burned copy of the XP CD which is infected.
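The post above sorts the list into genuine XP processes and names that merely resemble one (svxhost.exe next to svchost.exe). As an added defender-side example (my code, not from the thread), here is a small Python triage that does the same mechanically: it checks each posted name against a short allow-list of Windows XP process names and flags anything within one or two edits of a genuine name as a lookalike to investigate. The allow-list is an illustrative subset I have assumed, not an official or exhaustive one.

```python
# Illustrative allow-list of Windows XP process names (assumed subset, not an official list).
KNOWN_GOOD = {
    "svchost.exe", "spoolsv.exe", "lsass.exe", "winlogon.exe", "csrss.exe",
    "smss.exe", "services.exe", "explorer.exe", "wmiprvse.exe", "msiexec.exe",
    "system", "system idle process",
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_process(name: str, known=KNOWN_GOOD, max_distance: int = 2):
    """Return ("known", name), ("lookalike", closest genuine name) or ("unknown", None)."""
    n = name.strip().lower()
    if n in known:
        return ("known", n)
    # sorted() makes the tie-break deterministic when two names are equally close
    closest = min(sorted(known), key=lambda k: levenshtein(n, k))
    if levenshtein(n, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)

def triage(names):
    """Group a list of process names into known / lookalike / unknown buckets."""
    report = {"known": [], "lookalike": [], "unknown": []}
    for name in names:
        verdict, match = classify_process(name)
        report[verdict].append((name, match))
    return report

# Constructed sample input: the process names exactly as transcribed in the post above.
POSTED = ["wmiprvsl.exe", "spoolsv.exe", "svxhost.exe", "svchost.exe", "lsass.exe",
          "winlogn.exe", "csrss.exe", "smsss.exe", "msiexer.exe", "system",
          "system idle processe"]

if __name__ == "__main__":
    for verdict, items in triage(POSTED).items():
        for name, match in items:
            print(f"{verdict:9} {name:22} {match or ''}")
```

A lookalike verdict also catches plain transcription typos (the poster's "system idle processe"), so it is a lead to confirm against the file's actual path and properties, as the post recommends, not a conviction on its own.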
 
I think that it's not the Windows XP CD, because this problem happened on my computer even before installing from the Windows XP CD, and I had never used it before.

At the beginning of all this, I saw that my connection was being used and that my computer was very slow. (Many programs were running, maybe 50... and svchost.exe was there, and I had many files and folders created from nowhere.)

So then I thought that I would have to format... and I used the Windows XP CD.

But I can still see the same program running on my computer after I connected to the internet.

I don't know if that means that the CD is infected... (because it was like that before).
 
Did you do the FDISK and then format, all from a Windows 98 boot floppy? If so, there is no way Windows would install and show all your old files.
 
He said he ran the debug I posted. If that is the case, then he had to FDISK and format before he could do anything with the drive; debug wipes all structure and leaves only raw unpartitioned space.

As I stated earlier, svchost is part of WinXP; it will always be there, and it can show up in multiple instances depending on how many currently running applications it is hosting.
 
Disconnect your PC from the network, rerun FDISK, reinstall XP (select reformat HD), activate the XP firewall (or better still, use ZoneAlarm), install anti-virus software, and then reconnect your network connection. If your XP is original and you still have a problem, then you must be imagining it, or getting confused :=).
 
Hi all, if I remember well, what I did is format and then run the debug on the disk... but I don't think I did FDISK, because I don't know how to do it, lol.

So if it's right... what I have to do, in order, is:
1. FDISK (I don't know how to do it... can someone give me advice???)
2. FORMAT
3. DEBUG ON DISK
4. INSTALL XP
(and when should I do the "FIXBOOT"???)

So I'd like to know if this is the order I should do it in, and how I can FDISK.

P.S. The files in the running applications aren't my old programs... those are all erased, but what's happening is that when I open my internet connection, programs are being created (I think by the remote connection), and I can see them in my running applications.

Thanks
 
If you ran the debug, then you HAD to FDISK afterward, because the disk is raw, unpartitioned space afterward. The partitioning and formatting utility included on the XP CD would have done this for you, but you'd still have had to go through the steps of creating the partition and formatting during the first part of the installation.

If you clean install XP onto a freshly made partition, there is no use for FIXBOOT; that command is for problems with an existing boot record. If you destroy the partitions, you no longer have a boot sector until you create a new one during the installation.
 
When you reinstall XP, go to Norton, McAfee and Trend Micro's websites and run the online scan to see if it detects anything.

http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

http://us.mcafee.com/root/mfs/default.asp

http://housecall.trendmicro.com/

(Easier if you don't have Norton or McAfee, along with updated subscriptions.) You won't be able to remove the virus, but it will tell you which virus it found, and you can do research from there.

More Info:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;82923
http://antivirus.about.com/cs/bootinfectors/index.htm?once=true&
 
You still have not answered our queries if yours is an original or a pirated copy of XP.

Until you can truthfully answer that, any further continuation of this thread is pointless!
 
When installing any operating system, it's advisable to install it with the network cable unplugged, and plug it in after a firewall is installed. That should prevent unwanted applications from connecting when you log on to the network.
 