question about viruses

[jimdagys]

I have been experimenting with downloading things from very dubious sources. Today when I clicked on an exe, the whole Windows shut down. The screen said something like, "Windows had to shut down to protect your computer. If you have seen this before..." I am curious what kind of virus would cause that kind of situation. And the other day I picked up something that made the McAfee go crazy and would not let me delete anything from the computer.
Restoring the C drive with a Ghost image solved that problem, but my question is, will restoring the C drive always solve the problem? Could the virus get into the Bios or other part of the computer? Could the virus infect files on the D and E drive? If so, what would one do in these cases?

[neomaine]

You're visiting dubious sites and running McAfee?

That's like mountain biking while holding a loaded gun cocked and ready to shoot pointed directly at your head. Simply, you don't have a chance in hell to make it.

1 - Don't visit dubious sites. Get your porn from friends who visit them.
2 - Dump McAfee and run a more robust AV tool. I happen to run Avast. Others would recommend AVG Free. Both much more capable. And no, Norton's isn't any better.
3 - Your re-ghosting will continue to work as long as:
a - Your image isn't corrupt. But, with McAfee, you'll never know for sure.
b - If the virus manages to wipeout your BIOS, and you don't have a dual-bios setup
or some other kind of protection, your mobo is screwed.

[freebird73717]

I have been experimenting with downloading things from very dubious sources.

Why play with fire?

[jman98]

Restoring the C drive with a Ghost image solved that problem, but my question is, will restoring the C drive always solve the problem?

Always? I think in most cases this will work, but I am not comfortable with saying "always". There might be an exception.

Could the virus get into the Bios or other part of the computer?

It's highly unusual, but a recent virus was able to ruin certain very specific BIOS versions. The virus couldn't live in BIOS, but it was able to overwrite the BIOS with garbage.

Could the virus infect files on the D and E drive? If so, what would one do in these cases?

Yes, extra drives can certainly be infected. Scanning and removing with a good anti-virus program is the best solution.

[Midzuki]

Worms and rootkits are the usual cause of the problems you have experienced.
BTW: NOD32 is much better than McAfee.

[jimdagys]

Dual-bios setup. I never heard of that before.

[disturbed1]

Bios virus exist. That's why most BIOS have an antivirus scan

I'd be more worried about a boot sector virus. Unless you imaged your complete hard drive, and not just the partition, you could still be infected after a reinstall. It's sometimes called an infected MBR (master boot record).

Visit McAfee's site for help on uninstalling the application. It isn't as easy as ControlPanel, add remove programs, uninstall. McAfee embeds itself pretty deep. Just like a deer tick, giving your computer Lyme disease.

http://en.wikipedia.org/wiki/Computer_virus
http://www.avast.com

[neomaine]

... McAfee embeds itself pretty deep. Just like a deer tick, giving your computer Lyme disease.

[jimdagys]

Where is the boot sector? Not on C drive? I image my C drive.

[disturbed1]

Depends on who what and how the drive was partitioned, and what options you chose with Ghost.

hd(0,0) Means the first hard drive on the first bus. Drive C:\ to you. Windows (98% of the time) is installed in hd(0,1) the first partition on the first hard drive of the first bus. The MBR lies on hd(0,0). EVERY OS uses a boot manager to load. This boot manager is usually put to the MBR hd(0,0). If you have a boot virus, you can't load Windows. For windows you want to look at the hidden file called boot.ini. Ghost has a few options. You would have to image the complete drive with all partitions. Not just the windows installation.

Press Windows-Key and R to get the run command dialog. Type notepad c:\boot.ini to take a look at what the boot loader does. You might see something like this -

Code:

[boot loader]
timeout=15
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

Forget the rest, been too long

By contrast, this is a couple of lines from one of Linux's boot loaders GRUB looks like

Code:

title  Arch Linux
root   (hd0,0)
kernel /boot/vmlinuz26 root=/dev/sda1 ro vga=794
initrd /boot/kernel26.img

Both a little cryptic if you haven't seen it before. www.google.com has some answers

[jimdagys]

I've been looking on Google about the master boot record. One method I see that is frequently mentioned is using the Xp disk and going into the Recovery console and type in fixmbr to repair the master boot record. Does this usually work if a virus damages the master boot record? Also, I thought a lot of new computers don't come with the Xp disk, only come with a recovery disk. In this case, how could you repair the master boot record (if you didn't have the Xp disk)?

[Abbadon]

I think the correct term is Master Boot Sector, not record, and looks like this:

0 1 2 3 4 5 6 7 8 9 A B C D E F
0000 FA 33 C0 8E D0 BC 00 7C 8B F4 50 07 50 1F FB FC .3.....|..P.P...
0010 BF 00 06 B9 00 01 F2 A5 EA 1D 06 00 00 BE BE 07 ................
0020 B3 04 80 3C 80 74 0E 80 3C 00 75 1C 83 C6 10 FE ...<.t..<.u.....
0030 CB 75 EF CD 18 8B 14 8B 4C 02 8B EE 83 C6 10 FE .u......L.......
0040 CB 74 1A 80 3C 00 74 F4 BE 8B 06 AC 3C 00 74 0B .t..<.t.....<.t.
0050 56 BB 07 00 B4 0E CD 10 5E EB F0 EB FE BF 05 00 V.......^.......
0060 BB 00 7C B8 01 02 57 CD 13 5F 73 0C 33 C0 CD 13 ..|...W.._s.3...
0070 4F 75 ED BE A3 06 EB D3 BE C2 06 BF FE 7D 81 3D Ou...........}.=
0080 55 AA 75 C7 8B F5 EA 00 7C 00 00 49 6E 76 61 6C U.u.....|..Inval
0090 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61 62 id partition tab
00A0 6C 65 00 45 72 72 6F 72 20 6C 6F 61 64 69 6E 67 le.Error loading
00B0 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 operating syste
00C0 6D 00 4D 69 73 73 69 6E 67 20 6F 70 65 72 61 74 m.Missing operat
00D0 69 6E 67 20 73 79 73 74 65 6D 00 00 00 00 00 00 ing system......
00E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 01 ................
01C0 01 00 0B 7F BF FD 3F 00 00 00 C1 40 5E 00 00 00 ......?....@^...
01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............U.
0 1 2 3 4 5 6 7 8 9 A B C D E F

[disturbed1]

I think the correct term is Master Boot Sector, not record, and looks like this:

http://en.wikipedia.org/wiki/Master_boot_record

The Master Boot Record - MBR resides on the boot sector of the hard disc. Note, there is no such thing as an MBS

[Midzuki]

What if the boot sector is 512-byte long

[Abbadon]

I think the correct term is Master Boot Sector, not record, and looks like this:

http://en.wikipedia.org/wiki/Master_boot_record

The Master Boot Record - MBR resides on the boot sector of the hard disc. Note, there is no such thing as an MBS

Thanks, correction noted.

[Video Head]

I have been experimenting with downloading things from very dubious sources.

I like neomaine's mountain biking analogy. I would also liken it to seeing how far you can freefall before it kills you.

If you are not being paid to do this or conducting thesis material research for your Masters Degree in Computer Sciences you must be really, really bored or some kind of masochist. I certainly hope this is a purpose built test lab computer and not your personal machine loaded with personal data...

[redwudz]

If you really want to explore the 'dark corners' of the internet, you have to take a few more precautions. I would use a hardware router, a software firewall (I like Comodo), a decent antivirus like AVG or Avast (For freeware), SpyBot S&D, along with a program like SpyWare Blaster or ADware. Run the last ones frequently and keep all of them updated.

And be sure to keep your recovery media somewhere other than the computer. DVD data discs work fairly well. If you get a serious infection, repartition and reformat the boot drive before you install your backup.

Also back up any files you can't afford to lose on external media. Don't do any banking or credit card transactions on the computer if you can avoid it and if you have to, run a full malware scan before you even consider it.

.exe files are especially dangerous, but other files disguised as something innocuous can also contain malware. But even with all those anti-malware precautions and programs, if you run any program that is unknown to you, you've invited it in and it can bypass all your protection and you will likely have some damage.

[träskmannen]

Try using sandboxie along with the rest of the suggestions. It doesn't replace any of the other softwares, you need it all!

[jimdagys]

Redwudz, I am someone who needs a 1 (or 2) click solution. Restoring the C drive with Ghost DVD image is a very useful simple 2 click operation that I can handle. But you said, "repartition and reformat the boot drive before you install your backup.", How do you repartition and reformat the boot drive? Is that done with the repair console of the Windows disk? What if you don't have the Windows disk? (For example, how do I make a cd that will boot the computer and restore the boot sector.) I've looked on Google about this and am still confused. Are there any 1 click softwares that can help me do this? I have a cd drive on my computer, not a floppy drive. How can I get a cd that will start the computer and allow me to repartition and reformat the boot drive? My Ghost restore disk will boot the computer into Dos. But then it automatically restores the C drive. From what I've been reading, maybe I need to be able to restore the boot sector if I can't start Windows. Ghost Help doesn't seem to talk about the boot sector. I just assumed that restoring the C drive would restore the boot sector. Apparently not? The geek rhetoric on this topic is pretty high. Simple answers and directions that I can follow would be really helpful. Example of geek rhetoric is the above posting of the boot sector. Looks pretty, but if I print out that hexadecimal code and hold it in front of the computer when Windows won't start because of a corrupted boot sector, will that solve the problem?

[redwudz]

AFAIK, if you repartition and reformat, you restore the Master Boot Record. You can also obtain a Bart PE disc off the net or look for The Ultimate Boot CD and both should be able to repair and partition a hard drive when used with a CD drive to boot.

However, I would just keep one of those handy. Most times, just using Ghost should be enough if you really mess up the system. Probably mentioned somewhere in this thread, but I would also use Firefox instead of Internet Explorer as a browser. It's much more malware resistant than IE.

The Sandboxie program träskmannen mentions is also a good way to isolate your hard drive and OS from the 'nasties'. DL'd programs can be ran inside it without installing them in the OS. If they turn out to be malware, just delete them and they're gone.

[jimdagys]

Thank you for the useful reply. It seems that both Bart PE and The Ultimate Boot CD require you to "build" the boot cd that you will use when Windows won't start. The term "build" is a geek term if I ever saw one. Apparently you need to "build" your own cd due to copyright issues not allowing the finished cd be available. And you need your original Windows Xp install cd to build the boot cd. Some people don't have their original Xp cd. I am looking right now on the web to see if somebody has already graciously "built" a Bart PE cd, but I'm not sure if I can find that. I found one place that might have what I'm looking for, but says,"only for motherboard with AC97-codec."
I have no idea if my motherboard has a AC97-codec.
Another question, is there a software that I can use to image the boot sector (apparently, using Ghost to image C drive doesn't image the boot sector) so that when my boot sector is corrupted, all I have to do insert the restore disk to restore the boot sector to its original? It seems that would be an easy solution.