

Quest for BOOT SECTOR confidence


2 replies to this topic

#1 winst0n

winst0n

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:23 PM

Posted 21 August 2009 - 09:53 PM

Anyone try any tools to examine / verify boot sectors with some translation from machine to human readable?

I won't be trying windows for a while ...

21265 was the final virus count from Klam.
I went and erased whole directories of HTML files.
Klam Anti-Virus has found 3 "broken executables" in the Linux File System that I am inclined to leave.
(it's libfglrx_ip.a.GCC4 that was updated twice).
Before I attempt another Windows distribution I would like to obtain BOOT SECTOR confidence.
I'm still a ways away from looking at raw Hex dumps.
I've been fiddling with partitions a little and some unexpected things have been happening.
I've been getting Physical/Logical discrepancies.

Something that was infected is making me think a different win distro may be necessary:

Has anyone ever heard of a reason for a "USB" folder that does not correspond to an actual flash drive?
What I have COULD be legitimate but I am concerned that virus activity either independently, or packaged with my Windows distribution may be the cause.

winston@ubuntu-9-04:/media$ ls
cdrom disk floppy ntfsdisk USB\040DISK
cdrom0 disk-1 floppy0 RED\0402GB WHITE-DT-8G

winston@ubuntu-9-04:/media$ cd USB\ DISK
bash: cd: USB DISK: No such file or directory
winston@ubuntu-9-04:/media$ cd USB*
winston@ubuntu-9-04:/media/USB\040DISK$ ls
boot.bin DOCS $OEM$ syslinux.cfg VALUEADD WIN51IP
boot.catalog I386 README.HTM ubnfilel.txt vesamenu.c32 win51ip.SP3
cmpnents OEM SUPPORT ubnpathl.txt WIN51
winston@ubuntu-9-04:/media/USB\040DISK$ cd \$OEM\$
winston@ubuntu-9-04:/media/USB\040DISK/$OEM$$ ls
$$ $Docs
winston@ubuntu-9-04:/media/USB\040DISK/$OEM$$ cd \$\$
winston@ubuntu-9-04:/media/USB\040DISK/$OEM$/$$$ ls
OEMDIR Resources system32 Web
winston@ubuntu-9-04:/media/USB\040DISK/$OEM$/$$$


At one point I was trying to make a bootable Flash from the distro so it may be some kind of buffer folder that I can erase.
I will cross-post in a Linux Forum.

#2 winst0n

winst0n
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:23 PM

Posted 22 August 2009 - 11:20 PM

Sorry about posting without the DDR or DDS or the other log.
But I ran the second scan and Klam said it's clean.
So I think I've got some Avira tools to run.
It's been a couple of days so these notes become notes to self for me to back-reference.

I know no matter what I do apart from wiping my drives is "certifiable" advice.
That being said does anyone have any recommendations for BOOT SECTOR tools?

I found a very technical document laying out the address particulars of FAT32.

Microsoft Extensible Firmware Initiative FAT32 File System Specification
FAT: General Overview of On-Disk Format

Version 1.03, December 6, 2000
Microsoft Corporation


The FAT (File Allocation Table) file system has its origins in the late 1970s and early 1980s and was the file system supported by the Microsoft® MS-DOS® operating system.


slightly grokable bit here:

General Comments (Applicable to FAT File System All Types)
All of the FAT file systems were originally developed for the IBM PC machine architecture. The importance of this is that FAT file system on disk data structure is all “little endian.” If we look at one 32-bit FAT entry stored on disk as a series of four 8-bit bytes—the first being byte[0] and the last being byte[4]—here is where the 32 bits numbered 00 through 31 are (00 being the least significant bit):

byte[3]  31 30 29 28 27 26 25 24
byte[2]  23 22 21 20 19 18 17 16
byte[1]  15 14 13 12 11 10 09 08
byte[0]  07 06 05 04 03 02 01 00

This is important if your machine is a “big endian” machine, because you will have to translate between big and little endian as you move data to and from the disk.

A FAT file system volume is composed of four basic regions, which are laid out in this order on the volume:
0 – Reserved Region
1 – FAT Region
2 – Root Directory Region (doesn’t exist on FAT32 volumes)
3 – File and Directory Data Region


From here I'll need to get into Assembly unless I can find a good BOOT SECTOR tool.
Got some stuff on the Universal Boot CD.
Once again I'll cross post on a linux forum.
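The spec excerpt quoted above gives the two pieces needed for a small boot-sector checker: every multi-byte field is little-endian (byte[0] carries bits 0..7), and the volume is laid out as reserved, FAT, root-directory and data regions in that order. The following Python is an added example written for this thread; it is not code from the poster, from BleepingComputer, or from Microsoft's document. The 512-byte sample sector it builds is constructed for the demonstration (the values are plausible, not copied from any real drive), and the field names in the comments (BPB_BytsPerSec, BPB_RsvdSecCnt, BPB_FATSz32 and so on) are the ones the spec uses at those byte offsets. It reads the BPB, checks the 0x55AA signature and a few other sanity conditions, computes where each region starts, and decodes 32-bit FAT entries the way the byte diagram describes.

```python
import struct

# Byte offsets of boot-sector / BPB fields follow the Microsoft
# "FAT: General Overview of On-Disk Format" document quoted in the thread.
# Every multi-byte field is little-endian, hence the "<" in the struct formats.

def build_sample_boot_sector():
    """Return a constructed 512-byte FAT32 boot sector (sample data, not a real disk)."""
    sec = bytearray(512)
    sec[0:3] = b"\xEB\x58\x90"                  # BS_jmpBoot: short jump over the BPB
    sec[3:11] = b"MSWIN4.1"                     # BS_OEMName
    struct.pack_into("<H", sec, 11, 512)        # BPB_BytsPerSec
    sec[13] = 8                                 # BPB_SecPerClus
    struct.pack_into("<H", sec, 14, 32)         # BPB_RsvdSecCnt (size of reserved region)
    sec[16] = 2                                 # BPB_NumFATs
    struct.pack_into("<H", sec, 17, 0)          # BPB_RootEntCnt, must be 0 on FAT32
    struct.pack_into("<H", sec, 19, 0)          # BPB_TotSec16, 0 when TotSec32 is used
    sec[21] = 0xF8                              # BPB_Media (fixed disk)
    struct.pack_into("<H", sec, 22, 0)          # BPB_FATSz16, must be 0 on FAT32
    struct.pack_into("<I", sec, 32, 2097152)    # BPB_TotSec32 (1 GiB of 512-byte sectors)
    struct.pack_into("<I", sec, 36, 2048)       # BPB_FATSz32 (sectors per FAT)
    struct.pack_into("<I", sec, 44, 2)          # BPB_RootClus
    sec[510], sec[511] = 0x55, 0xAA             # boot sector signature
    return bytes(sec)


def parse_boot_sector(sec):
    """Decode the BPB fields and run the plausibility checks a verifier would."""
    if len(sec) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sec[510] != 0x55 or sec[511] != 0xAA:
        raise ValueError("missing 0x55AA signature at offset 510")
    if sec[0] not in (0xEB, 0xE9):
        raise ValueError("BS_jmpBoot does not start with a jump opcode")
    f = {"oem_name": sec[3:11].decode("ascii", "replace")}
    (f["bytes_per_sector"], f["sectors_per_cluster"], f["reserved_sectors"],
     f["num_fats"], f["root_entry_count"], f["total_sectors_16"], f["media"],
     f["fat_size_16"]) = struct.unpack_from("<HBHBHHBH", sec, 11)
    f["total_sectors_32"], f["fat_size_32"] = struct.unpack_from("<II", sec, 32)
    f["root_cluster"] = struct.unpack_from("<I", sec, 44)[0]
    if f["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        raise ValueError("implausible bytes per sector")
    spc = f["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        raise ValueError("sectors per cluster must be a power of two")
    if f["num_fats"] not in (1, 2):
        raise ValueError("unexpected number of FATs")
    return f


def region_layout(f):
    """Compute the four on-disk regions (reserved, FAT, root dir, data) in sectors."""
    bps = f["bytes_per_sector"]
    fat_size = f["fat_size_16"] or f["fat_size_32"]
    total = f["total_sectors_16"] or f["total_sectors_32"]
    root_dir_sectors = (f["root_entry_count"] * 32 + bps - 1) // bps   # 0 on FAT32
    first_fat = f["reserved_sectors"]
    first_root = first_fat + f["num_fats"] * fat_size
    first_data = first_root + root_dir_sectors
    clusters = (total - first_data) // f["sectors_per_cluster"]
    # The cluster count, not any label in the boot sector, decides the FAT type.
    fat_type = "FAT12" if clusters < 4085 else "FAT16" if clusters < 65525 else "FAT32"
    return {"reserved": (0, first_fat), "fat": (first_fat, first_root),
            "root_dir": (first_root, first_data), "data": (first_data, total),
            "cluster_count": clusters, "fat_type": fat_type}


def fat32_entry(fat_bytes, n):
    """Read FAT entry n: four little-endian bytes, byte[0] holding bits 0..7.
    Only the low 28 bits are meaningful on FAT32; the top nibble is reserved."""
    return struct.unpack_from("<I", fat_bytes, n * 4)[0] & 0x0FFFFFFF


def describe_entry(value):
    """Classify a 28-bit FAT32 entry value in words."""
    if value == 0:
        return "free"
    if value == 0x0FFFFFF7:
        return "bad cluster"
    if value >= 0x0FFFFFF8:
        return "end of chain"
    return "next cluster %d" % value


def describe(sec):
    """Human-readable lines for a boot sector, the translation the thread asks about."""
    f = parse_boot_sector(sec)
    r = region_layout(f)
    lines = ["OEM name: %s" % f["oem_name"],
             "%d bytes/sector, %d sectors/cluster, %d FATs" %
             (f["bytes_per_sector"], f["sectors_per_cluster"], f["num_fats"]),
             "type by cluster count: %s (%d clusters)" % (r["fat_type"], r["cluster_count"])]
    for name in ("reserved", "fat", "root_dir", "data"):
        lo, hi = r[name]
        lines.append("%-9s sectors %d..%d" % (name, lo, hi - 1))
    return lines


if __name__ == "__main__":
    for line in describe(build_sample_boot_sector()):
        print(line)
    # Constructed FAT fragment, entries 0..4. Entries 0 and 1 are reserved by the
    # spec, so decoding starts at cluster 2: 2 -> 3, 3 = end of chain, 4 = free.
    fat = bytes.fromhex("f8ffff0f ffffff0f 03000000 ffffff0f 00000000")
    for n in range(2, 5):
        print("entry %d: %s" % (n, describe_entry(fat32_entry(fat, n))))
```

To run it against a real volume instead of the sample, read the first 512 bytes of the partition device (for instance `dd if=/dev/sdX1 bs=512 count=1`) and pass them to `describe`. The checks are deliberately structural: a sector that passes them is well-formed, which is a precondition for trusting it, not proof that its boot code is benign.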

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:23 AM

Posted 25 August 2009 - 01:38 PM

Two experts have already responded to your various topics and advised your system was infected with Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer.

As already noted by those experts, Virut is not effectively disinfectable and your best option is to perform a full reformat as there is no guarantee this infection can be completely removed.

If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even the vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD utilities that are used to boot from for repair of unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability. If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

Note: In order to use a rescue disk, the boot order must be set to start from the CD-ROM drive. If the CD is not first in the boot order, the computer will attempt to start normally by booting from the hard drive. The boot order is a setting found in the computer’s BIOS which runs when it is first powered on. This setting controls the order that the BIOS uses to look for a boot device from which to load the operating system. The default will normally be A:, C:, CD-ROM. Different computers have different ways to enter the BIOS. If you're not sure how to do this, refer to:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.