Sinowal.C survives formatting

July 9, 2009 at 10:18:52
Specs: Windows XP
I had a virus alert some days ago. Posted a message here and got the invaluable help of neoark. To make the story short, the tool mbr.exe found the Sinowal virus in my master boot sector. After trying several tools, I decided to format the disk.
All becomes weird now. First, I have deleted all the partitions and created them again. This was done with the Win XP installation disk. Then I have formatted C: (normal formatting, not the quick one).
I have installed XP, plus the main drivers. As soon as the network was on, I have downloaded mbr.exe -- and it has found "malicious code" again.
So -- I unplug the network cable from the PC, boot from CD with Magic Part (a Linux tool). I delete all the NTFS partitions, including an 8 MB partition used by XP; I replace them with ext2 partitions, format them. Then I boot again with the XP CD on (network still unplugged), re-partition, re-format, re-install XP. From another computer (not infected, at least according to mbr.exe and to AVIRA) I burn a CD with mbr.exe, then I load mbr on the PC I've just formatted and I get again a log stating that there is malicious code at such and such a sector. And the network cable is still unplugged (I am posting from the sound PC).
This is SO frustrating!
Could it be a false positive? But neoark had a copy of the old boot sector analyzed and several antivirus programs detected Sinowal in there! -- could I have something in my HD that is harmless but is recognized as a virus? Or does the virus survive re-partitioning and formatting?

#1
July 9, 2009 at 11:19:57
My guess is you have never spent the time to discover HOW your computer actually works. If you had, "master boot sector" would have told you the answer!

Not to go into extreme detail:

Basically, when you first turn your computer on it has no idea what to do, it looks for instructions.

The ONLY instructions it can find is in your "boot sector", which happens to be the same place the virus is hiding!

Formatting will not make it go away. It is not on your hard drive.

It is permanently written in your BIOS (Basic Input Output System).

The only way to get rid of it is to "Flash Your BIOS", basically replace the set of instructions you now have.

_________________________
Embrace paranoia, they ARE out to get you!


#2
July 9, 2009 at 11:39:39
lol bios? http://en.wikipedia.org/wiki/Master... ... Did you do a complete format of your hard drive (re-partition it)?

If I'm helping you and I don't reply within 24 hours send me a PM.


#3
July 9, 2009 at 12:02:42
@ neoark: yes I did, several times. Btw, I read somewhere that the first 512 k (is that MBR?) in a hard disk are not affected by formatting. If this is true, removing the virus might be harder than it seemed. It seems quite weird to me that Microsoft -- or perhaps Maxtor itself -- should not produce some software for rewriting the MBR.
@ martin crandall: thank you for your kind advice. My advice is that you think *before* writing.

#4
July 9, 2009 at 12:05:47
Well, perhaps all I had to do was to start the recovery console and type fixboot and/or fixmbr? I'll try...

#5
July 9, 2009 at 12:18:38
Try Kaspersky again, it might help: http://devbuilds.kaspersky-labs.com... I will have to look into it, not sure how it affects the MBR.

If I'm helping you and I don't reply within 24 hours send me a PM.


#6
July 9, 2009 at 12:28:46
Sorry, I'm a bit sleepy, I've edited instead of replying ;-) Well, perhaps all I had to do was to start the recovery console and type fixboot and/or fixmbr before a new re-partition and format? -- This time this might kill the last instance of the virus... I'll try both this and the Kaspersky link, but it is going to take a while because I have to reinstall all the drivers!
See you later, and thank you very much!!

#7
July 10, 2009 at 10:38:06
OK, I've tried everything and it's still there. I have read an extensive analysis of Sinowal:
http://web17.webbpro.de/index.php?p...
and
http://web17.webbpro.de/index.php?p...
It turned out that the virus has very many variants and copies itself in several places in the hard disk. Thus, what is your advice about following this procedure:
(1) boot from Linux Live CD, load Linux tool, delete all partitions including Windows 8 MB partition for XP use;
(2) completely erase disk by writing zeroes; -- only ONE copy of the virus should be left, that is, the one in MBR;
(3) boot from XP installation disk; start recovery console, FIXMBR -- this should kill the last copy;
(4) reinstall and eventually run mbr.exe.
In case the bad guy is still there, how could I check whether mbr.exe is somehow fooled? I mean, could this be a "false positive"? I might perhaps copy the infected sector to a file and send it to some site for analysis, like neoark did?

#8
July 10, 2009 at 11:27:34
Did Kaspersky detect it?

If I'm helping you and I don't reply within 24 hours send me a PM.


#9
July 10, 2009 at 15:04:54
Yes, it did --- but I have eventually SUCCEEDED!!!!
It's very late now in my part of the world, and I have to get up early tomorrow, but I'll come back asap to give more details. It was difficult to remove the virus, and the procedure I've followed might be useful to someone else who has run into the same prob...
For the moment, LOTS OF THANKS to neoark, both for your advice and for sharing the burden as it were!!

#10
July 12, 2009 at 11:04:35
OK, this is the procedure I have followed:
(1) Boot from the CD of Magic Part (this is a free Linux tool; many others can be used in its place)
(2) Delete all partitions on HD, so that all the HD space is a big unpartitioned area. Remember to apply the changes. (This is a critical step: from the XP installation CD you have no way to format or delete the 8 MB unpartitioned area at the end of your disk, and it is exactly there that the virus puts a copy of itself.)
(3) Completely erase disk contents; several procedures are possible. Try internal erasing, then the "dd" one -- it writes zeroes on all the disk, except the MBR! (this takes more or less one hour for 250 GB).
(4) At this stage, only one copy of the virus is left, that is, in the MBR (master boot record) of the HD. This can be removed by rebooting from the XP installation CD, entering the recovery console (R), typing "FIXMBR".
(5) However, what I did was a bit different: since I had an old Acronis image of the active partition of my HD, I booted from the Acronis 9 CD and restored the old partition (my hope was that Acronis 9 would also overwrite the MBR). I do not really know whether this step was effective or not -- I do not even know whether Acronis 9 overwrites the MBR (there is an MBR option in Acronis 10 but not in Acr.9). Only after restoring the image I rebooted from the XP installation CD, entered the recovery console by pressing "R" and typed "FIXMBR".
(6) As soon as you have installed XP again, run mbr.exe to check... (AND install a good antivirus AND make a user account with no administrative rights for normal use of your pc!)
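
The procedure above treats two areas as the places a normal format never touches: the MBR itself and the unallocated space after the last partition. As an added example (not code from the thread or from mbr.exe), here is a small Python parser for a raw 512-byte MBR image, such as one captured from a Linux live CD with `dd if=/dev/sda bs=512 count=1 of=mbr.bin`: it checks the 0x55AA boot signature, hashes the bootstrap code, lists the partition table, computes how many sectors lie after the last partition, and diffs the bootstrap area of two images (e.g. the suspect sector against the copy taken after FIXMBR). The disk geometry in the sample is constructed, not taken from the poster's machine.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFFSET = 446   # bootstrap code occupies bytes 0..445
SIG_OFFSET = 510          # boot signature 0x55 0xAA in the last two bytes

def parse_mbr(sector: bytes) -> dict:
    """Parse a raw MBR: bootstrap hash, four 16-byte partition entries, signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    boot = sector[:PART_TABLE_OFFSET]
    return {
        "signature_ok": sector[SIG_OFFSET:] == b"\x55\xaa",
        "bootstrap_sha256": hashlib.sha256(boot).hexdigest(),
        "bootstrap_is_zero": not any(boot),
        "partitions": parts,
    }

def unallocated_tail_sectors(mbr: dict, disk_sectors: int) -> int:
    """Sectors after the end of the last partition: space an in-partition format never rewrites."""
    end = max((p["lba_start"] + p["sectors"] for p in mbr["partitions"]), default=1)
    return max(disk_sectors - end, 0)

def bootstrap_diff(sector_a: bytes, sector_b: bytes) -> list:
    """Byte offsets where the bootstrap code of two MBR images differs (suspect vs. known-good)."""
    return [i for i in range(PART_TABLE_OFFSET) if sector_a[i] != sector_b[i]]

def build_sample_mbr() -> bytes:
    """Constructed sample: a 2-byte jump plus zero padding as bootstrap, one bootable NTFS
    partition starting at LBA 63 on a ~250 GB disk, valid signature. Not a real disk image."""
    boot = b"\xeb\xfe" + bytes(PART_TABLE_OFFSET - 2)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 488_380_000)
    return boot + entry + bytes(16 * 3) + b"\x55\xaa"

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print(info)
    # constructed geometry: 488,397,168 sectors of 512 bytes, about 250 GB
    print("unallocated tail sectors:", unallocated_tail_sectors(info, 488_397_168))
```

Reading the first sector is sufficient for the MBR check; the sectors reported by `unallocated_tail_sectors` are the region the poster describes as the 8 MB area that the XP installer cannot delete.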
