I Need Help With a "Paranoia Format".


grew7
December 8th, 2005, 01:40 AM
http://forums.windrivers.com/showpost.php?p=451231&postcount=4

http://www.pcmag.com/article2/0,1759,1644027,00.asp

I do have the "twunk_32.exe" file, as well as "twunk_16.exe" and some other bad executables, so I know I have this. Also, my computer runs slowly and will sometimes just freeze. I have used Ewido free trial, free AVG, McAfee, Spybot, HijackThis, and Adaware to try fixing it. They don't find anything. Then I find the problem files when I look through my files.

It spreads to every computer on my network. I have reformatted all of them and it is still alive.

Two of these PCs are desktops, one is a laptop. I know how to take the case off a desktop, but not how to take one apart and put it back together again. I know absolutely nothing about taking apart laptops, though I imagine they can't be too different, just a lot smaller.

What do I need? I need easy-to-follow instructions on how to do this.

confus-ed
December 8th, 2005, 08:12 AM
I think NooNoo must have been feeling over-diligent when she wrote all of that lot - that's very paranoid indeed ! But Boot sector/Cmos Viruses are tricky suckers :rolleyes: (or should that be an F in that last word ? :D)

I think what I'd say to try is, getting myself a bootable virus scanner* & see what that's got to say about matters/helps any - it should at least hopefully manage to alert you if you really do have a bootsector virus or something lodged in cmos that we need to kill to prevent re-infection (Saves any taking to bits for just now, until we are sure we need to ;))

* for this, I'd say make yourself a bootable 98 floppy on an uninfected machine & then download F-prot for Dos - you can find stuff for both of those here (http://www.bootdisk.com) or google :).

grew7
December 8th, 2005, 10:45 AM
I'm using Windows XP, shouldn't I get an XP floppy?

If not, I don't have any earlier version of windows. I think this guide has the files needed for making a bootable 98 floppy, though. Ctrl + F "MAKE A BOOTDISK" to see the one I'm talking about:

http://www.bootdisk.com/readme.htm#howto

confus-ed
December 8th, 2005, 12:57 PM
I'm using Windows XP, shouldn't I get an XP floppy?


Floppy disks made by xp won't boot - you can't fit the files you need to handle NTFS all on one floppy disk (needs 3 & takes ages to make & to boot) - A 98 boot floppy boots you to dos & is much quicker, & then F-prot for dos will then fit onto that and another floppy disk, so that you can run everything from there :)

Windows 98 (http://www.troyedwards.com/downloads/BootDisks/boot98.exe) (that's just nicked from bootdisk.com - they seem to have removed the wording which tells you it's an 'exe' that'll make you a floppy in the right format & with the right files to boot, just as if you made it on a 98 machine)

Now, I've just realised, you've re-installed all these o/s's & I set off answering this as if there was nothing on 'em ! Arrrrgh ! :knife:
..please tell me that these installs are on FAT32 & not ntfs (you can choose either for an xp install, but the default choice is NTFS) -else we need a new tack, or I'm gonna have to talk you through how to use some utility to read NTFS from dos ..

grew7
December 8th, 2005, 02:38 PM
When I reinstall, I'm not sure how to get FAT32, I only saw an option for NTFS, so I did that. I have no problem with reformatting and just not installing an OS over it, though. That would make it like there was nothing on them, which is what you were explaining for, right? Would that make it easier?

confus-ed
December 8th, 2005, 05:23 PM
... I have no problem with reformatting and just not installing an OS over it, though. That would make it like there was nothing on them, which is what you were explaining for, right? Would that make it easier?

Using the method I was intending, much ! .. however I just had second thoughts - do you have access to some 'clean' machine with a cd burner ? Something like the ultimate boot cd (http://www.ultimatebootcd.com/) has everything we need & its free ;) (if you don't we still also need a LLF {low level format utility} as format is a bit like ripping the index out of a book, & what we actually need is tippex all over the pages so that we can't read anything that might've been there before whatsoever - again bootdisk.com (http://www.bootdisk.com) has some of those in its utility section, or use the appropriate one for your make of drive - as all manufacturers have those freely available for download)

I'm still not so sure you aren't re-infecting yourself somehow, as boot/cmos viruses are pretty uncommon & the one you seem to have identified, I can't find trace of as a boot/cmos variant - only a windows-borne virus, so let's just do one machine first & get that up & going 'clean' - as much as a test as anything .. I think I'd use one of the desktops for this, just in case it really is some boot/cmos virus & we have to resort to taking the machine to bits, as that'll be easier than experimenting on a laptop.

grew7
December 8th, 2005, 06:43 PM
Actually, I've got another computer that is never used online, just in case something should happen to the others and we'd need one that didn't have any problems.

I don't think I'm reinfecting myself, I just reinstalled some AV programs I backed up, like AVG free, SB:S&D, AW and HJT, allowed them to update, and then scanned. They all found stuff. o.o;

confus-ed
December 9th, 2005, 04:23 AM
I will say that one of the problems with this kind of virus is that it's specifically attacking Anti-virus stuff so I'd be most leery about any backups you may have made, as you may well have had infection at the point you made 'em ..

You need to be really sure that you aren't re-infecting yourself, or we'll just go around & around, & 'from over here' it's impossible for me to advise, all I can do is take your word for it ..

grew7
December 9th, 2005, 10:29 AM
Hm. Good point. I'll try reformatting, and then redownloading the AV software instead of reinstalling it.

shamus
December 9th, 2005, 06:04 PM
fdisk it before you reformat and run fdisk /mbr to make sure there's no corruption in the master boot record...

grew7
December 9th, 2005, 06:36 PM
I have no idea how to "fdisk" something, or even what "fdisk" means. :\

Platypus
December 9th, 2005, 09:11 PM
"fdisk" is the DOS Fixed Disk partitioning utility, FDISK.EXE

It's primitive, but allows you to delete the existing partition information and re-establish new partitions. This process deals only with the Partition Table, but you can also run FDISK with the /MBR switch (thus: FDISK /MBR) to write a standard Master Boot Record into the boot sector of the drive. This is usually sufficient to overwrite the code of a boot sector virus thus eliminating it.

Using a zero-fill utility to clear the entire user area of the drive is the thorough (but much more time consuming) way to go.

More significant is the fact that a boot sector virus comes from somewhere originally, hence the emphasis on scrupulously checking all disks, backups etc that have been associated with the affected system. Regardless of the cleanup process utilised, if an infected disk is accessed by the system, the virus can immediately re-infect.

grew7
December 9th, 2005, 09:44 PM
So, I restart my computer, press F8, start in DOS, then type in "FDISK.EXE /MBR" and hit enter? o.O

shamus
December 10th, 2005, 10:39 AM
That was an excellent explanation of the process Platypus. :thumbs:

and yes, grew7, just type in fdisk /mbr at a Dos prompt like you mentioned. The results will be unnoticeable I might add. The screen may blink but there is no confirmation that the boot sector has been rewritten. It's just one of those 'mystical' Dos things. :)

geoscomp
December 10th, 2005, 10:52 AM
So, I restart my computer, press F8, start in DOS, then type in "FDISK.EXE /MBR" and hit enter? o.O


I wasn't aware that windows xp could be started in dos by clicking on f8..you can get a command prompt, but that's it..also, Microsoft specifically says to avoid using fdisk /mbr to treat a boot sector virus..fdisk /mbr and fixmbr only affect the mbr, and not the partition table.
Avoid Using the Fdisk /mbr Command to Treat Viruses
Do not depend on the MS-DOS command Fdisk /mbr, which rewrites the MBR on the hard disk, to resolve MBR infections. Many newer viruses have the properties of both file infector and MBR viruses, so restoring the MBR does not solve the problem if the virus immediately reinfects the system. In addition, running Fdisk /mbr in MS-DOS on a system infected by an MBR virus that does not preserve or encrypt the original MBR partition table permanently prevents access to the lost partitions. If the disk was configured with a third-party drive overlay program to enable support for large disks, running this command eliminates the drive overlay program and you cannot start up from the disk.

here is Microsoft's take on cleaning boot sector or mbr viruses on xp (http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prkd_tro_oxhc.asp)

shamus
December 10th, 2005, 11:01 AM
Nice find geoscomp. I wasn't aware of that.

Platypus
December 10th, 2005, 06:41 PM
So, I restart my computer, press F8, start in DOS, then type in "FDISK.EXE /MBR" and hit enter? o.O

Well no, actually I was continuing the line of thought already being followed, using a boot floppy disk to do a clean format. The boot disk would have several utilities on it including FDISK.EXE and FORMAT.EXE

As both myself and geoscomp have indicated, if the system is infected with a boot sector virus, accessing any disk that itself has the infection can re-instate the boot virus immediately. This includes the system drive - if the virus is a combined boot sector & file infector, as soon as the system runs the boot sector can be re-infected from a startup file.

The real point of a "paranoia" re-format is that the infection could be coming from anywhere, so you're attempting to cover all bases. To go as far as removing parts from the system is mostly to address the user's paranoia! But a cold re-format (preferably with a zero-fill) from a write-protected, known virus free boot disk followed by scrupulous inspection of all backups and disks that could be used in the system, is sound practice for recalcitrant infections.

A cold start (booting straight from the floppy disk when the system has been disconnected from the mains for a period) prevents some techniques used to survive a reboot. Then using fdisk & a reformat may be enough to eliminate the infection from the drive but doesn't qualify as a paranoia re-format; a zero fill (repeated if you wish to be super careful) should definitely do it.

That doesn't address the possibility of one of the rare BIOS infecting viruses; the paranoid response here is to re-flash the BIOS (or re-load from the reserve BIOS on a dual-BIOS board) and if possible use a board that has a hardware jumper to physically enable/disable writing to the BIOS EEPROM.

As geoscomp's link explains, there can be some potential problems with using FDISK /MBR without a re-format. Maybe the most serious could be if the drive has an encrypting stealth boot sector virus. This encrypts the boot sector and hides a copy of the real boot sector somewhere on the hard drive - the drive can only be accessed if the virus is active in memory to show the real boot sector to the system. The only indication of this may be an inaccessible drive when booting from a floppy disk, and FDISK reporting strange Non-DOS partitions. If your drive is using NTFS so you don't expect FDISK to report DOS partitions anyway, you may think this is just an odd NTFS installation or a corrupted boot sector. If you try to fix it with FDISK /MBR or FIXMBR from the Recovery Console, the contents of the drive can be rendered inaccessible.
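The MBR layout behind the points Platypus and geoscomp make above (FDISK /MBR rewrites only the boot code and leaves the partition table alone, so a stealth virus that keeps the real table elsewhere turns that into data loss), as an added example that is not code from the thread. The 512-byte layout is real; the sample boot code and partition bytes are constructed, and the functions here are a simplified model, not FDISK itself.

```python
# Added example, not code from the thread: a model of the 512-byte MBR layout showing
# why FDISK /MBR (boot code only) can lose partitions on a stealth infection while a
# zero fill removes everything. All sample bytes below are constructed.
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445  : boot code (the part FDISK /MBR rewrites)
PT_OFFSET = 446            # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xAA"    # bytes 510..511: boot signature
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count

def build_mbr(boot_code, entries):
    """entries: list of (status, type_id, lba_start, sector_count); CHS fields zeroed."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, s, b"\0\0\0", t, b"\0\0\0", lba, n)
                     for s, t, lba, n in (entries + [(0, 0, 0, 0)] * 4)[:4])
    return code + table + SIGNATURE

def parse_partitions(mbr):
    """Return the non-empty partition entries; raise if the sector is not an MBR."""
    if len(mbr) != SECTOR or mbr[510:] != SIGNATURE:
        raise ValueError("no 0x55AA signature: not a bootable MBR")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, n = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if ptype:
            parts.append({"index": i, "type": ptype, "lba_start": lba, "sectors": n})
    return parts

def fdisk_mbr(mbr, clean_code):
    """Model of FDISK /MBR: fresh boot code, partition table and signature untouched."""
    return clean_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN] + mbr[PT_OFFSET:]

def zero_fill(sector):
    """Model of a zero-fill (low-level format) pass: nothing in the sector survives."""
    return b"\x00" * len(sector)

def demo():
    clean = build_mbr(b"CLEAN-BOOT-CODE", [(0x80, 0x07, 63, 1_000_000)])  # one NTFS part
    # Case 1: infection replaced only the boot code; the partition table is intact.
    code_only = b"X" * BOOT_CODE_LEN + clean[PT_OFFSET:]
    # Case 2: stealth variant blanked the in-place table and keeps the real copy elsewhere,
    # presenting it to the OS only while resident; nothing in sector 0 points to that copy.
    stealth = b"X" * BOOT_CODE_LEN + b"\x00" * 64 + SIGNATURE
    return {
        "fdisk_case1": parse_partitions(fdisk_mbr(code_only, b"CLEAN-BOOT-CODE")),
        "fdisk_case2": parse_partitions(fdisk_mbr(stealth, b"CLEAN-BOOT-CODE")),
        "zero_fill_keeps_signature": zero_fill(stealth)[510:] == SIGNATURE,
    }
```

In case 1 the rewritten sector still lists the partition; in case 2 the sector is a valid MBR with no partitions at all, which is exactly the "lost partitions" outcome the Microsoft text warns about.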

grew7
December 10th, 2005, 07:30 PM
Yikes. o.o

Another thing I noticed, is that AVG found a virus in C:\System volume information\restore{numbers and letters}\RP5. It did not say it removed the virus, and I cannot open System Volume Information. For some reason, it says access is denied.

format c:
December 15th, 2005, 04:07 PM
I have not used fdisk and format since moving to XP and ntfs partitions since they are dos based utilities.
To get that system clean I would get the Ultimate boot cd which I use for wiping systems that come on my bench.
Then I would wipe the drive with a zero fill, and if I was concerned about the bios being infected, I would get the latest bios for the motherboard and flash it.
Once that was done I would set up my bios/cmos, then install XP using my factory cd or my customized scripted install cd.
Another thing I recommend is getting a router/firewall device between your computers and the Internet.
I use the Linksys WRT54G. A hub or a switch is not a router/firewall device; they can be used in conjunction to expand your network up to 253 computers.

Here's a good example: I reloaded my sister's Compaq with Win ME and within 20 minutes at their house they were loaded with a few hundred copies of a virus. They had two antivirus programs installed and running.

The machine ran fine for hours behind my firewall. It did not even have an antivirus program until I installed two of them. I goofed up, I only run one antivirus program normally.
Software firewalls are OK but take cpu cycles and that is not good for games.
So go on, get yourself a nice hardware firewall. My sister's PC is still running strong with the firewall in place and of course ONE antivirus program.

geoscomp
December 15th, 2005, 04:11 PM
Yikes. o.o

Another thing I noticed, is that AVG found a virus in C:\System volume information\restore{numbers and letters}\RP5. It did not say it removed the virus, and I cannot open System Volume Information. For some reason, it says access is denied.

Turn off system restore and defrag the computer before trying to remove anything. Leaving system restore active will only restore infected files.