[onedailyguy]

I'm running windows 7.  Kaspersky. I got a virus from a flash drive.  Once I connected the drive, the virus blew right past the auto detect, auto scan feature of Kaspersky and somehow installed itself.  The name is virus.boot.nowrite.   I ran scans using Kaspersky, Malwarebytes, Lavasoft, super spyware and Dr. Webb.  Kaspersky and Dr Webb detected it, but cannot remove or fix it.  I searched online and could not find any removal info.  Only read that to remove a "boot.nowrite" virus, the hard drive has to be wiped clean.  According to Kaspersky, the object is located on \device\harddisk1\dr1.  Can someone please help me remove it?  Thanks so much.

[Advertisements]

Hi there could you post either the Kapsersky or DrWeb log please

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Select both shortcut and additions at the bottom
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
• Please attach all 3 logs generated.

[Essexboy]

Hi there could you post either the Kapsersky or DrWeb log please

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Select both shortcut and additions at the bottom
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
• Please attach all 3 logs generated.

[onedailyguy]

Essexboy, thank you for the reply.  I just wanted to confirm that I read your post.  Please give me about 24hrs to post back the requested logs.  By this time tomorrow, I should have finished them.  Thanks again.

[Essexboy]

No problem, I have never come across this before and there is little data on it ... So it could be quick or drawn out

[onedailyguy]

OK, the Dr Web "cureit" log is 2.6mb which cannot be uploaded.  Do you want me to past it directly into the message box?  It is extremely long.  As for the Kaspersky log, I cant find it.  Can you tell me where to look?  I'll start on the log from the program u requested now.

[onedailyguy]

The Farbar scan is in process.  Once its complete Ill post the 3 logs.

[onedailyguy]

Here are the Farbar logs

Attached Files

•  Addition.txt   40.52KB   255 downloads
•  FRST.txt   37.79KB   337 downloads
•  Shortcut.txt   575.26KB   215 downloads

[Essexboy]

OK not a great deal showing there, could you upload the log to a file sharing site like Mediafire and post the sharing link and I will download it

Download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application
  
• Then click on Change parameters.
  
  
• Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.
• Click the Start Scan button.
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
  
• If malicious objects are found, they will show in the Scan results and offer three (3) options.
• Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
• Get the report by selecting Reports
  
  
• Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

[onedailyguy]

I ran TDSS and it didn't find the threat.  So there's no report to post.  I'll run Kaspersky regular scan again and send you that report. Maybe that will be more helpful.   I double checked Dr Web and in fact I didn't see this boot.nowrite on it.  I ran the dr web scan about 2 months ago and thought it had found the virus. (I've been living with this virus for about 2 months because I just haven't had time to finally try to remove it.  I know the removal process can take weeks.) 

[Essexboy]

Yes if you could send the report it will give me a feel for other tools that I could use

[onedailyguy]

Ok, so I ran a FULL scan of Kaspersky, and incredibly, unbelievably, the scan found no threats. (I believe the old scan report from 2 months ago, which definitely showed the threat, has been erased as I searched the full computer for the log and found nothing and then I checked the Kasp settings and it's set to delete reports after 30days).  I say it's unbelievable because Kaspersky has definitely found it and cannot fix it.  I'm sending 2 screen shots proving this.  These screen shots are the best I have now to show you what I'm dealing with.  When I click on "fix", nothing happens, literally. I hope these screen shots help.  Just let me know if you need anything else.

Attached Thumbnails

• 
• 

[Essexboy]

The MBR appears to be clean from the FRST report, but lets use another MBR analysis tool to check it out.   Are you experiencing any symptoms at all ?

 

This is hard drive dr1 Partition 1: (Not Active) - (Size=13 GB) - (Type=27)  It looks like the recovery partition

 

 

Download aswMBR.exe ( 4.5mb ) to your desktop.
 Double click the aswMBR.exe to run it  Click the "Scan" button to start scan 

On completion of the scan click save log, save it to your desktop and post in your next reply

 

[onedailyguy]

Sorry for the delay.  This virus, according to the Kasp info, seems really old so I can't beleive that I haven't been able to find any info out there on this thing.  After 14 years, I would think it would be easy to fix/get rid of.

 

I haven't actually been noticing many symptoms.  Maybe the computer has been running a bit slower, and my hard drive seems slightly fuller than I had expected (I remember having about 100gb out of 240bg free, and currently i have 44gb free and I don't remember having put 55gb of files on the computer, but I could simply have a really bad memory.)  But otherwise, the computer is still acting about the same.  I'm mostly concerned this virus could: permanently be hurting the computer;  will destroy/corrupt files or make them unusable; compromise sensitive info such as passwords, bank info, etc; spread to my other computers via flash drives and thereby cause the same problems on those computers.  If Kasp has found it, I don't understand why it can't fix it.

 

So attached is the log you asked for.  Thanks again for all your help.

Attached Files

•  aswMBR onedailyguy.txt   1.87KB   229 downloads

[Essexboy]

I think we are looking at a false positive here on the part of Kaspersky, this would explain it no longer detecting it. Plus a 14 year old bit of malware is positively ancient as far as the MBR is concerned

AswMBR also see the recovery partition but, it has no problem with it

18:06:24.422 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048

[onedailyguy]

What is a "boot.nowrite" type of virus?  Anything different from other types of viruses?