virus.boot.nowrite [Closed]


#1
onedailyguy
Member, 18 posts

I'm running Windows 7. Kaspersky. I got a virus from a flash drive. Once I connected the drive, the virus blew right past the auto detect, auto scan feature of Kaspersky and somehow installed itself. The name is virus.boot.nowrite. I ran scans using Kaspersky, Malwarebytes, Lavasoft, super spyware and Dr. Web. Kaspersky and Dr Web detected it, but cannot remove or fix it. I searched online and could not find any removal info. Only read that to remove a "boot.nowrite" virus, the hard drive has to be wiped clean. According to Kaspersky, the object is located on \device\harddisk1\dr1. Can someone please help me remove it? Thanks so much.


  • 0


#2
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts

Hi there, could you post either the Kaspersky or DrWeb log, please?

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select both shortcut and additions at the bottom
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach all 3 logs generated.

  • 1

#3
onedailyguy
Member, Topic Starter, 18 posts

Essexboy, thank you for the reply.  I just wanted to confirm that I read your post.  Please give me about 24hrs to post back the requested logs.  By this time tomorrow, I should have finished them.  Thanks again.


  • 0

#4
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts

No problem, I have never come across this before and there is little data on it ... So it could be quick or drawn out
  • 0

#5
onedailyguy
Member, Topic Starter, 18 posts

OK, the Dr Web "cureit" log is 2.6 MB, which cannot be uploaded. Do you want me to paste it directly into the message box? It is extremely long. As for the Kaspersky log, I can't find it. Can you tell me where to look? I'll start on the log from the program you requested now.


  • 0

#6
onedailyguy
Member, Topic Starter, 18 posts

The Farbar scan is in process. Once it's complete I'll post the 3 logs.


  • 0

#7
onedailyguy
Member, Topic Starter, 18 posts

Here are the Farbar logs

Attached Files


  • 0

#8
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts

OK, not a great deal showing there. Could you upload the log to a file sharing site like Mediafire and post the sharing link, and I will download it.

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.


  • 0

#9
onedailyguy
Member, Topic Starter, 18 posts

I ran TDSS and it didn't find the threat. So there's no report to post. I'll run Kaspersky regular scan again and send you that report. Maybe that will be more helpful. I double checked Dr Web and in fact I didn't see this boot.nowrite on it. I ran the Dr Web scan about 2 months ago and thought it had found the virus. (I've been living with this virus for about 2 months because I just haven't had time to finally try to remove it. I know the removal process can take weeks.)


  • 0

#10
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts

Yes if you could send the report it will give me a feel for other tools that I could use


  • 0


#11
onedailyguy
Member, Topic Starter, 18 posts

Ok, so I ran a FULL scan of Kaspersky, and incredibly, unbelievably, the scan found no threats. (I believe the old scan report from 2 months ago, which definitely showed the threat, has been erased, as I searched the full computer for the log and found nothing, and then I checked the Kasp settings and it's set to delete reports after 30 days.) I say it's unbelievable because Kaspersky has definitely found it and cannot fix it. I'm sending 2 screen shots proving this. These screen shots are the best I have now to show you what I'm dealing with. When I click on "fix", nothing happens, literally. I hope these screen shots help. Just let me know if you need anything else.

Attached Thumbnails

  • Virus screen shot 1.PNG
  • Virus screen shot 2.PNG

  • 0

#12
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts

The MBR appears to be clean from the FRST report, but let's use another MBR analysis tool to check it out. Are you experiencing any symptoms at all?

This is hard drive dr1 Partition 1: (Not Active) - (Size=13 GB) - (Type=27). It looks like the recovery partition.

Download aswMBR.exe (4.5mb) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply


  • 0

#13
onedailyguy
Member, Topic Starter, 18 posts

Sorry for the delay. This virus, according to the Kasp info, seems really old so I can't believe that I haven't been able to find any info out there on this thing. After 14 years, I would think it would be easy to fix/get rid of.

I haven't actually been noticing many symptoms. Maybe the computer has been running a bit slower, and my hard drive seems slightly fuller than I had expected (I remember having about 100gb out of 240gb free, and currently I have 44gb free and I don't remember having put 55gb of files on the computer, but I could simply have a really bad memory.) But otherwise, the computer is still acting about the same. I'm mostly concerned this virus could: permanently be hurting the computer; will destroy/corrupt files or make them unusable; compromise sensitive info such as passwords, bank info, etc; spread to my other computers via flash drives and thereby cause the same problems on those computers. If Kasp has found it, I don't understand why it can't fix it.

 

So attached is the log you asked for.  Thanks again for all your help.

Attached Files


  • 0

#14
Essexboy
GeekU Moderator, Retired Staff, 69,964 posts

I think we are looking at a false positive here on the part of Kaspersky, this would explain it no longer detecting it. Plus a 14 year old bit of malware is positively ancient as far as the MBR is concerned.

AswMBR also sees the recovery partition, but it has no problem with it

18:06:24.422 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 13312 MB offset 2048
  • 0
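
The fields both MBR tools report in this thread (active flag, type 27, offset 2048, 13312 MB) come straight from the partition table in the first disk sector. The following is an added example, not part of the original posts and not code from FRST or aswMBR; the sample sector is constructed, with its first entry mirroring the aswMBR line above and its second entry invented.

```python
import struct

SECTOR = 512
# 0x27 is named as aswMBR labels it in the thread; 0x07 is the usual NTFS/exFAT id.
TYPES = {0x07: "NTFS/exFAT", 0x27: "Hidden NTFS WinRE"}
ENTRY = "<B3xB3xII"  # boot flag, CHS start (skipped), type, CHS end (skipped), LBA, count

def parse_mbr(sector):
    """Decode the non-empty primary partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector: bad length or missing 55 AA signature")
    parts = []
    for i in range(4):
        flag, ptype, lba, count = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if ptype == 0x00:  # unused slot
            continue
        parts.append({"index": i + 1, "flag": flag, "active": flag == 0x80,
                      "type": ptype, "name": TYPES.get(ptype, "unknown"),
                      "offset": lba, "sectors": count,
                      "size_mb": count * SECTOR // (1024 * 1024)})
    return parts

def anomalies(parts):
    """Return table inconsistencies worth checking before trusting a boot-sector alert."""
    found = []
    if any(p["flag"] not in (0x00, 0x80) for p in parts):
        found.append("invalid boot flag")
    if sum(p["active"] for p in parts) > 1:
        found.append("more than one active partition")
    ordered = sorted(parts, key=lambda p: p["offset"])
    for a, b in zip(ordered, ordered[1:]):
        if a["offset"] + a["sectors"] > b["offset"]:
            found.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return found

def sample_sector():
    """Constructed sample: entry 1 mirrors the aswMBR line, entry 2 is invented."""
    table = (struct.pack(ENTRY, 0x00, 0x27, 2048, 13312 * 2048)
             + struct.pack(ENTRY, 0x80, 0x07, 27265024, 204800 * 2048))
    return bytes(446) + table + bytes(32) + b"\x55\xaa"

if __name__ == "__main__":
    parts = parse_mbr(sample_sector())
    for p in parts:
        print("Partition %(index)d %(flag)02X %(type)02X %(name)s %(size_mb)d MB offset %(offset)d" % p)
    print(anomalies(parts) or "no table anomalies")
```

To check a real disk, pass `parse_mbr` the first 512 bytes of a raw disk image instead of the constructed sample.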

#15
onedailyguy
Member, Topic Starter, 18 posts

What is a "boot.nowrite" type of virus?  Anything different from other types of viruses?


  • 0





