Boot Sector Virus proves challenging – and yet not challenging

So, a repeat client of mine came across the good ol’ Sinowal virus (read about it here). He switched over to a different antivirus, one provided by his ISP, namely F-Secure. F-Secure began popping up alerts that he had this boot record virus.

(Before F-Secure, he was using Avast! antivirus. Oh, how far Avast has fallen… It used to be my favorite.)

Not knowing what to do for sure, he called The Restore Store. Before calling me, he called the ISP, since they were the ones providing the A/V that detected it. They said he was hosed and it was serious. I concurred.

I had read a lengthy article a while ago about the nature of this virus, Sinowal, aka Mebroot.

F-Secure wasn’t offering to remove the MBR virus, only indicating that it was there. I did some research and, after doing a thorough backup, began to apply the tools commonly used to deal with this virus.

The problem was, nothing was detecting it. F-Secure was adamant it was there, but the “official” Sinowal-hunting MBR scanning tools were saying everything was fine.

Was it a false positive? Doubtful; F-Secure is a good outfit, but still…

I booted to a recovery console and used “fixboot” and “fixmbr” to no avail. I was thinking even more that it was a false positive.

Growing frustrated, I disabled F-Secure and installed Avira. Avira immediately hit on it, and I now had corroboration. Avira did not offer to remove it.

Since Microsoft Security Essentials is my favorite A/V at the moment, I removed Avira and installed that. A quick scan by MSE revealed Sinowal as well.


And, MSE offered to remove it. BONUS!

I removed the sucker and uninstalled MSE. I rebooted the machine and F-Secure, which was still there, did not indicate the virus was back.

I am now proceeding to do a thorough hard drive scan to make sure the drive is sound, as it is an older machine. Then, I will “nuke and pave” and do a clean install of Windows. I have my DBAN CD out, ready to go. Probably not necessary; I may not use it…

I think I’ll be putting on MSE. The customer can put on F-Secure if he wishes, but for me MSE earned its keep again today.

Side note: I had the pleasure of removing Norton 360 along with a truckload of viruses that were on a system today, restoring the simple ability of accessing the internet. I’ve also had the pleasure of removing various abominations from McAfee this week as well.

The feel of the system after simply removing McAfee is analogous to driving a small truck after just having been towing an overloaded trailer with it. It feels light, sporty, responsive, like a whole new machine ready to spring into action with the slightest touch… It’s exhilarating. Almost a high for me. Am I becoming addicted to removing Norton and McAfee? Hmmm…
