IceInSpace > Equipment > Software and Computers
#1
17-02-2024, 04:22 PM
Crater101 (Warren)
Boot Sector Virus? Windows PC.

Folks;

Looking for advice on this one. I think I may have a "boot sector" virus on my main PC (so I'm typing on my astro laptop at the moment).

My wife told me that she'd received a "spam" e-mail from my e-mail address, and she didn't open it because it had mis-spelled her name. Considering I hadn't had to send her anything in a while, I immediately ran a virus check on my machine.

I'm using ESET antivirus (paid version) running Windows 10. I use a VPN whenever I'm online. My machine is a few years old and is 64-bit, with updates regularly installed. I use Zone Alarm as a firewall. I've used ESET for many years with no issues.

Whenever I turn the PC on, as soon as Windows starts up I get a message from my antivirus software saying that a particular web page - always the same one - has been blocked. Hmm. Yet when I ran a full scan of my machine using the program, no virus was detected. I then ran a second scan of the machine, hand-picking things like system files or the registry; again, there's apparently no virus present. However, if I go online with the machine, someone from my address book gets spammed.

I got a gremlin in there somewhere.

So while I think it may be a boot sector type virus, I'm open to suggestions, as well as any recommendations as to how to go about fixing the everlastingly-to-be-damned thing.

#2
17-02-2024, 11:43 PM
ChrisD (Chris)
Can you tell me the webpage blocked at bootup? That may be a clue.

Chris
#3
18-02-2024, 03:37 PM
Crater101 (Warren)
The address that's being blocked - which ends in ".com" appears to be a random collection of numbers, letters and special characters that is quite lengthy. I'll try to get a snapshot of it.
#4
18-02-2024, 04:27 PM
AstroViking (Steve)
Technically, that's a Windows Start-Up infection, not a boot-sector virus.

Grab a copy of MalwareBytes and give your machine a scan with that.

Generally, the nasty has added something to either your Windows 'Start up Items' or the Windows Registry (more sneaky) to run when the machine starts up.

V.
#5
19-02-2024, 08:58 AM
Crater101 (Warren)
Quote:
Originally Posted by AstroViking
Technically, that's a Windows Start-Up infection, not a boot-sector virus.

Grab a copy of MalwareBytes and give your machine a scan with that.

Generally, the nasty has added something to either your Windows 'Start up Items' or the Windows Registry (more sneaky) to run when the machine starts up.

V.

That would explain why the virus scan didn't catch it.


My humble thanks! I'll chase that up and let you know how it goes.
#6
20-02-2024, 05:31 PM
Crater101 (Warren)
OK, I got and ran a copy of Malware Bytes as suggested. It picked up two pieces of malware that I didn't know I had - my thanks - but the issue continues, so I'm open to suggestions.
#7
20-02-2024, 07:43 PM
AstroViking (Steve)
Well, that's a piece of good news to start with.

The next step is probably a bit daunting and potentially destructive if you get it wrong.

Grab the website name that keeps getting blocked by ESET and make a note of it.

From the Windows 'Search' box, enter 'regedit' and then select 'Run as Administrator'. You might need to right-click on the search results to bring up the context menu that gives this option.

Once in regedit, hit F3 (from memory - it's been a long time since I used regedit) and enter the website name into the search box.

If/when you get a result, delete the registry key and continue searching until you hit the bottom of the registry.

Save your work (there should be a menu item to do this) and then reboot your machine.

If it's still there when your machine comes back, then I'm afraid I'm out of ideas and the next thing on my list would be a complete reformat and re-install of Windows. A bit of a 'nuclear bomb' approach, I'm afraid.

Regards,
V.
#8
20-02-2024, 08:06 PM
Crater101 (Warren)
Quote:
Originally Posted by AstroViking
Well, that's a piece of good news to start with.

The next step is probably a bit daunting and potentially destructive if you get it wrong.

Grab the website name that keeps getting blocked by ESET and make a note of it.

From the Windows 'Search' box, enter 'regedit' and then select 'Run as Administrator'. You might need to right-click on the search results to bring up the context menu that gives this option.

Once in regedit, hit F3 (from memory - it's been a long time since I used regedit) and enter the website name into the search box.

If/when you get a result, delete the registry key and continue searching until you hit the bottom of the registry.

Save your work (there should be a menu item to do this) and then reboot your machine.

If it's still there when your machine comes back, then I'm afraid I'm out of ideas and the next thing on my list would be a complete reformat and re-install of Windows. A bit of a 'nuclear bomb' approach, I'm afraid.

Regards,
V.

Cheers mate. I've done something similar previously (a long time ago, in a galaxy far, far away...) and I'm aware of the potential for calamity.


I'll see if I can find another alternative before I try that, but if all else fails, that's probably what I'll end up doing.


Thanks!
#9
21-02-2024, 11:07 PM
Dekker (Derrick)
Download SysInternals autoruns and check the list of "everything" for any programs without a signature or with suspicious looking file names. If you find an obvious culprit in that list, then you should be able to just delete the executable. However, in some cases you may need to start Windows in safe mode to be able to remove it.
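As an added example (not code from the thread's posters) of the check AstroViking's and Dekker's posts describe, assuming the address ESET reports is substituted for the placeholder: a read-only PowerShell script that lists the Run/RunOnce registry autostarts, checks each program's Authenticode signature, and flags entries that are unsigned or mention that address.

```powershell
# Added example, not from the thread: inventory Windows Run/RunOnce autostart
# entries and flag any whose executable is unsigned or whose command line
# mentions the address ESET keeps blocking. Read-only; it deletes nothing.
# $SuspectDomain is a placeholder; substitute the address from the ESET alert.
param([string]$SuspectDomain = 'PLACEHOLDER-blocked-address.com')

# HKCU keys cover only the account running the script.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePath([string]$CommandLine) {
    # Extract the program from a command line that may be quoted or carry arguments.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $null
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip registry-provider metadata
        $cmd = [string]$p.Value
        $exe = Get-ExePath $cmd
        $status = 'NoPathFound'
        if ($exe) {
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $status = if (Test-Path $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
            } else { 'FileMissing' }
        }
        [pscustomobject]@{
            Key            = $key
            Name           = $p.Name
            Command        = $cmd
            Signature      = $status
            MentionsDomain = $cmd -like "*$SuspectDomain*"
        }
    }
}

# Report only what deserves a closer look; a clean machine normally shows 'Valid' throughout.
$entries | Where-Object { $_.Signature -ne 'Valid' -or $_.MentionsDomain } |
    Format-Table Name, Signature, MentionsDomain, Command -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys and program files are readable; the Run keys are only one autostart location, so Autoruns (which also covers scheduled tasks, services and browser helpers) remains the fuller check.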
#10
22-02-2024, 05:00 PM
Crater101 (Warren)
Quote:
Originally Posted by Dekker
Download SysInternals autoruns and check the list of "everything" for any programs without a signature or with suspicious looking file names. If you find an obvious culprit in that list, then you should be able to just delete the executable. However, in some cases you may need to start Windows in safe mode to be able to remove it.

My thanks! I was just about to go about it all the hard way, but I'll give that a go first. Cheers!
#11
27-02-2024, 05:09 PM
Crater101 (Warren)
Purely for reference and research purposes, things appear to have returned to normal.
My sincere thanks for the help folks! I am not worthy...