HELP! Reformatting hard drive doesn't remove boot.mebroot trojan virus!

Ok, after clearing the partition table, erasing the MBR and wiping all sectors of the drive, then reformatting using the recovery CDs, then disabling System Restore, installing SP2 and NAV08, then scanning in safe mode with the internet cable unplugged, Norton again finds the virus and declares it resolved. I reboot and the virus comes up right away again. I don't know what else to do.

 

Is it true what the HP tech said that reformatting only affects the "top layer" of a hard drive and that I would have to have someone in a store fully recover the hard drive with special software that only experts can obtain and use? 

You need to write zeros to the entire drive. This will fix it. Are you sure it's a virus and not a false positive?

I don’t know if it is a false positive or how to tell.  Other virus programs don’t detect it.  NAV08 and 09 do.  It is a real virus and Symantec has a removal procedure that is pretty worthless in my opinion.

Is there software you recommend for writing zeros to the drive?

Hi Hannah12

 

Try DBAN  http://www.dban.org/   and select an American DoD standard. The fastest is just a one-pass write of 0s, compared to DoD.

 

You mention "FAT" now and then; do you mean FAT32? XP uses NTFS.

Also, you stated XP SP2. There is now Service Pack 3.

 

When transferring your data back, make sure you don't transfer the infection files back as well, otherwise you are back to square one.

 

Quads 


I guess I don't know what I am talking about.  There are three partitions. 

 

HP_PAVILION (C:)     NTFS

DISK2PART01 (D:)    NTFS

HP_RECOVERY (E:)  FAT32

 

The first few times I reformatted, I downloaded SP3.  The whole process was taking over 4 hours, including loading Norton and scanning.  When I found I could run Norton with just SP2, I decided to skip SP3 until I got rid of the virus and didn't have to redo everything again.  I'll take a look at DBAN.  Thanks.

 

 

Don't even bother with removing the virus. It's like finding a needle in a haystack. 6 yr. old computer? I reformatted my 1999 P3 and installed Windows XP at least 5 times; took about 40 minutes. Just reformat and reinstall. Sounds like you did not completely reformat.

 

Reformat Guide (Might want to write/print):

  1. Insert XP disc
  2. Turn off comp.
  3. Set your BIOS to boot from CD
  4. You will be told that there is another NT installation. Delete all partitions on your drive, even the MBR, which will be like 8 MB.
  5. Create a new partition(s)
  6. Install XP
  7. Install Norton
  8. Update
  9. Run comp. scan

Tech0utsider

 

Sounds as though reformatting has been tried many times. Standard reformatting and reinstall: formatting the hard drive is a bit more secure than simply erasing the files. Formatting a disk does not erase the data on the disk, so to speak, only the address tables (top layer). There are times when just reformatting is not enough. Whether or not the reformatting process completed properly, data can still be extracted from a formatted hard drive.

 

DBAN will erase everything (partition(s) and MBR (master boot record) included), and depending on the selected wipe (1 pass, 3 pass, 7 pass, ...) there is a difference in the time it takes. Different algorithms, etc.

 

I have not tried DBAN, however, as I have paid for software that boots from CD-ROM and wipes completely, but this can take hours.

 

 

Quads 

 

 

Someone suggested KillDisk, so I downloaded it on a friend's computer, made a copy and erased with zeros. I ran two passes. Then I reformatted the hard drive. Disabled System Restore, downloaded SP2, then installed NAV08, ran a scan and the virus is still there!!!

 

I assume that either the virus is in a deeper layer? or that it is a false positive?

 

If it is in a deeper layer, do I need stronger erasing/zeroing software? KillDisk took about a half hour on the first pass on my 80 gig hard drive.

 

Or if this is a false positive - which I doubt since I don't see this issue on Symantec's site with other XP / NAV08  - how can I tell?  It never says the virus is quarantined, just resolved.

 

I just cannot believe after all I have done it is still there!


Hannah12 wrote:
I signed up for Norton's Virus Removal Service at $99.99.  Several of their technicians tried a number of things in an attempt to get rid of the virus

Hi Hannah12,

 

At the risk of adding to the confusion here, I was wondering if you could clarify something for me. In the above quoted text, you mention that they tried a number of things. When you contacted support, did they give you the boot.mebroot removal tool mentioned in the Removal Instructions page? I know it gets discouraging and tiresome to troubleshoot a problem, especially when you're getting so much advice from so many people. We will try to wait for your response before throwing more suggestions your way.


Hannah12,

     I am confused; didn't you say you bought N.I.S. 2009...?  Or Upgraded to N.AV. 2009...?

 

Post 30: "I installed Norton 09..."

Message Edited by Floating_Red on 10-05-2008 01:32 PM

To Tony's question, when I paid for the Norton Virus Removal Service and asked them about the removal tool, they wouldn't give me a specific answer.  They took control of my computer tried various reconfigurations, then gave up and told me to reformat the hard drive.  I had the impression that there is no removal tool and I don't know why Norton says there is.

 

I also wonder why McAfee, AVG, Trojan Virus Remover and Malwarebytes do not detect the virus but NAV08 and NAV09 do.

 

Also, why reformatting as I have done, after deleting the partitions and wiping out the hard drive, including writing zeros on it, won't make this go away.

Sorry, Red, I meant NAV09 which I tried installing and running in safe mode to see if I would have any better results than NAV08. 


Hannah12 wrote:

...I had the impression that there is no removal tool and I don't know why Norton says there is...


Hi Hannah12,

 

I've emailed you download information regarding the fixtool, to the email address registered to your account here. The email may be marked as phishing and/or spam, so please check those folders for my email. Thanks!

When all this gets fixed, you should think about upgrading to N.I.S. 2009.

I ran the fix tool and the virus is still there after rebooting. I called the local Fry's service department and they said they couldn't do anything more than I have done. They wondered if the virus was in the memory, although they said that was very, very rare. Is that possible?

Did you delete all your partitions, including your recovery partition? Did you write zeros to the drive and verify that the drive was empty? What is the manufacturer of your hard drive? If you completely wiped out the drive, it is impossible for the infection to be there. What partition is the infection in?

The infection is in the C drive.  D and E scan clean.  From the bootable recovery cd, I was able to issue commands for clearing the partition table, erasing the MBR and wiping all sectors of the drive.  These are the words that were used on the three separate commands.  Then I watched it erase the hard drive - 80 gig - which took about a half hour.  Then it reformatted everything.

 

When I ran the software that wrote zeros, I didn't verify if the drive was empty. I ran the program twice and the second time it only took 3 or 4 minutes, so I assumed that everything had been written over.

 

My computer is an HP 753n and the hard drive has on it: HP 5002 8731 R L(except it is upside down) V      E

 

 

Before we all throw in our recommendations, I have requested that Hannah12 run the fixtool for boot.mebroot, following all the steps in the instructions. Let’s wait for the results of that fix before we repeat our previous recommendations. Thanks!

Dieselman 743 asked, "What partition is the infection in?" The trojan infects the MBR: it modifies a PC's master boot record (MBR), which is the first sector of a storage device and is used to help a PC locate an operating system to boot after it is turned on. The result is that it is running even before Windows loads.

 

About staying in the memory 

 

Memory (RAM) is volatile (it has a refresh rate), so once the power is turned off from the PC, especially for some time like 5 minutes, anything in the memory is gone. After 5 minutes with no power coming in (disconnect the cords etc.) you can push the power button, and this should release any residual power.

 

Quads 
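Two questions in this thread have a concrete answer that nobody posted: Dieselman's "did you verify that the drive was empty?" and Quads' point that the trojan lives in the first sector (the MBR), outside any partition. The script below is an added example, not from the thread and not Symantec's fixtool. It parses a 512-byte MBR (boot signature, the four partition-table entries, and whether the 446-byte bootstrap area that an MBR rootkit's loader occupies is all zeros) and checks whether the first N sectors of a drive or image are actually zero after a wipe. The sample MBR bytes are constructed to resemble the three-partition layout Hannah12 listed (two NTFS, one FAT32); the device paths in the comments are assumptions about where you would point it, and reading a raw device needs administrator rights.

```python
"""Inspect sector 0 (the MBR) and verify that a zero-wipe really zeroed the
first sectors of a drive.  Added example; the sample bytes below are
constructed, not captured from an infected machine."""
import hashlib
import struct
import sys

SECTOR = 512
MBR_SIG = b"\x55\xaa"          # boot signature at offset 510
ENTRY_FMT = "<B3xB3xII"       # status, CHS(3), type, CHS(3), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, bootstrap-area status/hash, and the
    non-empty partition-table entries of a 512-byte MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    bootstrap = sector[:446]          # where an MBR rootkit's loader would sit
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        status, ptype, lba_start, nsectors = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0 and lba_start == 0 and nsectors == 0:
            continue                  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": nsectors})
    return {
        "signature_ok": sector[510:512] == MBR_SIG,
        "bootstrap_all_zero": not any(bootstrap),
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "partitions": parts,
    }


def check_wipe(read_sector, count: int) -> list:
    """Return the indices of the first `count` sectors that are NOT all zero.
    `read_sector(n)` must return 512 bytes for sector n.  After a real
    zero-wipe this list is empty; that is what 'verify the drive is empty'
    means in practice."""
    return [n for n in range(count) if any(read_sector(n))]


def sector_reader(path: str):
    """Sector reader over a raw device or disk image.  Assumed paths such as
    /dev/sda (Linux) or \\\\.\\PhysicalDrive0 (Windows) need admin rights."""
    def reader(n: int) -> bytes:
        with open(path, "rb") as f:
            f.seek(n * SECTOR)
            return f.read(SECTOR)
    return reader


def build_sample_mbr() -> bytes:
    """Constructed MBR: arbitrary non-zero bootstrap filler plus three entries
    sized for an 80 GB (~156,250,000-sector) drive.  0x07 = NTFS, 0x0B = FAT32."""
    boot = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (446 - 7)
    entries = struct.pack(ENTRY_FMT, 0x80, 0x07, 63, 140_000_000)            # C: active
    entries += struct.pack(ENTRY_FMT, 0x00, 0x07, 140_000_063, 10_000_000)   # D:
    entries += struct.pack(ENTRY_FMT, 0x00, 0x0B, 150_000_063, 6_000_000)    # E: FAT32
    entries += b"\x00" * 16                                                  # unused slot
    return boot + entries + MBR_SIG


if __name__ == "__main__":
    # With no argument, demonstrate on the constructed sample; with a path,
    # inspect that device/image and check its first 2048 sectors (1 MB).
    if len(sys.argv) > 1:
        rd = sector_reader(sys.argv[1])
        print("non-zero sectors in first 2048:", check_wipe(rd, 2048)[:20])
        print(parse_mbr(rd(0)))
    else:
        print(parse_mbr(build_sample_mbr()))
        print("zeroed sector parses as:", parse_mbr(b"\x00" * SECTOR))
```

The useful reading of the output: if `check_wipe` reports sector 0 as non-zero right after a wipe and before any reinstall, the wipe tool did not touch the MBR; if `signature_ok` is true but `bootstrap_sha256` changes between a fresh install and the next reboot, something rewrote the bootstrap code behind the OS's back, which is exactly the behaviour an MBR-resident trojan shows and what an in-Windows scanner keeps reporting as "resolved".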
