Need help with "form.a" boot sector virus

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Just built up a windows installation on a system and after
installing NOD32 I find it has the form.a Boot Sector virus but
NOD cannot clean it.  Fdisk/MBR not effective either.

Seems like a "McAfee emergency disk" is capable of this but not
much else I can find out about.  Would hate to have to do this
all over again.

Any suggestions or a image of said emergency disk??

Thanks

Re: Need help with "form.a" boot sector virus


| Just built up a windows installation on a system and after
| installing NOD32 I find it has the form.a Boot Sector virus but
| NOD cannot clean it.  Fdisk/MBR not effective either.
|
| Seems like a "McAfee emergency disk" is capable of this but not
| much else I can find out about.  Would hate to have to do this
| all over again.
|
| Any suggestions or a image of said emergency disk??
|
| Thanks

The Form virus.  I haven't seen that in years.  You must have had an infected
floppt disk
and are using FAT32.

Use the following Multi-AV.  Install it on a second, non-infected PC and update
at least the
McAfee and Sophos modules.

Download a either freeDOS or a floppy DOS bootdisk and change the floppy disk to
Read-Only.
FreeDOS:
http://www.freedos.org /
http://sourceforge.net/projects/freedos /

http://www.bootdisk.com/bootdisk.htm

Using a USB Flash Drive and copy the C:\AV-CLS tree of data to the Flash Drive
from the
non-infected PC to the affected PC.

Run either of the following on the affected PC.

C:\AV-CLS\DOSCLEAN.BAT

C:\AV-CLS\SOFCLEAN.BAT

Then use the Start Menu of the Mult-AV and scan all your floppy disks.  Make
sure those
floppy disks are Read-Write so they can be cleaned.


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free /

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal
Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the
PC.

You can choose to go to each menu item and just download the needed files or you
can
download the files and perform a scan in Normal Mode. Once you have downloaded
the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode
[F8 key
during boot] and re-run the menu again and choose which scanner you want to run
in Safe
Mode.  It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * *   Please report back your results  * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Need help with "form.a" boot sector virus

On Sat, 01 Mar 2008 12:21:21 GMT, "David H. Lipman"

Quoted text here. Click to load it

Hi David.

The hard drive had it and I did nothing that would have cleared
it.  It subsequently got to an additional drive I installed
temporarily and another that now resides in the system is also
affected as well as a zip disk.  The 2 floppies I used are
infected but reformatting them clears that.

I suppose that sys C: from a floppy would clear it as well.

I have a W98SE system that I can download the Multi_AV to in
order to get the C:\AV-CLS tree of data for the Flash Drive.

If I take your meaning, I boot from the floppy and run the .bat
file I copied to the hard drive while under the floppys dos
system.

Correct??

Re: Need help with "form.a" boot sector virus



|
| Hi David.
|
| The hard drive had it and I did nothing that would have cleared
| it.  It subsequently got to an additional drive I installed
| temporarily and another that now resides in the system is also
| affected as well as a zip disk.  The 2 floppies I used are
| infected but reformatting them clears that.


Did reformatting actually remove the Form virus ?
It has been so long that I forgot.


|
| I suppose that sys C: from a floppy would clear it as well.


No, that would NOT work.  It is a boot sector infector and that command just
tranfer the OS
boot files to the floppy.


|
| I have a W98SE system that I can download the Multi_AV to in
| order to get the C:\AV-CLS tree of data for the Flash Drive.
|
| If I take your meaning, I boot from the floppy and run the .bat
| file I copied to the hard drive while under the floppys dos
| system.
|
| Correct??

Yes.

Once you clean the "C:" drive, run the Multi-AV menu and scan all floppies,
other hard disks
and the ZIP disk.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: Need help with "form.a" boot sector virus

On Sun, 02 Mar 2008 02:34:25 GMT, "David H. Lipman"

Quoted text here. Click to load it

I only tried that with the floppies.  It did clear it out.

Quoted text here. Click to load it

Note I said FROM a floppy.

This from McAfee, I know not if it is factual:
"This virus can be removed with the same technique as used with
many boot sector infectors. First, power off the system and
then boot from a known clean write-protected boot diskette. The
DOS SYS command can then be used to recreate the boot sector.
Alternately, MDisk from McAfee Associates may be used to
recreate the boot sector."


Thanks for your help David.  
I am going to try what you suggest so I have a handy technique
in the event this appears somewhere once again.  Will report
back.


Quoted text here. Click to load it


Re: Need help with "form.a" boot sector virus

On Sun, 02 Mar 2008 02:34:25 GMT, "David H. Lipman"

Quoted text here. Click to load it
On returning to the system today I found I had clobbered the
partition table in the tired wee hours during my last effort.
Fortunately I had Ghosted the installation before the troubles.

I deleted the partition and started fresh using the image and
all is well.  Everything is clean including the floppies.  Did
not get a chance to use Multi-AV but have saved it and your
instructions should this ever appear again.

Thanks again David

Site Timeline