Very old problem: NYB


news.rcn.com

I have a problem I don't appear to be able to cure and it doesn't seem to
have surfaced for some years: I have managed to catch NYB and it seems to
have spread to two computers I have and (I don't see how but) it is
preventing one computer from booting off the floppy to remove it. I checked
the floppies on an uninfected box with NAV corporate, THEY don't have the
virus

I have Windows XP so I can't make a simple boot disc to do a simple Fdisk
/mbr to get rid of it. (I have tried creating that XP boot disc with NTLDR
on it and the other four or five files and for some reason it doesn't work
ANYWAY I don't see how I can do a FDISK with it??)

Does anyone know how I can either make an emergency boot set from another
uninfected computer with Norton AV Corporate Edition on it OR make an
emergency set with this computer which is infected? Will it make a
replacement boot sector with the infection on it or can I make a boot set
which will let me do a simple FDisk /mbr (or otherwise get rid of the virus)
to correct the boot sector on this infected box whatever the MBR's condition
at the time I make the emergency set? Kaspersky's emergency download
doesn't seem to fix it (though suspiciously it DOES report some apparently
false positive Trojans which I don't SEEM to have, such as
Trojan-Downloader.Win32.Agent.un and Trojan-Dropper.Win32.Mudrop.k which
are described as: "Currently there is no description available for this
program").

Also curiously, Kaspersky reported my having NYB yesterday on this
computer, - its scanner told me it cannot fix NYB, - but NAV did a full
scan today and didn't report it! Is it possible that NAV is missing this
obvious boot sector virus while it is saying it is checking the boot sector?
Or did Kaspersky really remove the NYB while it was removing those two
apparently false positive Trojans? Or is Kaspersky
reporting a false positive on NYB? (I can't figure out how to run a chkdsk on
XP to show available memory)
 
You can get a boot disk from here

http://freepctech.com/pc/002/files010.shtml

Louise
 
The XP CD is bootable-you will find disk tools on it.
To repair the MBR, install the recovery console
http://support.microsoft.com/default.aspx?scid=kb;en-us;307654
It is possible you are getting a "false positive".
To view available memory use the task mgr.
To scan your system with multiple scanners use David Lipman's Multi_AV.
Get it here http://www.ik-cs.com/programs/virtools/Multi_AV.exe
I have more help links and tools listed here
http://home.neo.rr.com/manna4u/tools.html
Hope you get it sorted out.
-max
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages: http://home.neo.rr.com/manna4u/
Change nomail.afraid.org to yahoo.com to reply.
Registered Linux User #393236
 
I have a problem I don't appear to be able to cure and it doesn't seem to
have surfaced for some years: I have managed to catch NYB and it seems to
have spread to two computers I have and (I don't see how but) it is
preventing one computer from booting off the floppy to remove it.

Something else must be causing that since NYB isn't active when you
boot clean.
I checked
the floppies on an uninfected box with NAV corporate, THEY don't have the
virus

I have Windows XP so I can't make a simple boot disc to do a simple Fdisk
/mbr to get rid of it. (I have tried creating that XP boot disc with NTLDR
on it and the other four or five files and for some reason it doesn't work
ANYWAY I don't see how I can do a FDISK with it??)

Don't use fdisk /mbr

I suggest using McAfee's Bootdisk. Download EMSCAN.ZIP from here:

http://vil.nai.com/vil/virus-4e.asp

Read the instructions in the enclosed zip.

Take KAV's Trojan detections seriously. You don't say which Kaspersky
EM program you downloaded. See my web site for the KASFX.EXE
download which has a clean/delete capability using the Kaspersky
scan engine.

Art


http://home.epix.net/~artnpeg
 
Don't use fdisk /mbr

I suggest using McAfee's Bootdisk. Download EMSCAN.ZIP from here:

http://vil.nai.com/vil/virus-4e.asp

Read the instructions in the enclosed zip.

Take KAV's Trojan detections seriously. You don't say which Kaspersky
EM program you downloaded. See my web site for the KASFX.EXE
download which has a clean/delete capability using the Kaspersky
scan engine.
That is the one I downloaded. It executed to a dos screen which performed
dozens of updates on its files before finally finding some file which it
couldn't update. It tried this twenty or thirty times and then gave up,
commenting that it had failed (don't know how much failed or if it was just
this one file) It then ran and told me that it detected NYB which it didn't
fix but which now appears to be mysteriously gone from this system?? (or
isn't as the case may be). Does anyone know what these mysterious Trojans
infecting my .dll files were?

Not sure how I can get rid of NYB if I can't do a fdisk /mbr?
 
What's in a Name? said:
The XP CD is bootable-you will find disk tools on it.
To repair the MBR, install the recovery console
http://support.microsoft.com/default.aspx?scid=kb;en-us;307654
It is possible you are getting a "false positive".
To view available memory use the task mgr.
To scan your system with multiple scanners use David Lipman's Multi_AV.
Get it here http://www.ik-cs.com/programs/virtools/Multi_AV.exe

That seems to be an extraordinarily powerful tool? I can't imagine anything
could get through that one. I have downloaded and run Sysclean again with
that and if IT doesn't find NYB I will assume it was a false positive or that
NYB has now been fully expunged from my system

I have more help links and tools listed here
http://home.neo.rr.com/manna4u/tools.html

(Many thanks: have added this to my Favourites)
 
That is the one I downloaded. It executed to a dos screen which
performed dozens of updates on its files before finally finding some
file which it couldn't update. It tried this twenty or thirty times
and then gave up, commenting that it had failed (don't know how much
failed or if it was just this one file) It then ran and told me that
it detected NYB which it didn't fix but which now appears to be
mysteriously gone from this system?? (or isn't as the case may be).
Does anyone know what these mysterious Trojans infecting my .dll
files were?

Not sure how I can get rid of NYB if I can't do a fdisk /mbr?

after install of recovery console you can use the command
fix /mbr
-max
--
Playing Nice on Usenet:
http://oakroadsystems.com/genl/unice.htm#xpost
My Pages: http://home.neo.rr.com/manna4u/
Change nomail.afraid.org to yahoo.com to reply.
Registered Linux User #393236
 
That is the one I downloaded. it executed to a dos screen which performed
dozens of updates on its files before finally finding some file which it
couldn't update. It tried this twenty or thirty times and then gave up,
commenting that it had failed (don't know how much failed or if it was just
this one file) It then ran and told me that it detected NYB which it didn't
fix but which now appears to be mysteriously gone from this system?? (or
isn't as the case may be). Does anyone know what these mysterious Trojans
infecting my .dll files were?

Do you have the version of KASFX from my web site that allows you to
select download sites? As I mention on the info screen, quite often
it's better to use the second one ... updates2.

Make sure you have successfully downloaded all the def files and then
rescan the drive.
Not sure how I can get rid of NYB if I can't do a fdisk /mbr?

I mentioned one method. Use McAfee's Bootscan after booting up
using a clean DOS boot disk.

Art

http://home.epix.net/~artnpeg
 
The correct command is FIXMBR. ;)


That page is full of nonsense and wrong information, as well as misleading
advice.


Worthless.

What's "worthless" is your post. Why not try being helpful instead of
obnoxious for a change? What exactly in your opinion is the correct
and safe method in all cases of fixing a simple boot infector on Win
XP? And exactly why is Bootscan or some other DOS boot av method
"worthless"?

Art

http://home.epix.net/~artnpeg
 
Zvi said:
That page is full of nonsense and wrong information, as well as misleading
advice.

their advice is to not use their little tools to remove mbr infectors
since those tools were not designed to fix mbr infectors... one should
instead use software that was actually intended to deal with viruses...

maybe it's just me, but if microsoft is saying that software they wrote
*without* the intention of fixing viruses is inappropriate for fixing
viruses then i don't see the problem...
 
news.rcn.com said:
I have a problem I don't appear to be able to cure and it doesn't seem to
have surfaced for some years: I have managed to catch NYB and it seems to
have spread to two computers I have and (I don't see how but) it is
preventing one computer from booting off the floppy to remove it. I checked
the floppies on an uninfected box with NAV corporate, THEY don't have the
virus

You probably have no real problem, only an apparent one, since NYB can't be
active under XP. Moreover, your computer wouldn't boot to XP with the code of
NYB in the boot disk MBR. The computer would hang with a blue screen, before it
can load the system (a basic driver will fail to load).
I have Windows XP so I can't make a simple boot disc to do a simple Fdisk
/mbr to get rid of it. (I have tried creating that XP boot disc with NTLDR
on it and the other four or five files and for some reason it doesn't work
ANYWAY I don't see how I can do a FDISK with it??)

What you are referring to is the XP (NT) emergency boot disk. It's the wrong
tool to handle MBR and boot sector problems (since it won't let direct disk
access). Besides the fact that you don't need a boot disk at all to resolve the
"problem".
Does anyone know how I can either make an emergency boot set from another
uninfected computer with Norton AV Corporate Edition on it OR make an
emergency set with this computer which is infected?

You are dangerously improvising, and are about to damage access to your drive if
you don't stop hyperventilating.
Will it make a
replacement boot sector with the infection on it or can I make a boot set
which will let me do a simple FDisk /mbr (or otherwise get rid of the virus)
to correct the boot sector on this infected box whatever the MBR's condition
at the time I make the emergency set?

NEVER build an emergency boot disk for one PC on another one. You risk
transplanting the wrong configuration sectors (MBR, boot sector) from one hard
disk to the other and lose access to your data / drive!
Kaspersky's emergency download
doesn't seem to fix it (though suspiciously it DOES report some apparently
false positive Trojans which I don't SEEM to have, such as
Trojan-Downloader.Win32.Agent.un and Trojan-Dropper.Win32.Mudrop.k which
are described as: "Currently there is no description available for this
program").

For your own good, stop that hyperactivity. All you have is a false alarm.
Also curiously, Kaspersky reported my having NYB yesterday on this
computer, - its scanner told me it cannot fix NYB, - but NAV did a full
scan today and didn't report it! Is it possible that NAV is missing this
obvious boot sector virus while it is saying it is checking the boot sector?

Both products do false alarm. This problem has been discussed in length on
virus forums. Read the thread starting with
http://groups.google.com/group/alt.comp.virus/msg/ddeff668475e993b if curious
about.
Or did Kaspersky really remove the NYB while it was removing those two
apparently false positive Trojans? Or is Kaspersky
reporting a false positive on NYB? (I can't figure out how to run a chkdsk on
XP to show available memory)

"Missing memory" was never reliable to test the presence of an active boot
infector. Besides the fact that it belongs to the days of plain DOS. As stated
at the top, if XP boots off the hard drive then there is absolutely no
possibility that there is NYB on your drive, neither active, nor even dormant.

To be absolutely sure on my assertion, I just installed NYB on my XP test
machine and retested its behavior.

BTW, FIXMBR *is* effective in overwriting NYB in the MBR, in case you had it
(which you obviously don't). For what it's worth, antivirus products do exactly
the same, with two differences: They may kill access to the drive in case they
misidentify the virus (which they quite often do!), and the bells and whistles.
;-)

Regards, Zvi
 
Art said:
What's "worthless" is your post. Why not try being helpful instead of
obnoxious for a change?

I am being helpful, in case you missed it, by pointing out bad advice.
What exactly in your opinion is the correct
and safe method in all cases of fixing a simple boot infector on Win
XP? And exactly why is Bootscan or some other DOS boot av method
"worthless"?

This was discussed many times in these forums. The latest thread on the subject
starts with http://groups.google.com/group/alt.comp.virus/msg/ddeff668475e993b

Since you are Canadian, then you may read French (shouldn't all Canadians?). In
which case I recommend that you read the following thread, especially posts #10
to 26 (pay special attention to #12)
http://groups.google.com/group/fr.comp.securite.virus/browse_frm/thread/d57f313dc4365567

Regards, Zvi
 
kurt wismer said:
their advice is to not use their little tools to remove mbr infectors
since those tools were not designed to fix mbr infectors... one should
instead use software that was actually intended to deal with viruses...

I thought that only old fellows have a memory problem. ;-) Read my reply to
Art, in this thread. I am referring to previous threads where we (you and I)
discussed the issue.
maybe it's just me, but if microsoft is saying that software they wrote
*without* the intention of fixing viruses is inappropriate for fixing
viruses then i don't see the problem...

Microsoft have been playing a different tune for years, about both FDISK /MBR
and FIXMBR. It's only recently that they changed the tune, probably as the
result of the new cover-ass policy they adopted with the introduction of the XP
Security Center parody (the page referred by Art is from the XP Professional
Resource Kit documentation, not really intended for the wide public). Read
http://www.microsoft.com/technet/prodtechnol/windows2000pro/tips/reccon.mspx
where Microsoft explicitly recommend FIXMBR to restore the MBR from a boot virus
("cool use" they call it). ;-)

In plain language, Microsoft isn't the party to depend upon for advice on the
subject. They aren't better informed in boot virus matters, nor are the
antivirus producers (read the referred thread)! AV producers always did a lousy
job on this particular issue (BSI), and it's even worse now, since boot viruses
are practically extinct and the new AV cadres have no meat to chew on and lack
experience.

Another worrying aspect is the abundance of bad advice on that subject, in this
as well as other virus newsgroups, offered on base of ignorance and recycling
formalistic and incorrect info. Take this thread for example. Although it's
fairly obvious that the OP is experiencing a false alarm, no one offered advice
how to confirm this, and feed the poor user with bad advice that risks
frustrating him, panic, and eventually format the drive. As happened so many
times before with false boot virus alerts.

To make my post complete, then here is a procedure how to confirm a false alarm
in the case of NYB: *On condition that a third party boot manager is NOT used
on that PC (this seems to be the case), then run FIXMBR after having booted off
the XP setup CD, in "repair console" mode. The procedure will do no harm to the
MBR (after all it was devised for that) and will assure that no trace of NYB can
survive in the MBR (just in case the false alert is caused by some residue code
in the slack part of the MBR loader). Reboot from the hard drive own system.
Any antivirus that now claims that it finds NYB is necessarily false alarming.

Regards, Zvi
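
As an added example, not part of any post in this thread: the post above distinguishes a live boot infector in the MBR loader from leftover bytes in the loader's unused slack that can set off a scanner. The Python below compares a 512-byte MBR dump against a known-good reference and classifies the difference. All function names are hypothetical, the sample sectors are constructed (no real loader or virus code), and it assumes the NT-family layout: loader in bytes 0..439, disk signature at 440..445, partition table at 446..509, `55 AA` at 510..511.

```python
import struct

SECTOR_SIZE = 512
LOADER_END = 440    # loader code: bytes 0..439 (440..445 hold the NT disk signature)
TABLE_START = 446   # four 16-byte partition entries: bytes 446..509
TABLE_END = 510
BOOT_SIG = b"\x55\xaa"

def partitions(sector):
    """Decode the non-empty partition table entries of one MBR sector."""
    found = []
    for slot in range(4):
        entry = sector[TABLE_START + 16 * slot: TABLE_START + 16 * (slot + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0 means the slot is unused
            found.append({"slot": slot, "active": entry[0] == 0x80,
                          "type": entry[4], "lba_start": lba_start, "sectors": count})
    return found

def loader_length(sector):
    """Offset just past the last non-zero byte of the loader area."""
    return len(sector[:LOADER_END].rstrip(b"\x00"))

def compare_mbr(suspect, reference):
    """Classify how a suspect MBR differs from a known-good reference MBR."""
    for dump in (suspect, reference):
        if len(dump) != SECTOR_SIZE:
            raise ValueError("an MBR dump must be exactly 512 bytes")
    used = loader_length(reference)
    diff = [i for i in range(LOADER_END) if suspect[i] != reference[i]]
    if not diff:
        verdict = "identical"
    elif diff[0] >= used:
        verdict = "slack-residue"     # loader intact, stray bytes only in unused slack
    else:
        verdict = "loader-modified"   # the code that actually runs at boot differs
    return {"verdict": verdict,
            "first_diff": diff[0] if diff else None,
            "diff_bytes": len(diff),
            "table_preserved": suspect[TABLE_START:TABLE_END] == reference[TABLE_START:TABLE_END],
            "signature_ok": suspect[TABLE_END:] == BOOT_SIG}

# --- constructed sample sectors: stand-in bytes, not real loader or virus code ---
def make_sector(code):
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 1000000)
    return code.ljust(TABLE_START, b"\x00") + entry + bytes(48) + BOOT_SIG

REFERENCE = make_sector(bytes(range(1, 201)))                        # 200-byte "loader"
RESIDUE = make_sector(bytes(range(1, 201)) + bytes(100) + b"\xcc" * 20)
MODIFIED = make_sector(b"\xeb\x3c" + bytes(range(3, 201)))

if __name__ == "__main__":
    for name, sector in (("reference", REFERENCE), ("residue", RESIDUE),
                         ("modified", MODIFIED)):
        print(name, compare_mbr(sector, REFERENCE))
    print(partitions(REFERENCE))
```

A "slack-residue" verdict means the bytes executed at boot match the reference and only the unused tail differs; "loader-modified" means the boot code itself has changed and needs a closer look.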
 
Art said:
Nope. You can't seem to get anything right.

OK, so you aren't Canadian (why was I under the impression you are?). My
apologies to those that are - no offense was intended. ;-)

Still, you may benefit from the thread in French. :)

Regards
 
Zvi Netiv said:
OK, so you aren't Canadian (why was I under the impression you are?). My
apologies to those that are - no offense was intended. ;-)
LOL!! This exchange made my day!! No, Art is American, but not far from
the Cdn. border.

And we don't all speak French btw.....grin. But I get by with my high
school French and a good phrase book. Same with Spanish.

Mme. Heather
 