Author Topic: Form Virus  (Read 4086 times)

Don Pearson

  • Guest
Form Virus
« on: April 23, 2008, 01:44:21 PM »
Running XP SP2 with Avast, Zonealarm, Spybot and Ad Aware over several years, I have never had any problems. I run with two hard drives with the system on one and all my data on the other.

Last week, on the 18th, I became infected by Form Virus. However it got in, I do not know, possibly when I activated a dormant partition on one of my hard drives.

Thereafter my machine hung up after the BIOS and would not boot. I had no report from Avast and thought it could be a disk problem. None of my attempts to resurrect it worked. However, using a second machine, I downloaded some stuff that I thought might help and when I put in a floppy Avast reported the presence of FORM and apparently killed it. I did a full scan and there it was in my C drive. Avast failed to repair it and my second machine then would not reboot.

I have rebuilt XP on my main machine but I do not want to load my data drive or my memory stick in case they reinfect it. I need a reliable way of eliminating this virus. On a third testbed machine I have tried Cureit, which finds FORM and says it has removed it but hasn't, because Avast still finds it.
I have also tried Malwarebytes Anti-Malware unsuccessfully.

Two questions, please:
Can I find a way to repair the boot record and avoid a rebuild on machines two and three (which I am leaving on because I know it will not reboot if I turn it off)?

Is there an elimination method I can use if I do become reinfected?

Any help would be very greatly appreciated.


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Form Virus
« Reply #1 on: April 23, 2008, 02:07:34 PM »
Quote
Form infects the boot sector. It is only able to infect if the machine is booted from an infected diskette.

Quote
As with most boot viruses, a Form infection is a rare find in modern times. Since the advent of Windows, boot viruses have become increasingly uncommon, including Form. Generally, Form infections are due to the use of floppy disks infected during the original pandemic that have since been taken out of storage.

http://en.wikipedia.org/wiki/Form_(computer_virus)

Booted with an old floppy in the drive recently?

     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Form Virus
« Reply #2 on: April 23, 2008, 02:11:54 PM »
If the virus is coming and coming again, I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

Don Pearson

  • Guest
Re: Form Virus
« Reply #3 on: April 23, 2008, 02:29:45 PM »
All my floppies are old and hardly used except if I already have problems.

I would not have had a floppy inserted when I first got the problem but they certainly transferred the problem to my other machine(s).


Don Pearson

  • Guest
Re: Form Virus
« Reply #4 on: April 23, 2008, 02:41:26 PM »
Quote
If the virus is coming and coming again, I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot-time scan with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.


Thanks for this. I run AWC and use ccleaner every week or so. I will follow your suggestions on my testbed machine, bearing in mind that installing anything that requires a restart to run is no good because the reboot will fail.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Form Virus
« Reply #5 on: April 23, 2008, 02:46:23 PM »
Quote
bearing in mind that installing anything that requires a restart to run is no good because the reboot will fail.

Maybe you could pass SpywareTerminator then...
But avast at boot time requires a boot too... not sure you can run it...
The best things in life are free.

scaffoldtm

  • Guest
Re: Form Virus
« Reply #6 on: April 23, 2008, 02:58:55 PM »
How do I get some help on here please?  I scanned for viruses and found four (3 were the Crypt virus) and 1 adware.  They were all moved to the chest.  Do I need to do anything else to remove them?

Don Pearson

  • Guest
Re: Form Virus
« Reply #7 on: April 23, 2008, 03:02:32 PM »
Quote
bearing in mind that installing anything that requires a restart to run is no good because the reboot will fail.
Maybe you could pass SpywareTerminator then...
But avast at boot time requires a boot too... not sure you can run it...

Exactly so. Now that I have an uninfected machine I am going to load the data disk that was on it at infection time. If it reinfects, at least I know where I stand before I invest any more effort on it.

As a sensible precaution, I shall throw away all of my floppies, most of them years and years old.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Form Virus
« Reply #8 on: April 23, 2008, 03:10:42 PM »
Quote
How do I get some help on here please?  I scanned for viruses and found four (3 were the Crypt virus) and 1 adware.  They were all moved to the chest.  Do I need to do anything else to remove them?

Please, start a new thread for your specific problem.
Anyway, I suggest you schedule a boot-time scan with avast.
The best things in life are free.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89110
  • No support PMs thanks
Re: Form Virus
« Reply #9 on: April 23, 2008, 03:13:12 PM »
Quote
How do I get some help on here please?  I scanned for viruses and found four (3 were the Crypt virus) and 1 adware.  They were all moved to the chest.  Do I need to do anything else to remove them?

You need to post this in a New Topic so as not to hijack/confuse this unrelated topic and we can help you. When you do, answer this: what is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security