Annoying - OLD Master Boot Record virus (NYB) from 1995… :-(
QuickSort-LoL
12-28-2004, 09:31 AM
Hi:
First of ALL --- *** HAPPY NEW YEAR TO EVERYONE***
I have to admit I feel stupid and frustrated :-(
This annoying virus is very hard to remove. And it seems to be reading my floppy drive.
Norton System Works is alerting me about the presence of NYB in 1 of my Master Boot Records since I have 4 partitions -- 2 partitions c: & f: contain Windows XP Pro, the other 2 are logical drives with useless info.
Now, I have tried Norton, Panda, McAfee, F-Prot, Trend …nothing seems to remove this bug. I also tried:
1- Booting from win 98 floppy and typing “fdisk /mbr” – this didn’t work
2- Booting from Norton cd and trying to clean infected files –didn’t work
3- I tried McAfee tool “bootscan /clean” – didn’t work either
Finally I gave up, and I decided to format C: and reinstall Windows.
Now, to my surprise, after installing Norton I did a scan and Norton is alerting me about NYB.
***I must be doing something wrong, ***
Maybe the Master Boot Record is not deleted when you format a partition …
Here are the technical details about NYB from Symantec website:
http://securityresponse.symantec.com/avcenter/venc/data/nyb.html
Sylvander
12-28-2004, 09:56 AM
Here's the end part of my standard spiel:
QUOTE
The AVG Rescue Disk is a special diskette where the most important parts of your computer’s boot up data will be saved. In this backup diskette, the contents of the Partition Table, Boot sectors and some other internal data will be saved. These areas are often targets of computer virus attacks and their damage can (and mostly will) cause the malfunction of the whole operating system – your computer cannot be started.
Repairing such destruction can be a very difficult job. But if you have a backup copy, restoring the damaged areas is easy and safe.
In addition to the backup copy of the system areas there is a special AVG-SOS program stored on the rescue disk to handle the saved data.
----------------------------------------------------------------------------------------------------------
Here's the 1st part:
RECOVER USING BACKUPS
The easy way to recover from all software [including configuration] problems [without even having to discover the cause], is:
1) As you proceed forward in time, make backups of everything on your C: drive.
Do this at regular intervals, particularly before making software changes [un/installing programs or changing configuration] and keep a log of all this.
2) When you hit trouble caused by a bad configuration change and no hardware or software changes have been made, [use "scanreg /restore" in Win98, or a restore point in WinXP, to] restore a previous good configuration.
3) When the trouble involves more than just the configuration, and involves the files [including the configuration perhaps] but no hardware has been changed [this is important because the software must match the hardware], then:
----------------------------------------------------------
Re-format the C: drive and restore your latest good backup.
----------------------------------------------------------
The software will "jump back" to the way it was when the PC worked.
If this doesn’t fix things, then it probably is not a software problem but a hardware problem.
It helps if you keep the C: drive "lean & mean".
I move as much as possible off the C: drive [and keep it as small as possible].
The "Windows" & "Program Files" folders account for 95% of the used space on my C: drive.
All the data that changes day by day [or are considered vital] are re-homed on another physical drive [although another partition would do].
When I "jump back" I still have up to date:
a. My Documents. [Use “TweakUI” to move their home]
b. E-mails for all identities. [use the email client to move their home]
c. Internet Explorer Favourites. [Use “TweakUI” to move their home]
d. Temporary Internet Files. [use the browser (Internet Explorer) to move them]
e. Re-home the Windows Address Book as shown here http://tinyurl.com/24q6l . Use the key “HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab FileName” to specify its new address. [Its normal home address [in Win98] is C:\WINDOWS\Application Data\Microsoft\Address Book\(the name you gave your PC).WAB]
f. Any other storage of data files you wouldn’t want to “jump back”.
These can be backed up separately and more or less often.
-----------------------------------------------------------------------------------------------------------
Prior to re-partitioning & re-formatting you may need to overwrite the whole HDD with random patterns of 1's & 0's using the "Eraser" "Boot & Nuke Disk".
I'm not sure if that's necessary but others have said it can be.
QuickSort-LoL
12-28-2004, 02:07 PM
I really didn’t know that could be done!!! Thanks…
Now… you are suggesting creating an AVG rescue disk… I guess from another computer that is not infected… then repairing the Partition Tables & Master Boot Records. Sounds like a good plan.
I still have some questions…
1- How do I make this AVG rescue disk?
Do I have to download a program from the AVG antivirus website? Please correct me if I'm wrong.
2- On the other side, why is this virus still in the C: partition if I formatted it? It doesn't make any sense to me; unless the virus could copy itself over from the other 3 partitions, which I believe are infected too.
3- Is there any other method to get rid of this annoying bug that I have not used?
4- Finally, why is it that none of the methods I tried previously worked, like
-- "fdisk /mbr" -- || -- "bootscan /clean" && booting up from the Symantec disk and trying to clean infected files?
//************************************************** ****
I was trying to post a couple of snapshots minutes ago when Trend online scan detected 4 viruses, but the image was too big.
The results looked like this:
Virus           Scan Result      File
Genetic 408*    Non Cleanable    Partition Table on Physical Disk 2
Genetic 408*    Non Cleanable    Partition Table on Physical Disk 2
Genetic 408*    Non Cleanable    Partition Table on Physical Disk 2
Genetic 408*    Non Cleanable    Partition Table on Physical Disk 2
//************************************************** ****
Norton virus Information: http://securityresponse.symantec.com/avcenter/venc/data/nyb.html
Trend Virus Information:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=GENERIC_408*
Budfred
12-28-2004, 08:07 PM
I think what Sylvander is saying is that you need to completely wipe the disk to clean out the MBR... Formatting will not wipe the MBR... You need to remove all partitions and return the disk to a pristine state... The easiest way to do this is usually to use the software from the maker of the drive... Once you wipe it, turn off the computer, unplug it and push the power switch to discharge capacitors before plugging it back in again... This will make it more likely that the virus is not lurking somewhere....
I think the rest of what Sylvander is saying is his usual prescription for dealing with these problems BEFORE they happen involving a system of backups... Not much help if you don't happen to have a complete set of clean backups handy...
Paul Komski
12-28-2004, 09:30 PM
This virus infects three specific sites. The MBR as well as all the Partition Boot sectors on the HDD and probably MOST SIGNIFICANT OF ALL the boot sector of floppy diskettes. So it is likely that you are continually reinfecting your system - from the floppy, from the RAM by warm rebooting and from infected boot sectors. An infected floppy was probably the source of the infection and as soon as you put a clean floppy into the drive that is not WRITE PROTECTED it will also become infected.
To manually clean up the system and keep your files intact you would first need a write-protected clean boot floppy prepared on a clean PC. Then you could use fdisk /mbr (which should be safe since you have already used it once). You should then either delete the relevant partitions or use sys X: (or format X: /s if you don't mind losing the data) where X: is each partition whose boot sector you wish to replace. You should then turn off the PC for one minute before turning it on again to clear the RAM. Check everything with a reputable antivirus and that should be all you need.
It might be easier to just zero the whole drive or at least just zero the whole of the MBR (which effectively deletes all the partitions). This can be done using wipeout (http://www.lurkhere.com/~nicefiles/index.html). Add it to your clean boot floppy using a clean PC and then write-protect the floppy again. Boot to the floppy and execute the utility by entering at the A:\> prompt wipeout c: /nq /np (check the readme in the download).
Throw away all your infected or potentially infected floppies. By all means write protect them (to prevent reinfecting any from the HDD) and scan them with your a/v to see which ones are infected but you will need to be prepared to reclean your HDD if you go that route.
It doesn't sound as if you are concerned about any data on the drive but if this is a consideration post back before you start to wipe stuff.
Paul Komski
12-28-2004, 09:58 PM
I guess from another computer not infected…then repair Partition Tables & Master Boot Records
Just saw this and it's a related but separate issue so I'm just adding another post. You can't use the MBR backup from another PC because unless the HDD and the partitions on it are identical to your own you would just corrupt your own system. The partition tables are part of the MBR and not separate entities; they are not the same as the partition boot sectors, which can also be infected and wouldn't be restored in any case. The virus copies the MBR from LBA sector 0 to sector 16 - so if you really want the original back you could copy it back with a hex editor.
Afterthought. The other way to clean up your MBR is to boot to the WinXP installation CD, log on to the recovery console and run fixmbr from the command prompt. This has two advantages: the CD can't be infected, and the disk signature that XP references in its own registry won't be changed - thus lessening the chance of causing bootup problems for XP (which fdisk /mbr could potentially cause). You could also boot to a Win98 installation CD to issue the same commands that you would from a Win98 boot floppy - but once again with the same advantage that the CD won't be infected. In fact just running fdisk /mbr and then fdisking and deleting all the partitions would be another way to "clean" up your HDD. Followed by an icy cold reboot.
QuickSort-LoL
12-29-2004, 12:59 PM
Great!!!...Things are starting to make more sense now.
I didn’t know about the write-protected feature on the floppy disks, Thanks…
And the information regarding mbr – being different from a partition boot sector makes a lot of sense.
I spent some time today reading about mbr to update myself.
On the other hand, I am still a little bit confused:
1-) I scanned every single floppy disk with both "Online Trend Scan" & "Norton Antivirus" and they all seem to be clean.
And I tried again today with the write-protect on, and the virus was not removed.
I am going to try later the WinXP recovery console solution posted by “Komski” to see what happens.
2-) Please correct me if I am wrong !!!
I think even if I clean my MBR with fdisk using a clean boot up floppy, my system will be re-infected every time I boot up from C: or F: WindowsXP, this is assuming that all my 4-Partition Boot Sectors are infected too.
Is there a way to clean up my Boot Sectors? It seems to me that an infected Boot Sector can re-infect the whole system including the MBR and the other 3 Boot Sectors.
I really want to try as hard as possible to eliminate this bug before having to wipe out all my partitions; however, if things start to get very complicated I will proceed and 0 my entire hard drive.
Again Thanks to all of you !!!…Please post again
Paul Komski
12-29-2004, 04:34 PM
I'm just beginning to wonder if you have perhaps already cleaned up this virus since it seems that only Norton System Works is giving you warnings and none of the other a/v progs are giving you any alerts. Somewhere in my dim distant memory I can remember Norton giving false positives from data stored in its records somewhere - rather than from a dynamic new scan of your system. It could possibly be worth uninstalling and reinstalling Norton and seeing if it still comes up positive. If other reputable up-to-date antiviruses are not detecting anything I would be pretty reassured.
BTW - Do you have these partitions on two hard drives, since the warnings appear to be related to a second HDD with the warning "Non Cleanable ---- Partition Table on Physical Disk 2"? If so you would need to fixmbr both HDDs one at a time (best as a lone master drive) since fixmbr (and fdisk /mbr) will only rewrite the executable code on the MBR of the HDD being used to boot up your system.
I have also experimented with using sys from Win98 and Win98se installation CDs - but they don't include sys or format so you would need to boot to a Win98 floppy to use sys on any FAT boot partitions.
QuickSort-LoL
12-29-2004, 05:36 PM
Well, I am actually getting warnings from multiple antiviruses: Norton, McAfee & Trend as well.
See, I have already tried cleaning the MBR a thousand times; I also tried with the Windows recovery console as you suggested. The only thing I can think of is that my boot sectors in both C: & F: are infected, causing my Master Boot Record to be re-infected every time I boot up from C: or F:.
I have 2 Hard Drives:
//************************************************** ************
Master
Partition C: Win XP
Partition D: Information & Backups -- /This is a logical drive I created
Partition F: WinXP
----------------------------------------------------------------------------------------------
Slave
Partition E: Information & backups
************************************************** *************//
I am doing a complete system scan with Norton and I am going to post the results, then I am going to do a McAfee online scan and I will post those results as well.
Again Thanks…
QuickSort-LoL
12-29-2004, 06:29 PM
Norton Log
Action      Files     Master Boot Record   Boot Record
Scanned     108562    2                    4
Infected    0         1                    0
//************************************************** *********************
Item                                  Virus Name    Status
Master boot record of drive 129       NYB           Repair Failed
//************************************************** *********************
Date: 12/29/2004, Time: 17:09:04, ariel on ARIEL-ELZPIO8JI
The master boot record of drive #1 is infected with the NYB virus.
Unable to repair the master boot record.
Date: 12/29/2004, Time: 17:09:04, ariel on ARIEL-ELZPIO8JI
Virus scanning completed.
Master boot records:
Scanned: 2
Infected: 1
Repaired: 0
Boot records:
Scanned: 4
Infected: 0
Repaired: 0
Files:
Scanned: 108562
Infected: 0
Repaired: 0
Quar'ed: 0
Deleted: 0
Paul Komski
12-29-2004, 07:42 PM
Master boot record of drive 129------NYB--------Repair Failed
Drive 129 (81 if hexadecimal is used) is the slave (or if you prefer the second or the #1) drive in a series of drives so all the fdisking done so far will not have touched it. Drive 128 (80 if hexadecimal is used) is the master (or if you prefer the first or the #0) drive in a series of drives and is the one you have cleaned up.
Suggest you detach the current master and temporarily set and jumper the slave as the master. Then fdisk /mbr it from the Win98 floppy. Then go back to the original setup.
I was BTW wrong to have suggested using sys on WinXP partitions; the nearest equivalent would be to run fixboot (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/bootcons_fixboot.mspx) from the recovery console.
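Paul's two posts above pin down what the thread is actually fighting: the partition table lives inside the MBR (the 64 bytes just before the 0x55AA signature) and is distinct from each partition's boot sector; the virus is said to stash the original sector 0 at LBA sector 16; and Norton's "drive 129" is BIOS disk 0x81, i.e. the second hard disk, which fdisk /mbr on the boot drive never touches. The following Python is an added example, not code from the thread or from any tool it mentions: it parses an MBR's partition table, decodes a BIOS drive number the way Paul does, and checks whether LBA 16 holds a plausible copy of the original MBR (same partition table, different boot code), which is the precondition a hex-editor restore would rely on. The 17-sector disk image and its two partition entries are constructed in memory and are made up.

```python
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # 4 entries x 16 bytes follow, then the 2-byte signature
BOOT_SIGNATURE = b"\x55\xaa"
# One classic MBR partition entry: status, CHS start (3 bytes, skipped),
# type id, CHS end (3 bytes, skipped), LBA start, sector count (little-endian).
ENTRY_FMT = "<B3xB3xII"


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR, or raise."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:               # unused slot
            continue
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries


def describe_bios_drive(n: int) -> str:
    """BIOS numbers floppies from 0x00 and hard disks from 0x80; 129 == 0x81."""
    if n < 0x80:
        return f"floppy #{n} (0x{n:02X})"
    return f"hard disk #{n - 0x80} (0x{n:02X})"


def find_relocated_mbr(image: bytes, backup_lba: int = 16) -> dict:
    """Check whether sector `backup_lba` looks like a saved copy of the
    original MBR: valid signature, identical partition table, different code.
    The sector-16 location is the one described in the thread."""
    s0 = image[0:SECTOR_SIZE]
    s_bak = image[backup_lba * SECTOR_SIZE:(backup_lba + 1) * SECTOR_SIZE]
    try:
        parse_mbr(s0)
        parse_mbr(s_bak)
    except ValueError as e:
        return {"candidate": False, "reason": str(e)}
    same_table = s0[PART_TABLE_OFFSET:510] == s_bak[PART_TABLE_OFFSET:510]
    same_code = s0[:PART_TABLE_OFFSET] == s_bak[:PART_TABLE_OFFSET]
    return {"candidate": same_table and not same_code,
            "same_table": same_table, "same_code": same_code}


def build_sample_image(infected: bool = True) -> bytes:
    """Constructed sample: 17 sectors. When `infected`, sector 0 carries
    replaced boot code and sector 16 carries the original with the same table."""
    def mbr(code_byte: int) -> bytes:
        sec = bytearray(SECTOR_SIZE)
        sec[:PART_TABLE_OFFSET] = bytes([code_byte]) * PART_TABLE_OFFSET
        # made-up layout: bootable NTFS-type partition, then an extended one
        struct.pack_into(ENTRY_FMT, sec, PART_TABLE_OFFSET, 0x80, 0x07, 63, 2097152)
        struct.pack_into(ENTRY_FMT, sec, PART_TABLE_OFFSET + 16, 0x00, 0x05, 2097215, 4194304)
        sec[510:512] = BOOT_SIGNATURE
        return bytes(sec)

    image = bytearray(SECTOR_SIZE * 17)
    if infected:
        image[0:SECTOR_SIZE] = mbr(0xEB)                        # foreign boot code
        image[16 * SECTOR_SIZE:17 * SECTOR_SIZE] = mbr(0xFA)    # saved original
    else:
        image[0:SECTOR_SIZE] = mbr(0xFA)                        # clean, nothing at 16
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for p in parse_mbr(img[:SECTOR_SIZE]):
        print(p)
    print(describe_bios_drive(129))
    print(find_relocated_mbr(img))
```

On a real disk the same functions apply to the first 17 sectors read from the raw device; the check is only a hint that a copy exists, and it says nothing about which partitions' own boot sectors are also infected, which is why the thread's fixboot step is separate from fixmbr.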
QuickSort-LoL
12-29-2004, 09:42 PM
KOMSKY YOU ARE THE MAN!!!!!!
WOooooooooooW!!!
I just followed a couple of steps and it seems the situation has been solved. Norton did not alert me regarding the presence of NYB after I performed a full system scan just minutes ago.
Here are the steps I followed…
1-) I unplugged my computer from the power and made sure I was clean from static charge.
2-) I set the current master hard drive as "slave" and the slave hard drive as "master". I also interchanged the jumpers.
3-) Set the BIOS to boot up from Floppy drive.
4-) I inserted a clean-write-protected Windows 98 boot up Disk with Fdisk program
5-) Type fdisk /mbr --cleaning the current MBR ---Restart the computer
6-) Set the BIOS to boot up from CD-ROM
7-) Inserted the WinXP installation CD and logged on to the recovery console
8-) I typed fixboot -- without the drive letter -- that means fix the boot sector for the current partition.
9-) Repeated the command for every partition I wanted to be cleaned.
fixboot c:
fixboot f:
fixboot d:
fixboot e:
10-) Followed Step 1
11-) Set Hard Drives to their previous position.
12-) Followed step 3
13-) Followed step 4
14-) Finally type again fdisk /mbr --- to clean the current MBR – if it had not been cleaned --- Restart with a VERY COLD reboot
15 -) Run FULL A/V scan… I was DONE!!!
THANKS EVERYONE & HAPPY NEW YEAR…