boot problem/virus with Inaccessible_Boot_Device

JJ

Hi:
Last week, after rebooting our Win2k SP4 server, the server came up with a Blue
Screen showing the Inaccessible_Boot_Device error, and it cannot even go into Safe
Mode. We used a Win2k startup CD to go into the Recovery Console and ran Chkdsk,
but it came up with nothing.

We used a DOS bootable disk and ran FDISK /MBR; the system was then able to boot
normally, after which a message popped up saying something like: "The system has
been updated and you would need to reboot your system to take effect".
Once rebooted, the system went into the Blue Screen again.

We then mounted the hard drive in another PC and ran several major
anti-virus products such as Norton and Kaspersky. They killed some suspicious
items, but we still got the Blue Screen again with the same error. We then had to
use FDISK /MBR again in order to boot normally.

It seems that the system was infected with some kind of boot sector
virus that erases the partition boot section on every successful boot.
But none of our major anti-virus software was able to disinfect it.
Does anyone have any thoughts on whether this is a virus? Is there any solution?

Much appreciated.
 
David H. Lipman

From: "JJ" <[email protected]>

| Hi:
| Last week, after rebooting our Win2k SP4 server, the server came up with a Blue
| Screen showing the Inaccessible_Boot_Device error, and it cannot even go into Safe
| Mode. We used a Win2k startup CD to go into the Recovery Console and ran Chkdsk,
| but it came up with nothing.
|
| We used a DOS bootable disk and ran FDISK /MBR; the system was then able to boot
| normally, after which a message popped up saying something like: "The system has
| been updated and you would need to reboot your system to take effect".
| Once rebooted, the system went into the Blue Screen again.
|
| We then mounted the hard drive in another PC and ran several major
| anti-virus products such as Norton and Kaspersky. They killed some suspicious
| items, but we still got the Blue Screen again with the same error. We then had to
| use FDISK /MBR again in order to boot normally.
|
| It seems that the system was infected with some kind of boot sector
| virus that erases the partition boot section on every successful boot.
| But none of our major anti-virus software was able to disinfect it.
| Does anyone have any thoughts on whether this is a virus? Is there any solution?
|
| Much appreciated.

If this is an NTFS partition then it is doubtful it is a boot sector infector.

The fact that you scanned it with AV software and did not come up with a boot sector
infector is an affirmation of that.

Is this a RAID system or a single drive?
 
JJ

David:
It is an NTFS partition, and there is only one hard drive in the system. If it is not
a virus, why would the boot sector be damaged on every boot? I believe
Win2000 won't attempt to modify the boot sector.

Thanks.
 
Gabriele Neukam

It is an NTFS partition, and there is only one hard drive in the system. If it is not
a virus, why would the boot sector be damaged on every boot? I believe
Win2000 won't attempt to modify the boot sector.

Not exactly, but AFAIK the boot sector virus would be neutered if an NT-based
system is started, so it could never re-infect the MBR, and
Windows has re-written the boot sector at boot-up since Win95; so there is a
possibility that your Windows installation is bad.

I would never have tried the fdisk /mumble route; it is no good for NT
and its successors. Try booting the system from an external device (e.g. a
prepared Bart's PE CD-ROM) and check if the system can be fixed by issuing
the fixmbr command (fixboot is probably needed for a revival of an XP
partition, if you installed any Win9x *after* the NT derivative).

HTH


Gabriele Neukam

 
David H. Lipman

From: "JJ" <[email protected]>

| David:
| It is an NTFS partition, and there is only one hard drive in the system. If it is not
| a virus, why would the boot sector be damaged on every boot? I believe
| Win2000 won't attempt to modify the boot sector.
|
| Thanks.
|


Go to the hard disk manufacturer's web site and download their diagnostic software
for your hard disk. After the test, you will know whether the hard disk is bad or
not.

Quantum/Maxtor - PowerMax
http://www.maxtor.com/en/support/downloads/powermax.htm

Western Digital - Data LifeGuard Tools (DLGDiag)
http://support.wdc.com/download/

Hitachi/IBM - Drive Fitness Test (DFT)
http://www.hgst.com/hdd/support/download.htm

Seagate - SeaTools
http://www.seagate.com/support/seatools/

Fujitsu - Diagnostic Tool
http://www.fcpa.com/download/hard-drives/

Samsung - Disk manager
http://www.samsung.com/Products/HardDiskDrive/utilities/shdiag.htm
 
Zvi Netiv

JJ said:
Hi:
Last week, after rebooting our Win2k SP4 server, the server came up with a Blue
Screen showing the Inaccessible_Boot_Device error, and it cannot even go into Safe
Mode. We used a Win2k startup CD to go into the Recovery Console and ran Chkdsk,
but it came up with nothing.

We used a DOS bootable disk and ran FDISK /MBR; the system was then able to boot
normally, after which a message popped up saying something like: "The system has
been updated and you would need to reboot your system to take effect".
Once rebooted, the system went into the Blue Screen again.

We then mounted the hard drive in another PC and ran several major
anti-virus products such as Norton and Kaspersky. They killed some suspicious
items, but we still got the Blue Screen again with the same error. We then had to
use FDISK /MBR again in order to boot normally.

It seems that the system was infected with some kind of boot sector
virus that erases the partition boot section on every successful boot.
But none of our major anti-virus software was able to disinfect it.
Does anyone have any thoughts on whether this is a virus? Is there any solution?

The symptoms described are atypical of boot viruses. None of the old and known
ones behave like that (the purpose of all viruses is to spread, while hanging
the computer is counter-effective from a virus writer's standpoint), and boot
viruses written recently won't spread in the wild since Windows NT. NT and its
derivatives are the wrong "habitat" for boot infectors to prosper in.

Yet the symptoms are typical of a dying hard drive. What follows is a possible
explanation of what you are experiencing.

Modern hard drives handle bad sectors differently than the older ones did. On the
latter, bad sectors were spotted by disk maintenance utilities and marked as
unusable in the FAT or MFT. Modern drives, OTOH, are produced and shipped with
a finite number of spare sectors, used to replace those that turn bad. The
replacement of a bad sector takes place on _writing_ to it.

What may be happening with your drive is that it produces bad sectors at an
increasing rate. If the MBR sector went marginal, or bad, then running FDISK
/MBR will not only rewrite the sector, but also replace the weak sector with a
spare one. Then the relocated sector will go bad in its turn, and another
replacement with FDISK /MBR will buy some more time ... and so on.

If the drive contains vital data, then my advice is to clone it (as long as you
still can) with a sector-by-sector duplicator (look at CloneDisk at
www.resq.co.il/resq.php , last paragraph; there are other packages as
well).

You may wish to verify the drive with diagnostic software, as advised by David,
but bear in mind that you may just exhaust its last breath before having
the chance to clone the drive.

Regards, Zvi
 
Zvi Netiv

Gabriele Neukam said:
Not exactly, but AFAIK the boot sector virus would be neutered if an NT-based
system is started, so it could never re-infect the MBR, and
Windows has re-written the boot sector at boot-up since Win95; so there is a
possibility that your Windows installation is bad.

You are correct that Win32 versions write to the MBR, but not systematically
and not on every boot; in particular, they do so when their double-word marker is
not found.
I would never have tried the fdisk /mumble route; it is no good for NT
and its successors.

That nonsense about FDISK /MBR has been repeated here too many times, and it's
time to give it up. As a matter of fact, FDISK /MBR is fine for NT too.
Although there is a minor difference between the MBR loader code since Windows
98 and that of earlier versions, FDISK /MBR from even DOS 6 will still write a
proper, functional MBR loader that starts W2K, and even XP.
Try booting the system from an external device (e.g. a
prepared Bart's PE CD-ROM) and check if the system can be fixed by issuing
the fixmbr command (fixboot is probably needed for a revival of an XP
partition, if you installed any Win9x *after* the NT derivative).

FIXMBR and FIXBOOT aren't external commands, and they are NOT available from
the Windows command prompt, NOR from the Bart PE command line! The two commands
are only available on booting from the W2K/XP setup CD, in "repair console"
mode!

In this particular case, the OP did the right thing in using FDISK /MBR,
although for the wrong reason (he was wasting time chasing a virus ghost
instead of backing up the data and replacing the drive).

Regards, Zvi
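Since the thread turns on what actually sits in sector 0 (the loader code that FDISK /MBR rewrites, the four partition entries, and the 4-byte NT disk signature at offset 0x1B8 that Zvi calls the double-word marker), here is an added example of how to inspect those fields from a raw MBR before deciding between a virus, a bad install and a dying drive. This is illustration code written for this page, not code from any of the posters; the sample sector it checks is constructed in the script and is not an image of a real disk, and the `read_mbr` helper for pulling sector 0 from a device or image file is an assumption about how you would feed it real data.

```python
"""Inspect a raw 512-byte MBR: boot signature, NT disk signature, partition table.

Added example for this thread; not code from any of the posters. The sample
sector built by build_sample_mbr() is constructed here and is not a real disk.
"""
import struct

MBR_SIZE = 512
LOADER_END = 0x1B8            # loader code occupies bytes 0x000-0x1B7
DISK_SIG_OFFSET = 0x1B8       # 4-byte NT disk signature (the "double-word marker")
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3xB3xII"  # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIG_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(raw: bytes) -> dict:
    """Decode one 16-byte partition-table entry."""
    boot_flag, ptype, lba_start, sectors = struct.unpack(PART_ENTRY_FMT, raw)
    return {"bootable": boot_flag == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def check_mbr(sector: bytes) -> dict:
    """Return the structural facts a technician wants from an MBR sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly %d bytes, got %d" % (MBR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        entry = parse_partition_entry(sector[off:off + 16])
        if entry["type"] != 0x00:        # type 0 marks an unused slot
            partitions.append(entry)
    return {
        "boot_signature_ok": sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == BOOT_SIGNATURE,
        "loader_is_blank": not any(sector[:LOADER_END]),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
        "has_active_partition": any(p["bootable"] for p in partitions),
    }


def findings(report: dict) -> list:
    """Turn check_mbr() output into plain observations; it states what is there, not why."""
    notes = []
    if not report["boot_signature_ok"]:
        notes.append("0x55AA boot signature missing: BIOS will not boot from this sector")
    if report["loader_is_blank"]:
        notes.append("loader area is all zeros: MBR code wiped or never written")
    if report["disk_signature"] == 0:
        notes.append("NT disk signature is zero: Windows will write a new one at boot")
    if not report["partitions"]:
        notes.append("partition table is empty")
    elif not report["has_active_partition"]:
        notes.append("no partition is flagged active")
    return notes


def build_sample_mbr(disk_signature=0x1234ABCD, blank_loader=False, active=True) -> bytes:
    """Construct a sample MBR (not a real disk image): one NTFS partition at LBA 63."""
    sector = bytearray(MBR_SIZE)
    if not blank_loader:
        sector[0:4] = b"\x33\xc0\x8e\xd0"  # stand-in for loader code: x86 'xor ax,ax; mov ss,ax'
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_signature)
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET,
                     0x80 if active else 0x00, 0x07, 63, 41943040)  # 0x07 = NTFS, ~20 GiB
    sector[BOOT_SIG_OFFSET:] = BOOT_SIGNATURE
    return bytes(sector)


def read_mbr(path: str) -> bytes:
    """Assumed helper: read sector 0 from an image file or a raw device node (privileges needed)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


if __name__ == "__main__":
    samples = (("healthy", build_sample_mbr()),
               ("wiped", build_sample_mbr(disk_signature=0, blank_loader=True, active=False)))
    for label, sector in samples:
        report = check_mbr(sector)
        print(label, "disk signature 0x%08X" % report["disk_signature"],
              "partition types", [hex(p["type"]) for p in report["partitions"]])
        for note in findings(report):
            print("  -", note)
```

Run against a sector-by-sector copy of the drive rather than the live disk where possible: a read of sector 0 is harmless, but on a drive that is remapping sectors the way Zvi describes, every pass is one you may not get again. The report deliberately stops at observations; a blank loader or a zero disk signature is consistent with FDISK /MBR having been run, with a fresh install, or with a sector that never read back correctly, and only the drive diagnostics David lists can tell those apart.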
 
