Boot sector virus - NTFS?

Briggers

I believe I have a boot sector virus; both HDs were installed on the PC, the PC
crashed and would not re-boot. When I tried to re-install XP Pro on the main
HD I got "Windows has detected a fault and has shut down" reports ending with
0x0000007b etc. This also happened when I tried to install XP on the other
drive.

I installed XP on a clean drive without any problems until I set one of the
original drives up as a slave - this made the clean HD unbootable.

McAfee told me that you cannot get a boot sector virus on a disk formatted
to NTFS. If this is true, what's the problem?

Any help would be very gratefully received.

David Brigden
 
Steve N.

Briggers said:
I believe I have a boot sector virus; both HDs were installed on the PC, the PC
crashed and would not re-boot. When I tried to re-install XP Pro on the main
HD I got "Windows has detected a fault and has shut down" reports ending with
0x0000007b etc. This also happened when I tried to install XP on the other
drive.

I installed XP on a clean drive without any problems until I set one of the
original drives up as a slave - this made the clean HD unbootable.

McAfee told me that you cannot get a boot sector virus on a disk formatted
to NTFS. If this is true, what's the problem?

It's not true and you must have mis-read something. Boot sector viruses
don't give a rip what file system the drive is formatted with; the boot
sector itself is independent of the file system, although the MBR
(Master Boot Record) does contain some FS information, but they are not
the same thing. Re-formatting a drive will not remove a boot sector
virus, neither will deleting and re-creating the primary partition and
re-installing the OS. Re-writing the MBR will, though, using either
FDISK /MBR after booting from a Win98 boot diskette or FIXMBR after
booting from an XP CD, as this also re-writes the boot sector with
generic bootstrap code.

Steve
 
Briggers

Steve N. said:
It's not true and you must have mis-read something. Boot sector viruses
don't give a rip what file system the drive is formatted with; the boot
sector itself is independent of the file system, although the MBR (Master
Boot Record) does contain some FS information, but they are not the same
thing. Re-formatting a drive will not remove a boot sector virus, neither
will deleting and re-creating the primary partition and re-installing the
OS. Re-writing the MBR will, though, using either FDISK /MBR after booting
from a Win98 boot diskette or FIXMBR after booting from an XP CD, as
this also re-writes the boot sector with generic bootstrap code.

Steve

Thanks Steve,

Good info! Andy, one of the techies at McAfee did say that NTFS cannot get a
boot sector virus - I must get back to him.

Can I run FDISK/MBR or FIXMBR from a command window in XP?

Thanks

David
 
Malke

Briggers wrote:

Good info! Andy, one of the techies at McAfee did say that NTFS cannot
get a boot sector virus - I must get back to him.

Can I run FDISK/MBR or FIXMBR from a command window in XP?

No, of course not. You have to be *outside* the operating system to do
this. Either boot with your XP cd and start the Recovery Console and
run "fixmbr" or boot with a Win98 floppy and do "fdisk /mbr". Note that
there is a space between "fdisk" and "/mbr".

Malke
 
Steve Nielsen

Briggers said:
Thanks Steve,

Good info! Andy, one of the techies at McAfee did say that NTFS cannot get a
boot sector virus - I must get back to him.

Can I run FDISK/MBR or FIXMBR from a command window in XP?

No. As I said, the MBR can be re-written with FDISK /MBR after booting
from a Win98 boot diskette or with FIXMBR after booting from an XP CD.

Thanks

David

You're welcome.

Steve
 
Rock

Briggers said:
I believe I have a boot sector virus; both HDs were installed on the PC, the PC
crashed and would not re-boot. When I tried to re-install XP Pro on the main
HD I got "Windows has detected a fault and has shut down" reports ending with
0x0000007b etc. This also happened when I tried to install XP on the other
drive.

I installed XP on a clean drive without any problems until I set one of the
original drives up as a slave - this made the clean HD unbootable.

McAfee told me that you cannot get a boot sector virus on a disk formatted
to NTFS. If this is true, what's the problem?

Any help would be very gratefully received.

David Brigden

0x0000007B: INACCESSIBLE_BOOT_DEVICE
http://aumha.org/win5/kbestop.htm
 
Alex Nichol

Briggers said:
I installed XP on a clean drive without any problems until I set one of the
original drives up as a slave - this made the clean HD unbootable.

McAfee told me that you cannot get a boot sector virus on a disk formatted
to NTFS. If this is true, what's the problem?

That is not true at all. The boot sector is code run well before the
partition on the hard disk has been accessed to find what file system is in
use. What you have sounds like one of the boot sector viruses that
moves the partition table of the drive away to make some room for
itself. If the virus code is not executed (because you are no longer
booting that drive) then it does not provide the access to that moved
table.

What I suggest is getting MBRWORK from the free tools at
www.bootitng.com
Put it on an MS-DOS startup disk (e.g. as made as an option when you format
a floppy from My Computer).

While this has an option to work with multiple drives it might be most
sensible if for the moment you have the questionable one connected,
alone, in the normal boot place. Then boot the floppy and run
MBRWORK
Use its commands:
1 - to back up, so you could unwind with 2
3 then 4 - to delete current items in the first track; there will then be the
possibility of
A - to scan the drive for partitions and make a new table
5 - to write new MBR code so it could be booted if you ever wanted to
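The recovery Alex describes, scanning the disk for partitions and writing a fresh table from what is found, can be modelled in a few dozen lines. The script below is an added example written for this page; it is not MBRWORK and not code from any participant. It walks a constructed in-memory disk image sector by sector, recognises NTFS boot sectors by their OEM ID, bytes-per-sector field and 0x55AA signature, and writes fresh partition-table entries for them into a generic MBR. Assumptions: the disk image, the NTFS boot sectors in it and the two-byte placeholder boot code are all constructed here; the NTFS TotalSectors field (offset 0x28) is taken to exclude the backup boot sector kept in the partition's last sector, so each rebuilt entry is one sector larger than that field; and a real tool would also verify the backup boot sector and honour an existing, non-empty table rather than blindly replacing it.

```python
"""Rebuild a lost MBR partition table by scanning for NTFS boot sectors.

Added example, not MBRWORK and not code from the thread. Models what the post
above describes MBRWORK's "A" option doing. The disk image is constructed in
memory so the script runs offline; a real run would read LBA 0.. from a raw
device or image file.
"""
import struct

SECTOR = 512
NTFS_OEM = b"NTFS    "          # OEM ID at offset 3 of an NTFS boot sector
NTFS_TYPE = 0x07                # MBR partition type used for NTFS volumes
CHS_LBA_ONLY = b"\xFE\xFF\xFF"  # CHS fields meaning "use the LBA fields"


def ntfs_boot_sector(total_sectors: int, bytes_per_sector: int = SECTOR) -> bytes:
    """Construct a minimal NTFS boot sector carrying only the fields the
    scanner reads: jump, OEM ID, bytes/sector (0x0B), total sectors (0x28)
    and the 0x55AA signature. This is sample data, not a mountable volume."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = NTFS_OEM
    struct.pack_into("<H", bs, 0x0B, bytes_per_sector)
    struct.pack_into("<Q", bs, 0x28, total_sectors)
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)


def find_ntfs_volumes(image: bytes):
    """Yield (start_lba, partition_sectors) for every sector that looks like
    an NTFS boot sector. Assumption: TotalSectors excludes the backup boot
    sector in the partition's last sector, so the partition is one bigger."""
    n_sectors = len(image) // SECTOR
    for lba in range(1, n_sectors):               # LBA 0 is the MBR itself
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[510:512] != b"\x55\xAA" or s[3:11] != NTFS_OEM:
            continue
        bps = struct.unpack_from("<H", s, 0x0B)[0]
        total = struct.unpack_from("<Q", s, 0x28)[0]
        # Reject OEM strings that merely occur inside file data: the BPB must
        # be plausible and the volume must fit on the disk.
        if bps != SECTOR or total == 0 or lba + total + 1 > n_sectors:
            continue
        yield lba, total + 1


def rebuild_mbr(image: bytes, boot_code: bytes = b"\xEB\xFE") -> bytes:
    """Return a new MBR sector built purely from scanning: placeholder boot
    code (a two-byte 'jmp $' loop, not a real loader) in bytes 0..445, one
    16-byte entry per volume found at offset 446, signature at 510."""
    if len(boot_code) > 446:
        raise ValueError("boot code must fit in 446 bytes")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (start, size) in enumerate(list(find_ntfs_volumes(image))[:4]):
        status = 0x80 if i == 0 else 0x00         # first volume marked active
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i, status, CHS_LBA_ONLY,
                         NTFS_TYPE, CHS_LBA_ONLY, start, size)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def make_damaged_image() -> bytes:
    """Constructed 300-sector disk: an MBR whose partition table has been
    zeroed (as after a stealth virus displaced it) and one NTFS volume
    starting at LBA 63 that spans 200 sectors (TotalSectors field = 199)."""
    disk = bytearray(SECTOR * 300)
    disk[0] = 0xE9                                 # some code, empty table
    disk[510:512] = b"\x55\xAA"
    disk[63 * SECTOR:64 * SECTOR] = ntfs_boot_sector(total_sectors=199)
    return bytes(disk)


if __name__ == "__main__":
    img = make_damaged_image()
    for start, size in find_ntfs_volumes(img):
        print(f"NTFS volume at LBA {start}, {size} sectors")
    print("rebuilt entry 0:", rebuild_mbr(img)[446:462].hex())
```

On a real disk the same scan is what lets you recover from a displaced table without the virus's redirection code, but it is only as good as its signature checks: anything that matches OEM ID, sector size and signature would be accepted, which is why the scan also refuses volumes that run past the end of the disk and why a production tool cross-checks the backup boot sector before committing.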
 
Alex Nichol

Malke said:
No, of course not. You have to be *outside* the operating system to do
this. Either boot with your XP cd and start the Recovery Console and
run "fixmbr" or boot with a Win98 floppy and do "fdisk /mbr". Note that
there is a space between "fdisk" and "/mbr".

If as it sounds the disk does have one of the boot viruses that
displaces the partition table, that will make it inaccessible. See my
suggestion, separately
 
Malke

Alex said:
If as it sounds the disk does have one of the boot viruses that
displaces the partition table, that will make it inaccessible. See my
suggestion, separately

Thanks, Alex. I've made a note of your comments.

Malke
 
Steve Nielsen

Alex said:
That is not true at all. The boot sector is code run well before the
partition on the hard disk has been accessed to find what file system is in
use. What you have sounds like one of the boot sector viruses that
moves the partition table of the drive away to make some room for
itself. If the virus code is not executed (because you are no longer
booting that drive) then it does not provide the access to that moved
table.

What I suggest is getting MBRWORK from the free tools at
www.bootitng.com
Put it on an MS-DOS startup disk (e.g. as made as an option when you format
a floppy from My Computer).

While this has an option to work with multiple drives it might be most
sensible if for the moment you have the questionable one connected,
alone, in the normal boot place. Then boot the floppy and run
MBRWORK
Use its commands:
1 - to back up, so you could unwind with 2
3 then 4 - to delete current items in the first track; there will then be the
possibility of
A - to scan the drive for partitions and make a new table
5 - to write new MBR code so it could be booted if you ever wanted to

Interesting sounding tool, I'll have to check it out. But for the sake
of quickly fixing the OP's problem would it not be easier to simply use
FDISK /MBR or FIXMBR?

Steve
 
Alex Nichol

Steve said:
Interesting sounding tool, I'll have to check it out. But for the sake
of quickly fixing the OP's problem would it not be easier to simply use
FDISK /MBR or FIXMBR?

Not if he has one of the nasty boot viruses I am pretty sure he has.
Those displace the partition table and replace the MBR code with their
own, one part of which allows access to the displaced PT as needed. So
if you FDISK /MBR and restore standard code, this redirection is no
longer possible and the PT is inaccessible. Or if, as in his case, you
move the disk so you no longer boot via the virus's modified code.

You could get the same happen with some of the BIOS extender programs on
disks used with very old BIOSes, e.g. Ontrack, but that is unlikely these
days.
 
Al Dykes

It's not true and you must have mis-read something. Boot sector viruses
don't give a rip what file system the drive is formatted with; the boot
sector itself is independent of the file system, although the MBR
(Master Boot Record) does contain some FS information, but they are not
the same thing. Re-formatting a drive will not remove a boot sector
virus, neither will deleting and re-creating the primary partition and
re-installing the OS. Re-writing the MBR will, though, using either
FDISK /MBR after booting from a Win98 boot diskette or FIXMBR after
booting from an XP CD, as this also re-writes the boot sector with
generic bootstrap code.

Steve


Are boot sector viruses even possible in NT/w2k/XP/Linux? ISTM that
the user has to boot an infected floppy (or a CD, I guess) that writes a
virus on the hard disk before the real OS takes over.
 
Steve N.

Al said:
Are boot sector viruses even possible in NT/w2k/XP/Linux?

Yes.

ISTM that
the user has to boot an infected floppy (or a CD, I guess) that writes a
virus on the hard disk before the real OS takes over.

Yes, that is a common infection method and is irrespective of the OS,
but running an infected executable within the OS can also infect the
disk with some boot sector viruses.

Steve
 
Steve Nielsen

Alex said:
Not if he has one of the nasty boot viruses I am pretty sure he has.
Those displace the partition table and replace the MBR code with their
own, one part of which allows access to the displaced PT as needed. So
if you FDISK /MBR and restore standard code, this redirection is no
longer possible and the PT is inaccessible. Or if, as in his case, you
move the disk so you no longer boot via the virus's modified code.

You could get the same happen with some of the BIOS extender programs on
disks used with very old BIOSes, e.g. Ontrack, but that is unlikely these
days.

This doesn't make sense to me. The MBR and PT occupy the same sector.
When a standard MBR is written does it not re-write the PT as well?

Yes, I know about things like Ontrack's non-standard MBR and BIOS
translation; writing a standard MBR to a disk using that will result in a
non-bootable/inaccessible drive.

Steve
 
Bill Blanton

This doesn't make sense to me. The MBR and PT occupy the same sector.
When a standard MBR is written does it not re-write the PT as well?

An fdisk /mbr only replaces the code portion of the mbr. It leaves the tables
alone in normal circumstances. The exception is if the ending sector signature
is missing from the mbr sector. In that case it will overwrite the tables as
one "big" primary.
Yes, I know about things like Ontrack's non-standard MBR and BIOS
translation; writing a standard MBR to a disk using that will result in a
non-bootable/inaccessible drive.

As well as "stealth" boot viruses that relocate the tables, as mentioned.
 
Steve N.

Bill said:
An fdisk /mbr only replaces the code portion of the mbr. It leaves the tables
alone in normal circumstances. The exception is if the ending sector signature
is missing from the mbr sector. In that case it will overwrite the tables as
one "big" primary.

Thanks. Didn't know that. I've always thought of the MBR as containing the PT.
As well as "stealth" boot viruses that relocate the tables, as mentioned.

Got it.

Steve
 
Alex Nichol

Steve said:
This doesn't make sense to me. The MBR and PT occupy the same sector.
When a standard MBR is written does it not re-write the PT as well?

No. It only rewrites the MBR code. It has no basis for finding what
should be in the PT and leaves that area of the sector alone
 
Steve Nielsen

Alex said:
No. It only rewrites the MBR code. It has no basis for finding what
should be in the PT and leaves that area of the sector alone

Got it. Thanks Alex.

Steve
 
CZ

Steve wrote:
This doesn't make sense to me. The MBR and PT occupy the same sector.
When a standard MBR is written does it not re-write the PT as well?

Alex wrote:
No. It only rewrites the MBR code. It has no basis for finding what
should be in the PT and leaves that area of the sector alone

Alex:

Not true. If the Boot Record Signature is missing from the end of the MBR
sector, then the partition table should be overwritten.

Per MS TechNet:
"Running Fdisk /mbr in MS-DOS overwrites only the first 446 bytes of the
MBR, the portion known as the master boot code, leaving the existing
partition table intact. However, if the signature word (the last two bytes
of the MBR) has been deleted, the partition table entries are overwritten
with zeros."
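The layout the thread settles on (446 bytes of master boot code, a 64-byte partition table at offset 446, the 0x55AA signature word at offset 510) and the two documented behaviours of FDISK /MBR from the TechNet quote above (replace only the code when the signature is present; zero the table entries when it is missing) are captured in the following model. It is an added example written for this page, not Microsoft's FDISK or FIXMBR and not code from any participant. Assumptions: the "generic" boot code is a two-byte placeholder rather than the real bootstrap, the sample MBRs are constructed in memory, and the "infected" code bytes stand in for whatever overwrote the original loader and carry no virus logic.

```python
"""Model of what FDISK /MBR does to the 512-byte master boot record.

Added example for the thread's discussion; not Microsoft's code. It follows
the TechNet description quoted in the thread: bytes 0..445 (master boot
code) are replaced, the 64-byte partition table at offset 446 is left intact,
and the signature word at offset 510 is written; if that signature was
missing, the four partition-table entries are overwritten with zeros.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
CODE_LEN = 446
TABLE_OFF = 446
SIG_OFF = 510
SIGNATURE = b"\x55\xAA"
GENERIC_CODE = b"\xEB\xFE"      # placeholder 'jmp $' loop, not a real loader
CHS_LBA_ONLY = b"\xFE\xFF\xFF"  # CHS fields meaning "use the LBA fields"


@dataclass
class PartitionEntry:
    status: int      # 0x80 = active/bootable, 0x00 = inactive
    ptype: int       # partition type byte, e.g. 0x07 for NTFS
    start_lba: int   # first sector of the partition
    sectors: int     # length in sectors

    @classmethod
    def unpack(cls, raw: bytes) -> "PartitionEntry":
        status, _chs_s, ptype, _chs_e, start, size = struct.unpack("<B3sB3sII", raw)
        return cls(status, ptype, start, size)

    def pack(self) -> bytes:
        return struct.pack("<B3sB3sII", self.status, CHS_LBA_ONLY, self.ptype,
                           CHS_LBA_ONLY, self.start_lba, self.sectors)

    @property
    def empty(self) -> bool:
        return self.ptype == 0 and self.sectors == 0


def parse_table(mbr: bytes):
    """Return the four 16-byte partition entries found at offset 446."""
    return [PartitionEntry.unpack(mbr[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)])
            for i in range(4)]


def fdisk_mbr(mbr: bytes, new_code: bytes = GENERIC_CODE) -> bytes:
    """Rewrite the master boot code the way FDISK /MBR is documented to:
    replace bytes 0..445, keep the table, (re)write the signature, but zero
    the table if the signature was absent in the input sector."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if len(new_code) > CODE_LEN:
        raise ValueError("boot code must fit in 446 bytes")
    out = bytearray(mbr)
    out[:CODE_LEN] = new_code.ljust(CODE_LEN, b"\x00")
    if mbr[SIG_OFF:] != SIGNATURE:
        out[TABLE_OFF:SIG_OFF] = bytes(64)   # signature missing: table zeroed
    out[SIG_OFF:] = SIGNATURE
    return bytes(out)


def build_mbr(entries, code: bytes, with_signature: bool = True) -> bytes:
    """Assemble a sample sector from code, up to four entries and an optional
    signature. Only used to construct the inputs below; a real MBR is LBA 0."""
    mbr = bytearray(SECTOR)
    mbr[:len(code)] = code
    for i, e in enumerate(entries[:4]):
        mbr[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)] = e.pack()
    if with_signature:
        mbr[SIG_OFF:] = SIGNATURE
    return bytes(mbr)


# Constructed sample: one NTFS partition and code bytes that are not the
# generic loader (standing in for an overwritten MBR; no virus logic here).
NTFS_PART = PartitionEntry(status=0x80, ptype=0x07, start_lba=63, sectors=2_000_000)
FOREIGN_CODE = b"\xE9\x00\x00" + b"\x90" * 40


def demo():
    """Run both documented cases and return (repaired, wiped) sectors."""
    signed = build_mbr([NTFS_PART], FOREIGN_CODE)
    repaired = fdisk_mbr(signed)
    assert parse_table(repaired)[0] == NTFS_PART        # table survives
    assert repaired[:len(GENERIC_CODE)] == GENERIC_CODE  # code replaced
    unsigned = build_mbr([NTFS_PART], FOREIGN_CODE, with_signature=False)
    wiped = fdisk_mbr(unsigned)
    assert all(e.empty for e in parse_table(wiped))     # table zeroed
    return repaired, wiped


if __name__ == "__main__":
    repaired, wiped = demo()
    print("signed MBR after fdisk /mbr  :", parse_table(repaired)[0])
    print("unsigned MBR after fdisk /mbr:", parse_table(wiped))
```

The model also makes Alex's objection concrete: a stealth virus that relocates the table and leaves its own redirection code in bytes 0..445 is, to this routine, just "code to be replaced"; the table bytes at 446 are preserved exactly as found, which is no help if the real entries now live somewhere else on the first track. Back up LBA 0 (and, as the MBRWORK post suggests, the rest of track 0) before running any MBR rewrite, since neither FDISK /MBR nor this model keeps a copy.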
 
