Norman Diamond
It seems that a friend got infected by a boot sector virus from something
that he picked up from the internet. Computer Associates' EZ-Armor runs
continuously but didn't block whatever needed blocking.
I booted his Windows XP Home CD (OEM but real, i.e. not a vendor's recovery
CD). In the repair console, the Diskpart command showed all partitions
intact, and the Dir command showed all top-level directories intact on
partitions D (where I had installed XP) and E (which he wasn't using yet,
but had System Volume Information and a bit of other stuff). He had already
booted a Windows ME emergency boot disk that he got from someone, and he had
done a Format C: because a magazine article said to, and it had worked
because I had created a small FAT32 C: partition for possible emergency use.
Well, no harm should have been caused by his actions, because it was easy
enough to use the Windows XP repair console to put the three necessary files
on the C: partition for XP to boot normally. But it didn't work.
In several continuing efforts, I used the Fixmbr and Fixboot commands
several times. Each time I used Fixmbr, it reported that the hard drive had
a non-standard or invalid MBR and warned of possible data loss, but I told
it Y. Yes I wanted to rewrite the MBR even if it might cause all the
partitions to be lost due to unknown manipulations by a boot sector virus.
But this warning wasn't going away. So finally I turned off the power,
booted the CD again, went straight to the repair console, ran Fixmbr, ran
Fixmbr again, ran Fixmbr again, and each time it said that it successfully
wrote the MBR but each next time it said that the hard drive still had a
non-standard or invalid MBR.
How does a boot sector virus survive all that, and how can I get rid of it?
Some bright people will guess that I was hitting the wrong drive's MBR, but
no, there's only one hard drive with a small primary partition and two
logical drives in an extended partition.
By the way I deleted Gator from his machine about a week earlier. I don't
know what he had run that brought Gator in, and I don't know why he told
EZ-Armor's version of Zone Alarm to allow Gator to download more garbage,
sigh. Hmm, does Gator garbage detect if Gator is only partly deleted and
then smash the victim's MBR? But even if so, still how does it survive
booting a Windows XP CD and running Fixmbr?
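One thing worth knowing when chasing a problem like the one above: a Fixmbr-style repair rewrites the master boot code (the first 446 bytes of sector 0) and leaves the 64-byte partition table in place, and it never touches the extended boot records (EBRs) that describe the logical drives. Anything that is not in those 446 bytes survives it. So the useful diagnostic, done from clean boot media, is to dump sector 0 and every EBR in the chain, verify their 0xAA55 signatures, check that the chain stays inside the extended partition, and hash the boot code against a known-good copy. The following is an added example in Python, not code from the post or from any Microsoft tool; the disk layout (one small FAT32 primary plus an extended partition with two logical NTFS volumes) is constructed to match the description in the post, the sizes are arbitrary, and the "good" boot code is a placeholder pattern, not real Windows MBR code.

```python
"""Parse an MBR-partitioned disk: sector 0 plus the EBR chain of an extended
partition, with sanity checks and a boot-code hash. Constructed example."""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = 0xAA55
EXTENDED_TYPES = {0x05, 0x0F}   # extended container, CHS (0x05) or LBA (0x0F) addressed
ENTRY_FMT = "<B3xB3xII"         # status, CHS start (skipped), type, CHS end (skipped), LBA start, LBA size


def build_sector(boot_code, entries):
    """Assemble a 512-byte MBR/EBR: boot code, up to four
    (status, type, lba_start, lba_size) slots at offset 446, 0xAA55 at 510.
    Helper used only to build the constructed disk below."""
    sec = bytearray(SECTOR)
    code = boot_code[:446]
    sec[:len(code)] = code
    for i, (status, ptype, start, size) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sec, 446 + 16 * i, status, ptype, start, size)
    struct.pack_into("<H", sec, 510, BOOT_SIG)
    return bytes(sec)


def parse_entries(sector):
    """Return the used partition-table slots of one MBR/EBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("sector must be 512 bytes")
    if struct.unpack_from("<H", sector, 510)[0] != BOOT_SIG:
        raise ValueError("missing 0xAA55 boot signature")
    slots = []
    for i in range(4):
        status, ptype, start, size = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype:                   # type 0x00 marks an unused slot
            slots.append({"status": status, "type": ptype, "start": start, "size": size})
    return slots


def walk_partitions(read_sector):
    """Enumerate primaries from sector 0 and logicals from the EBR chain.
    read_sector(lba) must return the 512-byte sector at that LBA.
    Returns a list of (kind, type, absolute_start_lba, size_in_sectors)."""
    found = []
    for e in parse_entries(read_sector(0)):
        if e["type"] not in EXTENDED_TYPES:
            found.append(("primary", e["type"], e["start"], e["size"]))
            continue
        ext_start, ext_end = e["start"], e["start"] + e["size"]
        ebr_lba, seen = ext_start, set()
        while ebr_lba:
            # A link that leaves the container or revisits an EBR is corrupt;
            # refuse to follow it rather than loop forever.
            if ebr_lba in seen or not ext_start <= ebr_lba < ext_end:
                raise ValueError(f"bad EBR link to LBA {ebr_lba}")
            seen.add(ebr_lba)
            next_lba = 0
            for slot in parse_entries(read_sector(ebr_lba)):
                if slot["type"] in EXTENDED_TYPES:
                    next_lba = ext_start + slot["start"]    # link is relative to the container
                else:
                    # logical volume start is relative to its own EBR
                    found.append(("logical", slot["type"], ebr_lba + slot["start"], slot["size"]))
            ebr_lba = next_lba
    return found


def boot_code_hash(sector):
    """SHA-256 of the 446 bytes of boot code, the only part of sector 0 that
    a Fixmbr-style repair replaces; compare with a dump you trust."""
    return hashlib.sha256(sector[:446]).hexdigest()


# Constructed disk (dict of LBA -> sector, standing in for a raw image): a small
# bootable FAT32 primary (C:) and an extended container with two logical NTFS
# volumes (D:, E:). GOOD_CODE is a placeholder pattern, NOT real Windows MBR code.
GOOD_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 438
EXT_START = 2110
DISK = {
    0: build_sector(GOOD_CODE, [(0x80, 0x0B, 63, 2047), (0x00, 0x0F, EXT_START, 100000)]),
    EXT_START: build_sector(b"", [(0x00, 0x07, 63, 49937), (0x00, 0x05, 50000, 50000)]),
    EXT_START + 50000: build_sector(b"", [(0x00, 0x07, 63, 49937)]),
}
# Same partition table, different boot code: only the 446-byte code part replaced.
TAMPERED_MBR = b"\xeb\xfe" + b"\x00" * 444 + DISK[0][446:]
# First EBR whose "next" link points back at itself (relative start 0).
LOOPED_DISK = dict(DISK)
LOOPED_DISK[EXT_START] = build_sector(b"", [(0x00, 0x07, 63, 49937), (0x00, 0x05, 0, 50000)])

if __name__ == "__main__":
    for kind, ptype, start, size in walk_partitions(DISK.__getitem__):
        print(f"{kind:8s} type=0x{ptype:02X} start={start:>7d} size={size}")
    print("boot code differs from reference:",
          boot_code_hash(TAMPERED_MBR) != boot_code_hash(DISK[0]))
```

To use this on a real machine, take a raw image from clean boot media (for instance with dd) and pass `lambda lba: f.seek(lba * 512) or f.read(512)` as `read_sector`; the point of the hash is that a table which parses cleanly says nothing about the code in front of it, and a chain that parses cleanly says nothing about sectors the chain never references.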