VIRUS in MBR?

Guest

How do you go about finding out if you have a virus and how do you remove it
if your computer won't boot up? How do you prevent loss of data when your
MBR has been changed by a virus? What exactly happens if you use FDISK /MBR?

Thanks.
 
Why is it you think you have a virus in the master boot record?

You are using some sort of virus-detection software? Doesn't it find it?
 
Rob Schneider said:
Why is it you think you have a virus in the master boot record?

You are using some sort of virus-detection software? Doesn't it find it?

I had a message pop up telling me that my boot record was changed and then
after that my computer won't reboot. I'm guessing a virus will do that. I
tried to use Norton to fix the problem the moment I got that message, but I
wasn't able to get it to work. Now I can't boot from that hard drive. I'm
searching for viruses from a different hard drive on the same motherboard but
nothing has come up so far. I just read that you should try to remove
viruses and not rely on FIXMBR.
http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prkd_tro_oxhc.asp

I'm just trying to figure out if I can even save the data on the hard drive
or if I'm stuck having to start over from scratch and reinstall everything.

H
 
The CDs for anti-virus software (such as Norton) are normally bootable
and will scan the MBR. Of course, it may not help if the virus in
question is newer than the CD.

FDISK/MBR will write a new MBR. The partition data table will come from
the old MBR, but not the boot code, so normally you can do it without
screwing up your drive, but it's not guaranteed (some of the viruses will
"mung" the table so that you can only boot properly via the virus).
 
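What FDISK /MBR rewrites and what it leaves alone is easiest to see on the raw sector. The script below is an added example, not code from this thread or from Microsoft's tools: it parses a 512-byte MBR, hashes the boot code, emulates the FDISK /MBR (or Recovery Console fixmbr) rewrite of bytes 0..445 while keeping the 64-byte partition table and the 0x55AA signature, and reports exactly what changed. The "clean" boot code, its hash, and the disk layout are constructed stand-ins; on a real machine you would read sector 0 from the disk (for instance with dd from a rescue system) instead of building it in memory.

```python
"""Inspect a 512-byte MBR and emulate what FDISK /MBR (or the XP Recovery
Console's fixmbr) writes back. The boot code, hashes and disk layout are
constructed stand-ins, not Microsoft code or a real disk image."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446        # bytes 0..445: x86 boot code the BIOS jumps into
PT_OFFSET = 446            # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xAA"    # bytes 510..511: signature the BIOS insists on

# Constructed stand-in for a known-good loader (cli / xor ax,ax / mov ss,ax /
# mov sp,7C00h / sti, zero-padded). Its hash is what we trust later.
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB".ljust(BOOT_CODE_LEN, b"\x00")
KNOWN_GOOD = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}


def make_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """One 16-byte partition entry; CHS fields carry the 'use LBA' marker."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xFE\xFF\xFF",
                       ptype, b"\xFE\xFF\xFF", lba_start, sectors)


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    table = b"".join(entries).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Boot-code hash, whether it matches a trusted loader, and the non-empty
    partition entries. Raises if the sector is not a valid MBR at all."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    parts = []
    for i in range(4):
        raw = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype:
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest,
            "boot_code_known_good": digest in KNOWN_GOOD,
            "partitions": parts}


def fdisk_mbr(sector: bytes, new_code: bytes = CLEAN_BOOT_CODE) -> bytes:
    """Emulate FDISK /MBR: rewrite bytes 0..445 and keep the partition table
    and signature exactly as found on disk, whatever state they are in."""
    parse_mbr(sector)                              # refuse to touch a non-MBR
    if len(new_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in 446 bytes")
    return new_code.ljust(BOOT_CODE_LEN, b"\x00") + sector[PT_OFFSET:SECTOR]


def diff_mbr(before: bytes, after: bytes) -> dict:
    """The feedback 'FIXMBR said it worked' never gives you: what changed."""
    return {"boot_code_changed": before[:PT_OFFSET] != after[:PT_OFFSET],
            "table_changed": before[PT_OFFSET:510] != after[PT_OFFSET:510],
            "now_known_good": parse_mbr(after)["boot_code_known_good"]}


# Constructed layout: one bootable NTFS (type 0x07) partition at LBA 63.
HEALTHY = build_mbr(CLEAN_BOOT_CODE, [make_entry(True, 0x07, 63, 20_000_000)])

# Case 1: the virus replaced only the boot code; the table is intact.
INFECTED_CODE_ONLY = (b"\xEB\xFE VIRUS-STUB".ljust(BOOT_CODE_LEN, b"\x00")
                      + HEALTHY[PT_OFFSET:])

# Case 2: the virus also "munged" the table (zeroed it here) and keeps the
# real entries to itself, so the disk boots only through the virus's code.
INFECTED_MUNGED = INFECTED_CODE_ONLY[:PT_OFFSET] + bytes(64) + SIGNATURE

if __name__ == "__main__":
    for name, img in (("code only", INFECTED_CODE_ONLY), ("munged", INFECTED_MUNGED)):
        fixed = fdisk_mbr(img)
        print(name, diff_mbr(img, fixed), parse_mbr(fixed)["partitions"])
```

The "munged" case is the caveat in the post above: once the partition table itself has been scrambled, a fresh boot loader boots cleanly into nothing, which is also how a fixmbr can report success while nothing visibly changes. Hash sector 0 before you touch it, keep a copy of it, and compare the boot code and table afterwards rather than trusting the tool's "worked" message.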
Gator--

Right now your analysis is based completely on loose conjecture. I'm not
criticizing *you*, but why spin your wheels chasing demons that might not
exist? You don't have any evidence at all of a boot sector or any other
virus yet, and you have an error that says your MBR has been reconfigured.
As you know as with any disease, a lot of symptoms occur that can be from
disparate causes. Can you get up to Windows at all? Can you F8 to Safe Mode
and System Restore? What happens when you F8 and try Last Known Good
Configuration? How about booting from the CD and trying a repair install?

How to Perform a Windows XP Repair Install
http://www.michaelstevenstech.com/XPrepairinstall.htm

Once you get to Windows, run a viral scan and go from there. Your virus CD
should have a mechanism if you can't boot, but I'd try to get to Windows and
run a viral scan.

How to Protect Boot Sector from Viruses in Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;122221&Product=winxp

Detection of a Boot Virus
http://www.viruslist.com/eng/viruslistbooks.html?id=85

Disk Concepts and Troubleshooting: MBR Viruses
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/prork/prcb_dis_ttbv.asp

Resources for troubleshooting startup problems in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;308041&Product=winxp

hth,

Chad Harris
____________________________________________________________
 
Thanks Chad, and to answer your questions...
As you know as with any disease, a lot of symptoms occur that can be from
disparate causes. Can you get up to Windows at all? *no*

Can you F8 to Safe Mode and System Restore?
*don't know, I just let it boot as far as it will go and it finishes on a
screen telling me to pick a mode and then it just reboots*
What happens when you F8 and try Last Known Good Configuration?
*I don't push F8 but picking Last Known Good from the before mentioned
screen reboots computer and takes me back to the same screen*
How about booting from the CD and trying a repair install?
*a suggestion I will try*

Yes, a lot of conjecture because I had no idea what happened and I
didn't know what to try first. Running the virus scan from my other hard
drive was up to date and it didn't find any viruses at all on any hard
drives, MBRs, etc.
I've read a great deal more since I posted yesterday and I'm starting
to understand where I need to launch my attack from and what the different
actions will result in. I will reboot and try to use the F8 key to access
safe mode and last known good. After that I will try to boot from the CD and
do the repair install, if I get into windows I'll run the virus scan.
What type of program could have manipulated my boot record in the first
place? This happened on two different hard drives, one running ME and the
other XP Home.

I will continue to read and thanks for all the help.
-H
 
Gator--

The light to turn the corner to get to the end of the tunnel is to get you
to Windows. Once there, you can get all kind of good advice here to
troubleshoot your MBR and rule out a virus and if you have to what to do.
I'm not sure of your backup situation, and I always play these assuming
someone may not have the current backup they wish they had so I don't want
you to lose any data (documents, pictures, etc.).

*What kind of program could have manipulated your MBR in the first place?*
I'm not sure but some 3rd party snap shot programs like Roxio Go Back mess
with the MBR and they *can* spell disaster because of it. Remember too,
not every Windows error message is a literally accurate reflection of what's
really happening. I'm purist enough to not want any 3rd party reconfiguring
a Windows MBR--to me it's like someone screwing with an elevator on its way
to the top of a skyscraper to use an elegant analogy. {: >) I know you're
concerned about that error message you saw, and to investigate what happened
further, you may get info from Event Viewer by going to your run box, typing
in "eventvwr.msc" and under Application and System scroll down to the time
you got the error and read the yellow and red-marked error messages under
both categories.

I know that you are concerned about your MBR but if you get to Windows and
rule out a virus, and things work well and you don't see that error message,
I wouldn't worry about it at that point unless and until you get a signal
somethings up or there is a problem.

1) Your fastest and easiest way to Windows if it works is to F8 to Safe Mode
and then run System Restore. If you get there, just put "restore" in your
run box, and then click on "rstrui." But anyway you want to go to System
Restore--Help and Support/msconfig/Accessories is fine--they all get there.

SR is definitely superior to LKG, because one of the problems with LKG is
that it is a snapshot from your last boot and a lot could have happened
since then. I rarely see LKG work in all honesty, although the team that
wrote the XP Resource Kit seems to think it's the first thing to try. I
really respectfully disagree with them. LKG has 2 downsides: 1) it
statistically rarely ever works--2) you lose changes to settings and
configurations you made *since* your last start and that can be a long time
for some of us--days even.

2) You could boot to the Recovery Console and run the fixmbr command, but
you really don't know whether it fixed it or not, and although it can be
useful to access the OS when you can't get to windows and is very powerful
in rebuilding components, I would use it as a last resort because of its
unpredictability. I do like using it to run chkdsk /r in selected
situations.

Here are some links for a repair/upgrade install which I think you will have
a reasonable chance to get back with.

How to Perform a Windows XP Repair Install
http://www.michaelstevenstech.com/XPrepairinstall.htm

How to install or upgrade to Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;316941&Product=winxp

Chad Harris
_________________________________________________
 
Ok, here's an update...

I attempted to use F8 at many different times during the boot up process and
nothing happened. I was taken back to the screen that says... (paraphrasing)
"sorry for any inconvenience but windows wasn't shut down properly... a program
may have caused this... select one of the choices below..."
My choices are Safe Mode, safe mode with command prompt, last known good
configuration, normal boot up. I chose each option and it would reboot the
computer and eventually bring me back to that screen.
Next I dropped in the XP CD and attempted to use the recovery tools. I
attempted the reinstall option but it said that I would lose all information
on the hard drive. Since I'm trying to not have to start over, I passed on
that option at that time. I next tried to use the FIXMBR that everyone was
talking about. It said that it worked and I rebooted; but nothing changed.
I'm now back on the hard drive using 98SE and I can still access the
information but cannot boot from the XP Home hard drive.
Back to reading more.

Thanks,
H
 
Hello -
have you tried a DOS floppy virus check?
Here's one -
http://www.f-prot.com/download/download_fpdos.html
Dave
 
HtheGator--

Do a repair install and you won't lose your data and settings.

This is important. I'm getting you to the process that will *not lose your
information.* Please read Michael Steven's article (I linked in the last
two posts) and then look at the upgrade install:

http://www.michaelstevenstech.com/XPrepairinstall.htm

Read http://www.michaelstevenstech.com/XPrepairinstall.htm#warning2

Also (Same thing):

http://www.dougknox.com/xp/tips/xp_repair_install.htm
A Repair Install will replace the system files with the files on the XP CD
used for the Repair Install. It will leave your applications and settings
intact, but Windows updates will need to be reapplied.

First F2 to the bios screen --and change your boot order, and make sure
that booting from the CD-ROM is ahead of the other two (the A Drive and the
hard drive).

When you see the "Welcome To Setup" screen, you will see the options below

This portion of the Setup program prepares Microsoft
Windows XP to run on your computer:

To setup Windows XP now, press ENTER.

1. Press Enter to start the Windows Setup.
   Do not choose "To repair a Windows XP installation using the Recovery
   Console, press R" (you do NOT want to load Recovery Console). I repeat, do
   not choose "To repair a Windows XP installation using the Recovery Console,
   press R".
2. Accept the License Agreement and Windows will search for existing
   Windows installations.
3. Select the XP installation you want to repair from the list and press
   R to start the repair. If Repair is not one of the options, read
   Warning #2!
4. Setup will copy the necessary files to the hard drive and reboot. Do
   not press any key to boot from CD when the message appears. Setup will
   continue as if it were doing a clean install, but your applications and
   settings will remain intact.
or Press ENTER to set up Windows XP.
On the Windows XP Licensing Agreement screen, press F8 to agree to the
license agreement.
Make sure that your current installation of Windows XP is selected in the
box, and then press R to repair Windows XP.
Follow the instructions that appear on the screen to reinstall Windows XP.
After you repair Windows XP, you may have to reactivate your copy of Windows
XP.
What I'm leading you to do is what MSFT calls a "repair" or "upgrade
install." Michael Stevens's and Doug Knox's links tell you exactly how to
do this and it's very simple. It will not lose your
information at all. You are going to go through the setup including
putting in your product ID as if you were reinstalling Windows, but you are
booting from the CD and then follow the steps Michael shows you. *You will
not get the chance to format your drive or to decide how much space you want
to allot each partition here.* You will be replacing files that you are
missing and you may well repair the MBR. The trouble with the Recovery
Console command that you ran (when I do that I also run bootcfg /repair
and fixboot as well) is that it's not a sure thing, and we don't know if it
fixed your MBR, although it said it did, if your MBR was the problem.

This is your best hope. Another much less desirable method is the parallel
install in the MSKB but this requires you to extract your data.

Good luck--Do the Repair Install--it will in all probability get you back.
It will not lose your data etc. The worst that could happen is that it just
will not go.

Chad Harris

_____________________________________________________________
 
H the Gator--

Here are some screenshots of the repair/upgrade no-format install to give
you context--whether you have Home or Pro it's going to be the same.

http://www.windowsreinstall.com/winxppro/installxpcdrepair/index.htm

Chad Harris
___________________
 
Barry said:
FDISK/MBR will write a new MBR. The partition data table will come from
the old MBR, but not the boot code, so normally you can do it without
screwing up your drive, but it's not guaranteed (some of the viruses will
"mung" the table so that you can only boot properly via the virus).

For that reason (it might make the disk unusable), you should first
try to heal the matter with a good DOS-mode AV run from a DOS boot
floppy.

If you should lose the partition tables after using FDISK /MBR, get the
MBRWORK free program from free downloads at www.bootitng.com to run
from a DOS boot floppy. Use its commands:
1 to back up,
3 then 4 to delete the present entries; there will then be the possibility of
A to search the disk and rebuild the table, and finally
7 to rewrite the MBR code again.
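The "A" step above, searching the disk and rebuilding the table, relies on the filesystems' own boot sectors still being in place, and it is worth seeing what that search actually keys on. The script below is an added example, not MBRWORK's code or anything from this thread: it walks a constructed in-memory disk image sector by sector, recognises NTFS and FAT32 boot sectors by their OEM/filesystem identifiers, a 512-byte BPB and the 0x55AA signature, reads each volume's length out of the BPB, skips over the volume body so the backup boot sector is not counted as a second partition, and packs the result into a fresh 64-byte partition table. The disk layout, volume sizes, boot-sector contents and the type codes used (0x07 for NTFS, 0x0C for FAT32 LBA) are assumptions of the example, not data from the thread.

```python
"""Rebuild a lost MBR partition table by scanning for filesystem boot
sectors, the way MBRWORK's 'A' option searches the disk. Everything here
runs on a constructed in-memory disk image, not a real drive."""
import struct

SECTOR = 512
SIG = b"\x55\xAA"
NTFS, FAT32_LBA = 0x07, 0x0C        # MBR partition type codes (assumed mapping)


def ntfs_boot_sector(total_sectors: int) -> bytes:
    """Minimal NTFS boot sector: jump, OEM ID, the BPB fields we inspect, signature.
    (Real NTFS usually records the partition length minus one here.)"""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<H", s, 11, SECTOR)          # bytes per sector
    s[13], s[21] = 8, 0xF8                         # sectors/cluster, fixed-disk media byte
    struct.pack_into("<Q", s, 40, total_sectors)   # total sectors (64-bit)
    s[510:512] = SIG
    return bytes(s)


def fat32_boot_sector(total_sectors: int) -> bytes:
    """Minimal FAT32 boot sector with the fields the scanner looks at."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x58\x90"
    s[3:11] = b"MSWIN4.1"
    struct.pack_into("<H", s, 11, SECTOR)
    s[13], s[21] = 8, 0xF8
    struct.pack_into("<I", s, 32, total_sectors)   # BPB_TotSec32
    s[82:90] = b"FAT32   "                         # BS_FilSysType
    s[510:512] = SIG
    return bytes(s)


def identify(sector: bytes):
    """(type code, volume length in sectors) if this is a boot sector we know."""
    if len(sector) != SECTOR or sector[510:512] != SIG:
        return None
    if struct.unpack_from("<H", sector, 11)[0] != SECTOR:
        return None                                # not a plausible BPB
    if sector[3:11] == b"NTFS    ":
        return NTFS, struct.unpack_from("<Q", sector, 40)[0]
    if sector[82:90] == b"FAT32   ":
        return FAT32_LBA, struct.unpack_from("<I", sector, 32)[0]
    return None


def scan_for_partitions(disk: bytes, max_entries: int = 4) -> list:
    """Walk the disk from LBA 1; on a hit, jump past the whole volume so its
    backup boot sector (NTFS: last sector, FAT32: sector 6) is not re-found."""
    n, lba, found = len(disk) // SECTOR, 1, []
    while lba < n and len(found) < max_entries:
        hit = identify(disk[lba * SECTOR:(lba + 1) * SECTOR])
        if hit and 0 < hit[1] <= n - lba:          # volume must fit on the disk
            found.append({"type": hit[0], "lba_start": lba, "sectors": hit[1]})
            lba += hit[1]
        else:
            lba += 1
    return found


def make_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xFE\xFF\xFF",
                       ptype, b"\xFE\xFF\xFF", lba_start, sectors)


def rebuild_mbr(boot_code: bytes, parts: list) -> bytes:
    """New MBR: supplied boot code, recovered table (first entry active), signature."""
    table = b"".join(make_entry(i == 0, p["type"], p["lba_start"], p["sectors"])
                     for i, p in enumerate(parts[:4]))
    return boot_code.ljust(446, b"\x00") + table.ljust(64, b"\x00") + SIG


def build_test_disk() -> bytes:
    """Constructed 2 MiB disk: munged MBR (empty table), NTFS at LBA 63 with its
    backup boot sector at the end of the volume, FAT32 at LBA 2112."""
    disk = bytearray(4096 * SECTOR)
    disk[510:512] = SIG                            # MBR survives, table zeroed
    ntfs = ntfs_boot_sector(2000)
    disk[63 * SECTOR:64 * SECTOR] = ntfs
    disk[2062 * SECTOR:2063 * SECTOR] = ntfs       # backup copy: a decoy for naive scans
    disk[2112 * SECTOR:2113 * SECTOR] = fat32_boot_sector(1900)
    return bytes(disk)


if __name__ == "__main__":
    parts = scan_for_partitions(build_test_disk())
    print(parts)
    print(rebuild_mbr(b"", parts)[446:].hex())
```

The skip after each hit is the part that matters in practice: both NTFS and FAT32 keep a copy of their boot sector inside the volume, so a scanner that only looks for signatures without honouring the volume length recovers phantom partitions. Back up sector 0 (the post's step 1) before writing anything, and confirm the rebuilt entries by mounting the volumes read-only before you trust them.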
 
I'm back in action... and that's why I haven't responded in so long!
Initially I misunderstood the whole reinstall thing and when I attempted it
the first time I picked the wrong option saying it was going to wipe it all
out. But then I re-read the article you recommended and it all suddenly made
sense. Once XP was back up I downloaded the new updates for virus scanning
and scanned away. No virus, no worm, no idea what caused it yet. I do have
some Roxio product installed but I thought it was just a CD/DVD burning
program. I'll keep working on it and see what I can find.

Thanks Chad, you really know what you're doing!

Since I have this problem on another hard drive with ME as my O/S, will the
same process of reinstalling work?
 
HtheGator--

I'm glad things are working out. A repair or in-place/upgrade install is a
tool I think well worth reaching for if you have NTFS partitions, which many
boot disks won't read unless they carry specialized tools, and it's a lot more
reliable than just trying to guess which Recovery Console commands might
help you, without getting direct feedback on how far they did unless you
are booting back up.

MSFT's KB that is most direct on this is:

How to perform an in-place upgrade (reinstallation) of Windows XP
http://support.microsoft.com/default.aspx?scid=KB;en-us;q315341

Check and see whatever Roxio program you have and try to stay away from Go
Back which has been bought by Symantec now.

You can do an in-place upgrade in Windows ME--I didn't find a KB directly on
it, but I have done it. It's been a good while and I try to forget ME
like a bad hangover. A couple of things to remember, though, when you have ME.
Here's a reference for you confirming that:

Upgrading from Previous Versions of Windows
http://www.microsoft.com/windowsxp/pro/upgrading/matrix.mspx

http://www.windowsreinstall.com/install/winme/installme/page1.htm

http://www.windowsreinstall.com/install/textonly/upgrademe.htm
http://www.windows-help.net/windowsMe/install2.shtml


For screenshots of an upgrade install on Win ME:

http://www.windowsreinstall.com/indexwinme.htm


1) ME does have System Restore if you can get to it.
2) ME has another interesting restoration tool that can really save you when
it works. It's "scanreg /restore" in your run box, with a space before the
slash.

Also don't forget to back up. I highly recommend Retrospect or Centered
Systems Second Copy because they can easily do differential or incremental
backups, and I think either is well worth having.

http://www.dantz.com/
http://www.centered.com/

You want to steer clear of the Backup Utility that you could install from a
Win XP Home CD or installs on XP Pro because it is awkward and doesn't back
up to media. There is a free one that's better:

My Own Backup 2.1
http://www.pcworld.com/downloads/file_description/0,fid,7023,00.asp


Best,

Chad Harris

_________________________________________________
 
