Solved

Turning off Virus/MBR change detection

Posted on 1997-06-10
Last Modified: 2013-12-16
Hi All,
I need a way to turn off the virus/MBR change detection that Windows 95 seems to want to do at startup.  I've made a change to the way we do things here and now 'some' of the machines seem to think that the MBR has been changed and Windows 95 says that it may be a virus.  I know that it's not and would like to turn this message off.  So, any ideas would be well appreciated.  Take care,
 DL
0
Question by:dragonlord
10 Comments
 
LVL 14

Expert Comment

by:smeebud
ID: 1748749
How far do you get before the message??
Is it a message? If so, what exactly does it say?
Also, are you running NT or 95, and what is your anti-virus software?
As far as I know running a MBR does not hurt. What about a one-time running to see if the message stops??

let me know if I'm off base.
0
 
LVL 1

Author Comment

by:dragonlord
ID: 1748750
Everything still works.  It's the message that says something to the effect that 'the master boot record has been changed...'  It doesn't happen on all of our machines, so, it's just a pain, not a real problem.  I'd still like to get rid of it.  We aren't running any virus software right now. We're running Windows 95 btw :)
0
 
LVL 2

Expert Comment

by:czamudio
ID: 1748751
Win95 does not have virus protection, check if your config.sys or autoexec.bat has any reference to an antivirus program.
0
 
LVL 14

Expert Comment

by:smeebud
ID: 1748752
If you can catch that message it would be good. MSKB has a list of almost all the error or other messages. I'll see what I can do with that.
See Built-In Anti-Virus Support in Windows 95 at
http://www.microsoft.com/kb/articles/q143/2/81.htm
I think you should go to that address because it will ask you if it answered your question, then give you more options for other avenues to pursue.
In case you can't get through, here is an excerpt:
-------------------------
Recognizing Master Boot Record (MBR) Modifications

Most viruses infect your computer by modifying the MBR and hooking the INT13h chain. This allows
the virus to monitor hard disk access and damage the data on your hard disk. Windows 95 prevents
this type of virus from damaging your data by maintaining a list of the programs that are currently
hooking the INT13h chain. Each time you start your computer, Windows 95 checks to see which
programs are monitoring the INT13h chain, and then compares this list of programs with the list that
it recorded the last time Windows 95 started. If any new programs that Windows 95 does not
recognize have hooked the INT13h chain, the following message is displayed:

WARNING: Your computer may have a virus. The Master Boot Record on your
computer has been modified. Would you like to see more information?


If you click Yes, the Performance tab in System Properties is displayed, which provides more
information and allows you to begin troubleshooting the problem.

This situation is most likely to occur when you start an operating system other than Windows 95
using a bootable floppy disk. If the floppy disk is infected with a virus, the virus will most likely modify
the MBR on the hard disk and hook the INT13h chain. When you remove the floppy disk and start
your computer normally, Windows 95 recognizes that the MBR has been modified and that the
INT13h chain has been hooked by an unknown program. The warning you receive gives you an
opportunity to remove the virus before it can damage your data.

When a virus modifies the MBR, the Performance tab in System properties and the Ios.log file
typically report that a file called Mbrint13.sys is causing drives to be accessed in MS-DOS
Compatibility mode. To access the Performance tab, double-click the System icon in Control Panel,
and then click the Performance tab.
-------------------------
Tell me if this helps. I'm sure there's a way to get around this.
I'm marking this answered; this will lock you to me. If that is not to your liking, feel free to reject.

0
 
LVL 1

Author Comment

by:dragonlord
ID: 1748753
That's pretty much what we're seeing, but, not in all places at all times.  It's very strange.  Thanks for the kb article.
0
 
LVL 14

Expert Comment

by:smeebud
ID: 1748754
Are things different now than they were?
Is it fixed?
0
 
LVL 1

Author Comment

by:dragonlord
ID: 1748755
It doesn't seem to have cropped up in any place except my testing facility.  Very strange. The problem comes from the fact that we're letting Windows 95 blow away a bootware RAM disk (this is the image that we boot our machines from).  If we do it any other way, the a: drive stops working under Windows 95. So, I guess it's a non-problem.  Thanks a lot for everyone's help and answers.
0
 
LVL 14

Accepted Solution

by:
smeebud earned 50 total points
ID: 1748756
Go to:
http://www.microsoft.com/kb/default.asp
At step 1 choose Windows 95.
At step 5 type MBR.
You'll find some enlightening articles.
0
 
LVL 14

Expert Comment

by:smeebud
ID: 1748757
Please let me know what method worked for you.
Thanks.
0
 
LVL 1

Author Comment

by:dragonlord
ID: 1748758
After I noticed this error message in my test lab, I sent
students out to see if it was showing up in our production
labs.  In most cases, it wasn't.  In the few labs where we
did see this problem, all we had to do was ignore the message,
do a shift restart and then use _that_ registry for our clean
version of the registry.  Thanks for everyone's help.  TTFN.
0
