• Status: Solved

Hard Drive & Virus

Gee, I barely can believe this, tell me it is not true.

Is it possible that a virus produces the same problem on two computers on a network, or is it just a coincidence and it is not a virus but just bad luck that the C drive is damaged and has to be replaced?

In Device Manager:

The CD-ROM is not shown
The hard drive is not shown
Primary and Secondary IDE Controller have an exclamation mark.

On the first PC, changing only the hard drive fixed everything; now I have a second PC with the same problem.
BUT the CD-ROM and hard drive are all recognized in the BIOS.

What produces this problem?

If it is a virus (and I've tried detecting with a virus program on some other machines but not all, with no negative result) can it reproduce itself on my other machines within the network or even outside my network via my friends?

1 Solution
It sure seems unlikely that two DIFFERENT machines would experience the SAME problem at the SAME time due to hardware failure.  The odds are just way against that.

It sure could be a virus that attacks your IDE controller driver or BIOS settings.

I think it unlikely that it could have caused any sort of permanent damage.

Kyle Schroeder (Endpoint Engineer) commented:
This can happen if you have a virus that infects the MBR, but probably not the case since you did a virus scan (you did do it from a bootable floppy disk, right?  Some virii can't be detected from Windows).

In Safe Mode, click Start, choose Run, then type regedit and press Enter.
Browse to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\IOS
In the right pane, there may be a line that says "NOIDE".  Select this value (right click) and delete it.
Restart and see if it works.
If not, boot to Safe Mode and see if you can remove all devices under "Hard Drive Controllers".  Try removing the "PCI IDE Controller (dual FIFO)" or whatever it shows there first, then the "Primary/Secondary IDE Channels" after that.  If that doesn't work, or you get errors that you can't remove the parent controller, you will need to remove the Primary/Secondary IDE controllers manually through the Registry in Safe Mode to fix this.

Now close RegEdit and restart.  If the controllers still show (!), then we'll need to go back to RegEdit
and make some more changes (in Safe Mode again).  Browse to HKEY_Local_Machine\ENUM\PCI.  Now you will
need to look through the various keys under this until you find (in the right side pane) one that includes
"PCI IDE".  There will actually be a couple of these; you'll want to delete the parent folder (the one
directly beneath the PCI folder in the tree-view on the left).  Each subfolder will correspond to the
Primary and Secondary IDE Controllers that you see in Device Manager.

Once those are cleared, reboot and it should redetect the new IDE controller drivers just fine.  Most
likely, removing the NOIDE entry will fix this though, as this generally happens on Win95 -> Win98 upgrades.

RogerRabbit (Author) commented:
Well Dogztar I've tried everything and I still have the same problem. I also need to tell you that on the first machine that had this problem, I tried reformatting and it still had the same problem after.

What should I do, Pls help !

RogerRabbit (Author) commented:
Also I forgot to say that at a certain point when I booted up in safe mode I got a Microsoft Windows message saying that my master boot record could have a virus.


What do I do now ?
Are both of the PCs the same age and make?  It could be that you have a batch of faulty IDE controllers.  If you have installed a new hard drive and tried to format it and it fails I would say that it is not a virus.

How old are the PCs and what make?

Have you had a look on the web site of the company that makes the motherboards? Also, have you tried calling their technical support?  It does sound like a hardware fault.

Kyle Schroeder (Endpoint Engineer) commented:
Boot from a known clean boot disk, then run FDISK and remove all partitions.  Close FDISK, (ESC), shut down, then reboot to the disk again, run FDISK again and recreate your partition(s).  Then close FDISK and run FDISK /MBR from a command line prompt.  Then shut down and reinstall Windows again.

Kyle Schroeder (Endpoint Engineer) commented:
Or actually, before you remove partitions, etc, just run the FDISK /MBR command from a clean boot disk, if you still get the error then the virus is still in there (somehow..this is highly unlikely) and then proceed with the above suggestion of wiping out all partitions.  If that STILL doesn't do it (somehow) then find out the vendor of the hard drive (IBM, Maxtor, Seagate, etc) and get their utility that will wipe the drive.  I think IBM's utility may work on any drive make, go to www.storage.ibm.com and look for the DFT (Drive Fitness Test).

Kyle Schroeder (Endpoint Engineer) commented:
From Microsoft KB article:
Built-In Anti-Virus Support in Windows 95 [Q143281]

Recognizing Master Boot Record (MBR) Modifications
Most viruses infect your computer by modifying the MBR and hooking the INT13h
chain. This allows the virus to monitor hard disk access and damage the data on
your hard disk. Windows 95 prevents this type of virus from damaging your data
by maintaining a list of the programs that are currently hooking the INT13h
chain. Each time you start your computer, Windows 95 checks to see which
programs are monitoring the INT13h chain, and then compares this list of
programs with the list that it recorded the last time Windows 95 started. If any
new programs that Windows 95 does not recognize have hooked the INT13h chain,
the following message is displayed:
   WARNING: Your computer may have a virus. The Master Boot Record on your
  computer has been modified. Would you like to see more information?
If you click Yes, the Performance tab in System Properties is displayed, which
provides more information and allows you to begin troubleshooting the problem.
This situation is most likely to occur when you start an operating system other
than Windows 95 using a bootable floppy disk. If the floppy disk is infected
with a virus, the virus will most likely modify the MBR on the hard disk and
hook the INT13h chain. When you remove the floppy disk and start your computer
normally, Windows 95 recognizes that the MBR has been modified and that the
INT13h chain has been hooked by an unknown program. The warning you receive
gives you an opportunity to remove the virus before it can damage your data.
When a virus modifies the MBR, the Performance tab in System properties and the
Ios.log file typically report that a file called Mbrint13.sys is causing drives
to be accessed in MS-DOS Compatibility mode. To access the Performance tab,
double-click the System icon in Control Panel, and then click the Performance

Identifying Unknown Device Drivers
Windows 95 maintains a list of all the real-mode device drivers that it can
safely replace with its own protected-mode drivers. If you add a new device
driver that hooks the INT13h or INT21h chain, and the driver is not on the list
of drivers that can safely be replaced, Windows 95 is forced to access drives
using MS-DOS Compatibility mode instead of protected mode. When this occurs, the
following message is displayed:
   A new MS-DOS resident program named '<filename>' may decrease your
  system performance. Would you like to see more information about this
where <filename> is the name of the new device driver. If you click Yes,
the Performance tab in System Properties is displayed, which typically
identifies the driver that is causing the problem and shows you how to remove
the driver from your computer.
This feature allows Windows 95 to identify those viruses that propagate from a
device driver instead of modifying the MBR. By identifying device drivers that
it does not recognize, Windows 95 gives you an opportunity to investigate the
situation and remove any viruses before they can damage your data.
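
The KB text above describes detection by comparison against a recorded baseline. The following is an added example, not code from this thread or from Microsoft: it applies the same baseline idea to a raw 512-byte MBR sector instead of the INT13h chain, hashing the boot-code area, parsing the four partition entries and reporting which part changed. The function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446        # bytes 0..445: boot code area; partition table follows
SIGNATURE = b"\x55\xaa"    # required at offsets 510-511

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR sector into a boot-code hash and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        start = BOOT_CODE_END + 16 * i
        entry = sector[start:start + 16]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": parts,
    }

def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return findings describing how `current` differs from the saved baseline."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not new["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code changed since baseline")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table changed since baseline")
    return findings

def make_sample(boot_fill: int) -> bytes:
    """Constructed sample sector: filler boot code, one active type-0x0B partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x0B,
                        b"\xfe\xff\xff", 63, 8_000_000)
    return bytes([boot_fill]) * BOOT_CODE_END + entry + bytes(48) + SIGNATURE
```

A boot-code change on its own is also what a deliberate FDISK /MBR produces, since that command rewrites the boot code and leaves the partition table in place, so record a fresh baseline after an intentional repair.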

RogerRabbit (Author) commented:
Ok let me try this but before I get to the option where I remove the partition, will it delete files?

RogerRabbit (Author) commented:
Also one PC is a clone and the other is an IBM Pentium 400, the last is the one I'm having problems with.

Kyle Schroeder (Endpoint Engineer) commented:
Well, if you already reformatted it then I don't suppose there are any files anyway.  Try the FDISK /MBR first, that won't hurt your current Windows install.  Also the brand of PC doesn't matter (IBM or clone), virii aren't quite so choosy.

RogerRabbit (Author) commented:
Well no, the drive that was replaced is on the clone and that fixed everything, now we're talking IBM, so this drive has not been reformatted guys.

I've tried the Fdisk/mbr and the Drive Fitness test and nothing came up as unusual, also tried the extended test & everything is ok.

I really appreciate your help guys, I really do.

Kyle Schroeder (Endpoint Engineer) commented:
Did you run the fdisk /mbr from a Windows boot disk that was made on a separate machine?  If you made the disk on the infected machine, it probably has a virus as well (on the floppy).

Have you tried the other registry edits I posted above to remove the IDE controller?

RogerRabbit (Author) commented:
I had this boot disk for close to a year and it was made from the IBM machine but I also originally used it on the clone machine when I had troubles with it and yes I've tried all of the registry edits.

RogerRabbit (Author) commented:
Well Dogztar, what I did was, I made a new Boot disk, we tried the fdisk/mbr, then went into safe mode, went back into the registry and deleted all you said and EVERYTHING is back up and running perfectly.

Thank you so much for your help guys !

Kyle Schroeder (Endpoint Engineer) commented:
Hmm...then I'd say you need to dump and recreate the partitions and format, then reinstall Windows....maybe someone else has another idea.

Kyle Schroeder (Endpoint Engineer) commented:
Oops, I didn't see that 2nd update from this morning.  Glad it's working for you now!

Question has a verified solution.
