Question asked by SnaxNZ:
Removal of Boot Sector Virus from Win XP Pro (SP2)

Hi all,

My WinXP Pro SP2 installation has become infected with a boot sector virus during the data transfer from another infected drive (unknown to me) to my external USB drive.

What is the best way to repair the MBR?
Is there a tool and/or bootdisks to download or should I use my WinXP Pro CD and work through certain steps?

Note: I have tried booting to the recovery console and typing FIXMBR at the C:\ prompt to no avail. Is there a certain directory I should run it in (perhaps I'll try the C:\Windows directory next) or maybe another command to try?

In the recovery console (at least I think that it's the Recovery Console aka DOS prompt?) I can see all of my folders and browse okay, so repairing the MBR is a much more attractive option than trying a backup onto another computer and risking infecting that one too.

On another uninfected computer (WinXP) I installed NAV2004 in the hope of creating rescue boot disks to repair the MBR, although it looks as though I need a Win9x installation to create the disks from. I'm not even sure that I can successfully boot my WinXP box from rescue disks created on a Win9x box anyway - Symantec's site is a little vague.

Thanks in advance.

Cheers,
Snax
alimu:
I think it's c:\windows you need to be in.
Have you run a floppy disk based virus scan to clean the master boot record?  (i.e. to let you do the scan before the machine boots into windows).  If not you should do this first.
SnaxNZ (asker):
Hi Alimu, thanks for the quick response.

I struggled to find a floppy based scanner to clean the MBR, but attempted a scan from the NAV2004 CD and it returned that no viruses were found in the MBR.

Since then I have booted into the XP recovery console, typed "map" to get my primary drive and then typed FIXMBR \Device\Harddisk0\Partition1. Note: Beforehand I wanted to look up the warning message and from this site, http://www.jsiinc.com/SUBF/TIP2800/rh2839.htm, it looked fine to go ahead - so I did.

It appeared to work just fine but now the drive still doesn't boot and my C:\Windows directory is no longer listed in the recovery console to be selected!! When I type DIR at the C:\ prompt I get "An error occurred during directory enumeration".

Sounds really good to me!!

What are my options now? Note: I now really only want the information off it for starters.
Can the drive be installed as a slave in another computer (with Virus Protection) and the information still retrieved? Would it be best to connect it to an external drive and connect it to another PC via USB?

Thanks in advance. If I had more points to offer I would.

Cheers,
Snax
alimu:
Don't know if using it as a slave will work if the MBR is still sick but worth giving it a go.
External vs internal disk will make no difference that I know of - if the disk is being accessed by the connected system the risk is the same. Internal would let you get the data off quicker.

If slaving it doesn't work,

Take a look at SirBounty's first post in http:Q_20991336.html (the rest's about HDD controller issues so probably doesn't apply) regarding FIXBOOT

also try from recovery console:
CHKDSK /R

If none of these have worked you might need to look at some professional data recovery utilities (but we'll see how you go first).
oops forgot to say - try running the recovery console by booting from your xp cd and use utilities from there.
would also recommend getting this question shifted to the windows xp area - you might get more ideas on a fix there.  
Post 0 point question linking to this one at https://www.experts-exchange.com/Community_Support/ to ask for the shift.
SnaxNZ (asker):
Thanks Alimu,

I have submitted that request.

I'm a little worried to try any additional commands in the recovery console as FIXMBR (which was recommended on another question/comment) seemed to make things worse, as since running FIXMBR I can no longer see the 1: C:\Windows option or view my files and folders via the recovery console. Comments?

Could CHKDSK /R and/or BOOTCFG /Rebuild cause further complications that cannot be undone too?

Also, I am a little confused as to what the MBR actually is. I initially thought it was a portion of the hard disk that stored boot and partition information, although I tried installing WinXP on a brand new hard disk drive on the same system and after creating the partition, copying the system files etc. it couldn't detect that new drive either. Is it a combination of the disk and motherboard?

BTW, my system specs are WinXPP (SP2), ASUS A7V333 Mobo, 2x WD400 HDDs, 2x Kingmax 256MB 2700DDR and 1x Kingston 512MB 3200(?) DDR, a couple of ASUS Optical drives, a Triplex Ti4200 Video, 2x McChickens and a Chocolate Sundae.

Recently, I tried connecting the original problem Hard Disk to an external USB case and connected that to an entirely different PC with WinXP installed. The drive comes up under My Computer (as a Local Disk, not a Removable Disk) although it says "The disk is not currently formatted" (obviously I clicked NO). Here I was hoping that I could browse my files/folders and at least back them all up to a working computer (which I am typing on right now)... no such luck.

I appreciate your comments and suggestions alimu, and look forward to further replies from you and others.

Thanks again,
Snax
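For the question above about what the MBR actually is: it is the first 512-byte sector of the disk, holding 446 bytes of boot code, a 64-byte table of four 16-byte partition entries, and the two-byte 0x55AA signature. The following is an added example, not code from this thread or from any Windows tool. It parses that layout, runs the consistency checks a practitioner would want (signature present, valid status bytes, at most one active partition, no overlapping partitions), and shows which bytes a FIXMBR-style repair replaces. The sample sector is constructed, and the function names (parse_mbr, rewrite_boot_code, build_sample_mbr) are mine.

```python
"""Added example (not from this thread): the on-disk layout of an MBR and what a
FIXMBR-style repair touches. The sample sector below is constructed; the
function names are mine, not Windows or Recovery Console APIs."""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot loader code (what boot-sector viruses replace)
TABLE_OFFSET = 446         # bytes 446..509: four 16-byte partition entries
ENTRY_LEN = 16
SIGNATURE_OFFSET = 510     # bytes 510..511: 0x55 0xAA boot signature
ENTRY_FMT = "<BBHBBHII"    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sectors


def parse_partition_entry(raw):
    """Decode one 16-byte partition table entry into a dict."""
    status, _, _, ptype, _, _, lba_start, sectors = struct.unpack(ENTRY_FMT, raw)
    return {"status": status, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Parse a 512-byte MBR and return its entries plus any consistency problems found."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    problems = []
    if sector[SIGNATURE_OFFSET:] != b"\x55\xAA":
        problems.append("missing 0x55AA signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_LEN
        e = parse_partition_entry(sector[off:off + ENTRY_LEN])
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{e['status']:02x}")
        if e["type"] == 0 and e["sectors"] != 0:
            problems.append(f"entry {i}: empty type but non-zero size")
        entries.append(e)
    used = [e for e in entries if e["type"] != 0]
    if sum(e["bootable"] for e in used) > 1:
        problems.append("more than one active partition")
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    for (a_start, a_end), (b_start, _) in zip(spans, spans[1:]):
        if b_start < a_end:
            problems.append(f"partitions overlap at LBA {b_start}")
    return {"boot_code": sector[:BOOT_CODE_LEN], "entries": entries, "problems": problems}


def rewrite_boot_code(sector, new_code):
    """What a FIXMBR-style repair does: replace only bytes 0..445 and keep the
    partition table and signature exactly as they were."""
    if len(new_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in 446 bytes")
    return new_code.ljust(BOOT_CODE_LEN, b"\x00") + sector[BOOT_CODE_LEN:]


def build_sample_mbr(boot_code, parts):
    """Assemble a constructed MBR from boot code bytes and up to four partition dicts."""
    if len(boot_code) > BOOT_CODE_LEN or len(parts) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b""
    for p in parts:
        status = 0x80 if p.get("bootable") else 0x00
        # CHS fields are left zero here; the LBA fields are what the checks use.
        table += struct.pack(ENTRY_FMT, status, 0, 0, p["type"], 0, 0,
                             p["lba_start"], p["sectors"])
    table += b"\x00" * (ENTRY_LEN * (4 - len(parts)))
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + b"\x55\xAA"


if __name__ == "__main__":
    # Constructed sample: one active NTFS (type 0x07) partition starting at LBA 63.
    # The "boot code" is a placeholder string standing in for real or infected code.
    disk = build_sample_mbr(b"<placeholder: infected boot code>",
                            [{"bootable": True, "type": 0x07, "lba_start": 63, "sectors": 78156162}])
    before = parse_mbr(disk)
    fixed = rewrite_boot_code(disk, b"<placeholder: clean boot code>")
    after = parse_mbr(fixed)
    print("problems before repair:", before["problems"])
    print("partition table unchanged by repair:", after["entries"] == before["entries"])
```

The point of rewrite_boot_code is the caveat: a repair of the MBR code area leaves the partition table alone, so a clean parse of this sector says nothing about the NTFS boot sector at the start of the partition or the file system behind it. Those are the layers FIXBOOT and CHKDSK work on, and a disk can have a perfectly consistent MBR while Windows still reports the volume as unformatted.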
SnaxNZ (asker):
Hello again,

I have my original Master aside until I am able to fix the MBR, or recover the data somehow - any recommendations on recovery proggies? Note: There was one I used a while back that worked a treat on an old Bigfoot drive filled to the brim which wasn't reading as a slave under Windows. I can't remember what the program was called but you could download a trial that would at least show you what could be recovered, then for US$70 (I think) the product would be fully functional for one year, or maybe 6 months.

Right now I am trying to at least get my computer up and running with the brand new HDD I mentioned above. The new HDD still isn't detected at POST, even after successfully updating the BIOS to A7V333 BIOS 1017 (ASUS). I can boot from the WinXP Pro CD and initiate the installation, partitions are formatted and setup files are copied, but after the restart when the Graphical setup should begin the drive still isn't detected at POST, so it boots from CD again and kicks into the setup once more.

Would clearing the CMOS help at all? The original drive I was trying to back up had exactly the same problem, with its primary drive not being detected and a message to "Insert System Disk" being displayed. It seems that during my original backup (before _my_ Primary disk developed the same problem) from the trouble drive to my external USB, a virus, or other, was run. I have no idea how because the folders I was copying across were distinctive names in the C:\ (root) such as "Bobs Docs" and "Music", and I was bypassing my primary disk entirely AFAIK. Whatever it was seems to have targeted my Primary IDE controller (guess?), as the Optical Drives on the Secondary channel, FDD, RAM, etc. are picked up no probs at POST. I haven't yet tried connecting the brand new HDD to the Secondary IDE to see if it is detected. I don't really think that it would help matters at all.

Thanks again, all suggestions are greatly appreciated.
alimu:
The chkdsk will scan your hard disk and check for corruption. The /r switch locates bad sectors and recovers readable information (it will probably take a while to run).
bootcfg /rebuild will search your disk for operating systems and tell you where they are.  See http://support.microsoft.com/default.aspx?scid=kb;en-us;307061&Product=winxp for further information.

new disk: check your jumper pins are set correctly and the disk isn't setup as a slave.  Can you hear hard drive spin up when you boot? Are cables seated correctly?

cmos? don't know if clearing it will help or trigger other issues.  What virus did you have?
SnaxNZ (asker):
Well, this seems to be turning into more like "Snax's Troubleshooting Diary" than a Q 'n A page!

Finally some good news:
I resolved the "new" HDD problem, jumpers were set to "Master with Slave Present" instead of "Master or Single Drive" - n00blar mistake I know. I currently have WinXP Pro installing on that drive, and once all Win Updates (except SP2) and NAV with all updates are installed I'll look at connecting my original Slave to that ribbon (alter the jumpers accordingly of course) and see if it boots seeing both drives - fingers crossed that this is the problem. If it doesn't then something is wrong with the second IDE connector on that ribbon, which would explain why no drives were being detected at POST as the original Master would've still been set to "Master with Slave Present". If it does boot then something might be wrong with the third drive and/or connector that I was originally trying to backup. I am hoping that this isn't the case as there is still plenty of data to be transferred.

Still, I will need to get the MBR on my original Master either working, or will need a good data recovery tool to restore the data. Suggestions/recommendations please?

TIA,
Snax
SnaxNZ (asker):
Alimu,

Thanks again! You are right about the jumpers as mentioned above - although fortunately (for my sake) I worked that one out.

When I scanned the original drive using a NAV 2004 CD it came up with no virii in the MBR, so I was a little premature with the title of this Question and have no doubt led you astray somewhat. My reason for thinking it was a virus was because half-way through the data transfer I got errors, and after a restart my computer behaved the same way as the other re bootup and POST problems. As you can tell, I haven't experienced anything like this and thought the symptoms looked virus-like, when it may have been as simple as the ribbon connector failing, or that of the third drive I was backing up.

Note: I'm tempted to hit that "Accept" button on your response above now, although I don't have enough points to start a new Question with my resulting problem from all of this troubleshooting!

Cheers
SnaxNZ (asker):
Alimu,

Is there any chance of chkdsk and bootcfg getting me into further problems such as data loss? Should I use a data recovery tool first or should I be able to confidently run those commands at the recovery console?

Thanks again.
alimu:
It's a long shot but anything's possible so I can't give you a guarantee it'll be fine. If you have a data recovery tool it may be best to try it first. If it doesn't work, run the chkdsk command and then try again.

Chkdsk looks for bad sectors and tries to move data out of any it finds... it's intended to make a corrupted disk readable and attempt to recover data that was in previously "unreadable" locations.

bootcfg just looks for operating systems to setup a corrupted boot.ini file (descriptions of what disk, volume, partition contains your operating system).    
If you can get the disk visible in the new version of xp, you may need to reset ownership and security on the drive to access data.  See http:Q_20540307.html 

What's the status - is the sick drive spinning up, detected by bios, showing up in windows at all?
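What bootcfg /rebuild reconstructs is boot.ini. As an added illustration (not taken from this thread), this is what a typical single-installation boot.ini looks like for XP Pro installed on the first partition of the first disk; the timeout value and description string are assumptions:

```ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
```

In the ARC path, rdisk() is the zero-based physical disk number and partition() is the one-based partition number on that disk. That numbering is why a disk that boots fine as the sole master can fail to boot when jumpered and cabled into a different position: the entry still points at rdisk(0), and bootcfg /rebuild exists to regenerate the entry from whatever it actually finds on the attached disks.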
SnaxNZ (asker):
When I type chkdsk or chkdsk /r at the recovery console it returns "The volume appears to contain one or more unrecoverable problems."

Bootcfg /rebuild fails due to a "corrupt file system", and suggests to run chkdsk to resolve.

I'm thinking that it would be a different story if I had never run fixmbr.

What else should I try? If a data recovery tool is needed what would you recommend?

Thanks for your time.
SnaxNZ (asker):
... oh, and before I ran chkdsk and bootcfg I only enabled the CD-RW drive under boot/startup options to force the computer to boot from the XP Pro CD.

Would it make any difference re-adding the HDD to that boot order? I'm guessing not, as the HDD is now being detected fine at POST, so the recovery console should be seeing it too.
alimu:
No, it won't make any difference as long as the HDD is showing up in BIOS/POST.
Putting the CD drive first just forces it to boot off CD instead of HD/other device.
ASKER CERTIFIED SOLUTION by alimu (the accepted solution text is only available to members and is not included here):
is the dodgy drive currently mounted as a secondary (i.e. in the pc that you've just installed xp on)?
you could try starting up windows and running scandisk from there...
SnaxNZ (asker):
Nah, I've got the drive sitting aside at the moment, so currently there is only a brand new WD40GB single HDD on the Primary IDE. Secondary IDE has 1x ASUS CD-RW and 1x ASUS DVD+/-RW.

I think that you're right on the money with OnTrack - that rings a bell big time. I'm just working through the Windows and NAV Updates now, then I'll get OnTrack EasyRecovery DataRecovery Trial installed and then connect the dodgy drive as a slave.

I am a bit worried running ScanDisk in case it makes otherwise readable data unreadable. I have run into that problem in the past, although then it was DOS ScanDisk on a Win98 PC, so perhaps XP's is more reliable.

It's a shame you're in the US and not in NZ (AFAIK from the time of your posts) because the least I could do would be to buy you a beer or two for all this time and help you've given me.

The best I can do from down here is use up the remainder of my available points for you. ;P

Cheers,
Snax
alimu:
I'm in Brisbane actually - was in Queenstown about 3 weeks ago displaying my skiing prowess (or complete lack thereof) - a couple of Speights wouldn't go astray :)  (can't say I deserve them though since I didn't really solve your problem for you).

There's another command called fixboot that has been suggested here and there but I haven't been able to find anything that categorically states it won't make your data inaccessible to the average Joe.

At a guess I'd say your hard drive's on its way out. You can confirm by grabbing the hard disk diagnostic tool from the hardware vendor; they're usually available on the internet. All I can suggest is that if by some miracle you manage to get the files viewable, get them off the drive as fast as possible.
oops - just realised I mentioned fixboot ages ago (it's been a long question - sorry) - SirBounty's posts are usually pretty spot on though.
SnaxNZ (asker):
Brisie eh?

How's the weather treating you? It's pretty muggy here in Auckland ATM but probably several degrees cooler. Yeah I'm a big Speights fan myself, worked my way through a few doz last weekend (long weekend in NZ) so I'm going to take it easy this weekend... probably working through this a little more, and bringing back the backups that I do have.

I'm hopeful that the HDD isn't on its way out. It was fully readable in the recovery console before the FIXMBR command, when I could actually select 1: C:\Windows and run a few DOS commands to change directory and view contents of each. As soon as I ran "FIXMBR \Device\Harddisk0\Partition1" that functionality ceased.

The EasyRecovery download is around 67% complete (@ 256Kbps) so you'll hear from me again shortly.
alimu:
Hot, muggy, stuck in a building while it's perfect weather for outdoors (thankfully it's Friday).

If the drive's OK, you could also try repairing/reinstalling XP. I doubt it'd work though unless running FIXMBR followed by FIXBOOT lets you see your file system.
More on Repairing XP: http:Q_21014636.html#11240778
More recovery tools: http:Q_20649105.html#8729544

Let me know how you get on.
SnaxNZ (asker):
Hey Alimu,

I'm transferring the recovered data as I type! The version of EasyRecovery (Standard) that I needed ended up costing US$199, which is small in the scheme of things, as I'm currently copying 16GB+ across. If the recovery proggie had returned negative with the trial I'm sure I would have been willing to pay much more than that for it to work.

Cheers for all your help along the way and especially pointing me in the direction of EasyRecovery, I appreciate it.

See you 'round!
alimu:
Yay!!!! If that data's important it's worth every penny.
Have a good (computer free) weekend!