Virus on the MBR? Cannot restore winxp

Hi All,

I am struggling with geting my winxp back to normal. Have a look at a few threads I posted:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_23132660.html
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_23133052.html

The symptoms are very weird:

1) NOD32 and AVG cannot find any viruses (though i am suspecting some MBR virus)
2) running disc scan does not show any disk errors
3) the old installation of winxp cannot start with the message "ntoskrnl.exe missing or corrupt"
4) I tried replacing ntoskrnl.exe by four different ones (from the system recovery and MS updates) - it generates the same error

Finally, I am trying to install winxp to a different folder, but the 1st reboot during installation generates hal.dll is missing.

What is happening here? I can only suspect some MBR virus, but do not know how to find it.

Thank you - please give me some ideas.
A
andy7789Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rpggamergirlCommented:
If it is infact an MBR virus or an MBR rootkit, then running the Recovery Console using the Fixmbr command is sthe only fix for it.

If you haven't got RC installed yet; check out the below link.
How to install and use the Recovery Console:
http://support.microsoft.com/kb/307654
0
andy7789Author Commented:
RC works just fine, but I am not sure if it is a good idea to use FIXMBR before deleting the virus - see what Microsoft says:

Warning This command can damage your partition tables if a virus is present or if a hardware problem exists. If you use this command, you may create inaccessible partitions. We recommend that you run antivirus software before you use this command."

http://support.microsoft.com/kb/314058

I have attached it as the second drive to another PC and trying to use different AV programs to get it. So far, not good - cannot find anything
0
rpggamergirlCommented:
If it's an MBR virus, then very likely that scanners can't detect it.
Most MBR viruses/rootkit does not need a file - code could exists in some sectors of the disk and it cannot be deleted as a usual file.
It already has control before OS starts.
It does not need any registry entry because it is loaded by MBR code  
To hide itself, it only needs to control few sectors of the disk.

AV programs won't be able to detect it, you'll have a slight chance of detecting it using a rootkit scanners (maybe)
Gmer might be able to detect an MBR rootkit if lucky.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

top_rungCommented:
Just curious, did you have some floppy disk in the drive that may have infected you with a bootsector virus or caused such the concern?  That is the most common method of transmission and while others definitely exist, they aren't as common place.   If it was just the NOD scan giving and error on the MBR, then I suspect permission issues also.  I am of the opinion that you can  scan for these viruses with any of the leading AV programs.  They can typically detect and repair these threats.  Both of what you have should also be able to handle it.   Did they every warn you of such a threat at any time?

Sorry to ask, but why haven't you wiped the partition/formatted (using a zerofill util), and gotten on with it?   Seems like a lot of time has been spent hunting it down.    I would slave the drive in an isolated system, and rip off as much data as you can and check it with various tools.  Then put it behind you.




0
scrathcyboyCommented:
try a repair install before you suspect a boot virus.  THe repair install from the CD will check the boot sector and make the right changes for you.  It is something you need to try before more drastic measures.
0
andy7789Author Commented:
Thank you guys! I have checked it as a slave drive with Trend Micro and NOD - nothing serious found. I am checking, if i can install a fresh winxp to a separate dir, if not - the best way would be to use FIXMBR

I hope, it will not corrupt partitions; in fact it should do the same with MBR as repair install.
0
top_rungCommented:
Yes, hopefully fixmbr doesn't make things more difficult for you.  Good luck.  Please post back your results.
0
andy7789Author Commented:
ok, I have run fixmbr and it looks as the partitions are in place. I guess, next I have to rebuild bootcfg, because fixmbr is writing the default installation (I am trying a dual boot).

I tried fresh installation of winxp (the 2nd directory) after running bootcfg and it does not reboot during installation (disk read/write error). I am a bit puzzled, because the disk is perfect, checked and accessed as a slave drive
0
andy7789Author Commented:
rebooting the systyem always returns disk read error.

What else can I do? the partitions are in place and I can access via the recovery disk...

Any ideas would be appreciated (before I give up and buy a new boot drive :))
0
top_rungCommented:
Well, if you are fixing to toss the drive, why not low format the drive and install a single instance to the default location ;)
0
andy7789Author Commented:
Because, the drive has a lot of info, installed programs etc. It would take me a few working days to reinstall everything.

Anyway, after running fixboot + fixmdr, rebooting always returns a disk read error occurred.....
0
nobusCommented:
i would test the disk, to be sure about it's status :   http://www.tacktech.com/display.cfm?ttid=287      
0
andy7789Author Commented:
it passes all tests - no errors. Something is wrong with boot sectors, but i have no more ideas what to try
0
nobusCommented:
if it is a bootsector virus, you need to zero out the whole disk, use the disk test soft i posted, or dban :
http://dban.sourceforge.net/      
0
Shanmuga SundaramDirector of Software EngineeringCommented:
a. Try booting using a recovery disk or cd and then run a virus check and find whether is there any virus in the MBR as you are afraid.  
b. If you had decided and made up your mind to reinstall the OS then backup needed files. Delete the partition and once again create a new partition and install.
Why work in two thoughts. But unless you are sure that you can do it succesfully, dont try. Best of luck.
0
andy7789Author Commented:
Thank you guys for help. Finally, after all attempts to recover MBR with fixboot + fixmdr (which always lead to disk read error), I have decided to get a new bigger hdd and use an old one as a secondary (kind of upgrade anyway). What puzzles me is that that secondary hdd does not show any errors or viruses whatsoever
0
scrathcyboyCommented:
that is prob. because it was not a boot sector virus after all, they are fairly rare.  As I said, a repair install should have solved the problem.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.