• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 954
  • Last Modified:

Stealthboot virus on MBR of disk 0

I mistakenly rebooted my Windows XP Pro SP3 system with a floppy diskette in the drive that was infected by a stealth boot virus according to McAfee.  I got a message to install a bootable diskette, but by that time the damage was done.  The system boots fine but I keep getting error messages from McAfee Enterprise 8.51 Antivirus telling me certain files are infected with Stealthboot virus under Name "MBR of Disk 0".  If I check any of those files McAfee tells me they are infected.  But when I took the hard drive out of the system and hooked it up as an external drive using a USB cable setup on another system and rechecked those files with McAfee on that system, it reports they are clean.  Nevertheless, I replaced the suspect files from an known clean system with the same files in the same versions.

My question is how can I remove the stealthboot virus from the master boot record of the  hard drive without loosing all the data on the drive or having to reinstall from scratch?

Can I reinstall the drive back in the system and boot from an Windows 98 bootable floppy then run Fdisk / MBR to rebuild the master boot record and preserve that drive data?

Thanks for your help.
0
StevePimer
Asked:
StevePimer
  • 2
  • 2
1 Solution
 
blissbearCommented:
Boot from the windows XP CD, press the "R" key in the setup in order to start the recovery console. Select your windows XP installation from the list, and enter the administrator password.
Enter the command: "fixmbr" (without the quotes) at the command prompt and confirm the next question with a "Y" (without the quotes). Use exit to restart the computer.
0
 
StevePimerAuthor Commented:
Thank you for the quick response.  Right now I am scanning the entire drive in question hooked up as an external hard drive via USB connection on a known good system.  At this point no issues have surfaced and I am about 90% done the scan.  The scan should end in about 10 minutes.  I assume it will be clean since I think the files that McAfee indicates are infected are false positives created by the possible MBR issue.

As soon as this completes I will follow your instructions and advise you of the outcome.

Just for the record, would my Windows 98 floppy diskette solution have worked also?
0
 
blissbearCommented:
I'm not certain if the XP and 98 mbr bootstrap code are identical or even compatible.  You could give it a shot, but I'd play it safe with the XP bootdisk :)
0
 
StevePimerAuthor Commented:
The full scan of the entire hard drive as an external came up clean.  I reinstalled the drive, started the system with the Windows XP Pro CD and booted to recovery console as you suggested.  I then fan fixmbr.  It advised me that the boot sector was non-standard and attempting to fix it may leave all partitions unaccessible.  I figured I had nothing to loose at that point, expecially since I had a recent Acronis TrueImage backup of the drive and could restore it if necessary, so I proceeded.  It told me that the Master boot record had been rebuilt sucessfully.  I the removed the CD and rebooted and the system came up perfectly.  I then double checked the suspected infected files from the McAfee printout and they all came up clean.

Thank you for all your help.  I have been a computer consultant for 30 plus years and you still learn something new everyday.

Once again, thanks.

Steve
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now