Solved

Stealthboot virus on MBR of disk 0

Posted on 2009-04-04
Last Modified: 2012-05-06
I mistakenly rebooted my Windows XP Pro SP3 system with a floppy diskette in the drive that was infected by a stealth boot virus according to McAfee. I got a message to install a bootable diskette, but by that time the damage was done. The system boots fine but I keep getting error messages from McAfee Enterprise 8.51 Antivirus telling me certain files are infected with Stealthboot virus under Name "MBR of Disk 0". If I check any of those files McAfee tells me they are infected. But when I took the hard drive out of the system and hooked it up as an external drive using a USB cable setup on another system and rechecked those files with McAfee on that system, it reports they are clean. Nevertheless, I replaced the suspect files from a known clean system with the same files in the same versions.

My question is how can I remove the stealthboot virus from the master boot record of the hard drive without losing all the data on the drive or having to reinstall from scratch?

Can I reinstall the drive back in the system and boot from a Windows 98 bootable floppy then run Fdisk /MBR to rebuild the master boot record and preserve that drive data?

Thanks for your help.
Question by:StevePimer
 
LVL 4

Expert Comment

by:blissbear
ID: 24069934
Boot from the Windows XP CD, press the "R" key in the setup in order to start the recovery console. Select your Windows XP installation from the list, and enter the administrator password.
Enter the command: "fixmbr" (without the quotes) at the command prompt and confirm the next question with a "Y" (without the quotes). Use exit to restart the computer.
 

Author Comment

by:StevePimer
ID: 24069952
Thank you for the quick response.  Right now I am scanning the entire drive in question hooked up as an external hard drive via USB connection on a known good system.  At this point no issues have surfaced and I am about 90% done the scan.  The scan should end in about 10 minutes.  I assume it will be clean since I think the files that McAfee indicates are infected are false positives created by the possible MBR issue.

As soon as this completes I will follow your instructions and advise you of the outcome.

Just for the record, would my Windows 98 floppy diskette solution have worked also?
 
LVL 4

Accepted Solution

by:
blissbear earned 500 total points
ID: 24069984
I'm not certain if the XP and 98 MBR bootstrap code are identical or even compatible. You could give it a shot, but I'd play it safe with the XP bootdisk :)
 

Author Closing Comment

by:StevePimer
ID: 31566691
The full scan of the entire hard drive as an external came up clean. I reinstalled the drive, started the system with the Windows XP Pro CD and booted to recovery console as you suggested. I then ran fixmbr. It advised me that the boot sector was non-standard and attempting to fix it may leave all partitions inaccessible. I figured I had nothing to lose at that point, especially since I had a recent Acronis TrueImage backup of the drive and could restore it if necessary, so I proceeded. It told me that the Master boot record had been rebuilt successfully. I then removed the CD and rebooted and the system came up perfectly. I then double checked the suspected infected files from the McAfee printout and they all came up clean.

Thank you for all your help. I have been a computer consultant for 30 plus years and you still learn something new every day.

Once again, thanks.

Steve
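
An added example, not part of the original thread: a read-only check over two saved copies of sector 0 (for instance taken from disk images before and after the repair described above) that reports whether the bootstrap code changed and whether the partition table survived. The function names, sample sectors and partition values are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440          # bootstrap code; bytes 440-445 hold the NT disk signature
TABLE_OFF = 446         # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into a boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    entries = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"slot": i, "active": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        "table": sector[TABLE_OFF:TABLE_OFF + 64],
        "entries": entries,
        "signature_ok": sector[510:] == BOOT_SIG,
    }

def compare_mbr(before: bytes, after: bytes) -> dict:
    """Report what differs between two copies of sector 0."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": b["code_sha256"] != a["code_sha256"],
        "partition_table_intact": b["table"] == a["table"],
        "signature_ok": a["signature_ok"],
    }

def make_sector(code_fill: int) -> bytes:
    """Constructed sample: filler boot code plus one active NTFS (0x07) partition at LBA 63."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 156_280_257)
    return bytes([code_fill]) * CODE_LEN + bytes(6) + entry + bytes(48) + BOOT_SIG

SUSPECT = make_sector(0xCC)   # stands in for a dump taken before the repair
REPAIRED = make_sector(0x90)  # stands in for a dump taken after the repair

if __name__ == "__main__":
    print(parse_mbr(SUSPECT)["entries"])
    print(compare_mbr(SUSPECT, REPAIRED))
```

Run it against sector dumps read from an offline image or from the drive attached to a known-clean system, since a stealth boot virus that is resident can return altered data when sector 0 is read on the infected machine.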