Solved

Stealthboot virus on MBR of disk 0

Posted on 2009-04-04
Last Modified: 2012-05-06
I mistakenly rebooted my Windows XP Pro SP3 system with a floppy diskette in the drive that was infected by a stealth boot virus according to McAfee.  I got a message to install a bootable diskette, but by that time the damage was done.  The system boots fine but I keep getting error messages from McAfee Enterprise 8.51 Antivirus telling me certain files are infected with Stealthboot virus under Name "MBR of Disk 0".  If I check any of those files McAfee tells me they are infected.  But when I took the hard drive out of the system and hooked it up as an external drive using a USB cable setup on another system and rechecked those files with McAfee on that system, it reports they are clean.  Nevertheless, I replaced the suspect files from a known clean system with the same files in the same versions.

My question is how can I remove the stealthboot virus from the master boot record of the hard drive without losing all the data on the drive or having to reinstall from scratch?

Can I reinstall the drive back in the system and boot from a Windows 98 bootable floppy then run Fdisk /MBR to rebuild the master boot record and preserve that drive data?

Thanks for your help.
0
Question by:StevePimer
LVL 4

Expert Comment

by:blissbear
ID: 24069934
Boot from the Windows XP CD, press the "R" key in the setup in order to start the recovery console. Select your Windows XP installation from the list, and enter the administrator password.
Enter the command: "fixmbr" (without the quotes) at the command prompt and confirm the next question with a "Y" (without the quotes). Use exit to restart the computer.
0
 

Author Comment

by:StevePimer
ID: 24069952
Thank you for the quick response.  Right now I am scanning the entire drive in question hooked up as an external hard drive via USB connection on a known good system.  At this point no issues have surfaced and I am about 90% done the scan.  The scan should end in about 10 minutes.  I assume it will be clean since I think the files that McAfee indicates are infected are false positives created by the possible MBR issue.

As soon as this completes I will follow your instructions and advise you of the outcome.

Just for the record, would my Windows 98 floppy diskette solution have worked also?
0
 
LVL 4

Accepted Solution

by:
blissbear earned 2000 total points
ID: 24069984
I'm not certain if the XP and 98 MBR bootstrap code are identical or even compatible.  You could give it a shot, but I'd play it safe with the XP bootdisk :)
0
 

Author Closing Comment

by:StevePimer
ID: 31566691
The full scan of the entire hard drive as an external came up clean.  I reinstalled the drive, started the system with the Windows XP Pro CD and booted to recovery console as you suggested.  I then ran fixmbr.  It advised me that the boot sector was non-standard and attempting to fix it may leave all partitions inaccessible.  I figured I had nothing to lose at that point, especially since I had a recent Acronis TrueImage backup of the drive and could restore it if necessary, so I proceeded.  It told me that the Master boot record had been rebuilt successfully.  I then removed the CD and rebooted and the system came up perfectly.  I then double checked the suspected infected files from the McAfee printout and they all came up clean.

Thank you for all your help.  I have been a computer consultant for 30 plus years and you still learn something new every day.

Once again, thanks.

Steve
0
