Solved

Stealthboot virus on MBR of disk 0

Posted on 2009-04-04
Last Modified: 2012-05-06
I mistakenly rebooted my Windows XP Pro SP3 system with a floppy diskette in the drive that was infected by a stealth boot virus according to McAfee. I got a message to install a bootable diskette, but by that time the damage was done. The system boots fine but I keep getting error messages from McAfee Enterprise 8.51 Antivirus telling me certain files are infected with Stealthboot virus under Name "MBR of Disk 0". If I check any of those files McAfee tells me they are infected. But when I took the hard drive out of the system and hooked it up as an external drive using a USB cable setup on another system and rechecked those files with McAfee on that system, it reports they are clean. Nevertheless, I replaced the suspect files from a known clean system with the same files in the same versions.

My question is how can I remove the stealthboot virus from the master boot record of the hard drive without losing all the data on the drive or having to reinstall from scratch?

Can I reinstall the drive back in the system and boot from a Windows 98 bootable floppy then run Fdisk /MBR to rebuild the master boot record and preserve that drive data?

Thanks for your help.
0
Question by:StevePimer
4 Comments
 
LVL 4

Expert Comment

by:blissbear
ID: 24069934
Boot from the Windows XP CD, press the "R" key in the setup in order to start the recovery console. Select your Windows XP installation from the list, and enter the administrator password.
Enter the command: "fixmbr" (without the quotes) at the command prompt and confirm the next question with a "Y" (without the quotes). Use exit to restart the computer.
0
 

Author Comment

by:StevePimer
ID: 24069952
Thank you for the quick response.  Right now I am scanning the entire drive in question hooked up as an external hard drive via USB connection on a known good system.  At this point no issues have surfaced and I am about 90% done the scan.  The scan should end in about 10 minutes.  I assume it will be clean since I think the files that McAfee indicates are infected are false positives created by the possible MBR issue.

As soon as this completes I will follow your instructions and advise you of the outcome.

Just for the record, would my Windows 98 floppy diskette solution have worked also?
0
 
LVL 4

Accepted Solution

by:
blissbear earned 500 total points
ID: 24069984
I'm not certain if the XP and 98 MBR bootstrap code are identical or even compatible. You could give it a shot, but I'd play it safe with the XP bootdisk :)
0
 

Author Closing Comment

by:StevePimer
ID: 31566691
The full scan of the entire hard drive as an external came up clean. I reinstalled the drive, started the system with the Windows XP Pro CD and booted to recovery console as you suggested. I then ran fixmbr. It advised me that the boot sector was non-standard and attempting to fix it may leave all partitions inaccessible. I figured I had nothing to lose at that point, especially since I had a recent Acronis TrueImage backup of the drive and could restore it if necessary, so I proceeded. It told me that the Master boot record had been rebuilt successfully. I then removed the CD and rebooted and the system came up perfectly. I then double checked the suspected infected files from the McAfee printout and they all came up clean.

Thank you for all your help. I have been a computer consultant for 30 plus years and you still learn something new every day.

Once again, thanks.

Steve
0
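An added example, not part of any post in this thread: one way to check what an MBR repair such as the one described above actually changed is to save sector 0 of the disk before and after, then compare the bootstrap code region and the partition table separately. The offsets are the standard MBR layout; the two sector images are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import struct

SECTOR = 512
CODE_END = 440          # bootstrap code: bytes 0..439
TABLE_OFF = 446         # four 16-byte partition entries: bytes 446..509
SIG_OFF = 510           # boot signature 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR sector into its regions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0x00 marks an unused slot
            parts.append({"slot": i, "active": status == 0x80,
                          "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
        "disk_signature": sector[CODE_END:CODE_END + 4].hex(),
        "table": sector[TABLE_OFF:SIG_OFF],
        "partitions": parts,
        "signature_ok": sector[SIG_OFF:] == b"\x55\xaa",
    }

def diff_mbr(before: bytes, after: bytes) -> dict:
    """Report which MBR regions differ between two captures of sector 0."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {"code_changed": a["code_sha256"] != b["code_sha256"],
            "table_changed": a["table"] != b["table"]}

def make_sample(code_byte: int) -> bytes:
    """Constructed sample: filler boot code plus one active NTFS partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 156296322)
    body = bytes([code_byte]) * CODE_END + b"\x00" * 6 + entry + b"\x00" * 48
    return body + b"\x55\xaa"

if __name__ == "__main__":
    suspect, repaired = make_sample(0xCC), make_sample(0x90)
    print(parse_mbr(suspect)["partitions"])
    print(diff_mbr(suspect, repaired))
```

If `table_changed` is false after the repair, the partition layout recorded in the MBR is the same as before and only the boot code was replaced.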
