Way to prevent Boot Sector being Clobbered in Win XP

I have a customer whose boot sector got overwritten for the second time in two months.   Computer is a Dell Inspiron 530 desktop running XP SP3.  

Is there a way to back up the boot record?  Fixboot and Fixmbr did not work.  
I have the hard drive that wouldn't boot because of the overlay.
Is there a way to figure out what clobbered it?

 If I make her primary id a limited id might that prevent it from happening again?  That’s going on the assumption that it’s some program she’s running that’s doing this and without administrative privileges it couldn’t access that area of the hard drive.
Thanks,
Al
Alan SilvermanOwnerAsked:

JakeCampbellCommented:
Al, I recognize your name and this issue, did the Acronis MBR (Track 0) restore stop working?

Jake
0
Sujith_NairCommented:
Hi there! First of all, you need to ascertain that it was not the deed of some malware/virus. Chances are remote that any legitimate software/application would ever need to access and modify the Master Boot Record (MBR, track 0).

If the MBR was "clobbered" by some malware, then merely restricting the user's access rights may not prevent the malware from repeating the same. As we know, malware/viruses are mostly equipped to get around minor hurdles and restrictions.

The solution hence would be to install some trusted/reputed antivirus/Internet security software (Norton, McAfee, Quick Heal, Kaspersky...) and to keep it updated. Antivirus/Internet security software closely guards these crucial locations (MBR, network ports, etc.). Only software on their white lists is allowed (if ever) to access these crucial locations. They come as a package, hence you can rest assured in peace.

I hope this solves your problem, please provide more details if this was not a malware infection. Good luck.

0
acl-puzzCommented:
Mostly, boot sectors are damaged by malware. If you have a very good Internet security suite which is updated daily, then there is less chance of boot sector damage.

Imaging the client machine that keeps having this problem with Ghost or Acronis, while it is in working condition, is also an alternative.
0
nobusCommented:
How did you diagnose that the boot sector was corrupt? Any error or message?

And here is the complete workout for NTLDR missing:
Boot using the Windows XP installation disk, press R. Then type the following commands:
Note: you can test after each command.

      FIXMBR
      FIXBOOT
      BOOTCFG /rebuild

      cd\
      copy E:\i386\NTLDR
      ATTRIB -arsh ntldr
      copy e:\i386\NTDETECT.COM
      ATTRIB -arsh ntdetect.com

E: should be the location of your CD-ROM drive where the Windows install disk is located.
And check that these files are in the root: NTLDR, boot.ini, ntdetect.com

Contents of the boot.ini file :
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

check this too for more info :  http://tinyempire.com/notes/ntldrismissing.htm#What_if_none_of_the_options_worked?
0

akahanCommented:
This might be of some help:

http://mbrwizard.com/

While it won't "protect" the boot record from being deleted or damaged, it allows you to back up your boot record (prior to clobberdisasters) to another medium, so you can easily restore it if it gets damaged.
0
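For the question of what was clobbered, an added example (not part of the original thread and not taken from any of the tools named in it): a comparison of a saved MBR backup against the current sector 0, reporting which region changed. It assumes both are raw 512-byte dumps; the function names and the sample MBR are constructed for illustration.

```python
import struct

# Byte ranges of each region inside a classic 512-byte MBR (sector 0).
REGIONS = {
    "boot code": (0, 440),
    "disk signature": (440, 446),   # 4-byte NT signature + 2 reserved bytes
    "partition table": (446, 510),
    "boot signature": (510, 512),
}

def parse_partitions(mbr):
    """Return the non-empty entries of the four-slot partition table."""
    if len(mbr) != 512:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    entries = []
    for slot in range(4):
        raw = mbr[446 + 16 * slot:462 + 16 * slot]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if raw[4] != 0:  # partition type 0 means the slot is unused
            entries.append({"slot": slot, "active": raw[0] == 0x80,
                            "type": raw[4], "lba_start": lba_start,
                            "sectors": sectors})
    return entries

def changed_regions(baseline, current):
    """Name the MBR regions whose bytes differ between two dumps."""
    return [name for name, (a, b) in REGIONS.items()
            if baseline[a:b] != current[a:b]]

def health_issues(mbr):
    """List structural problems that would keep the disk from booting."""
    issues = []
    if mbr[510:512] != b"\x55\xaa":
        issues.append("missing 0x55AA boot signature")
    active = [p for p in parse_partitions(mbr) if p["active"]]
    if len(active) != 1:
        issues.append(f"{len(active)} active partitions (expected 1)")
    return issues

def make_sample_mbr(boot_code=b"\xfa" * 440):
    """Constructed sample: one active NTFS partition starting at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 1000000)
    return boot_code + b"\x12\x34\x56\x78\x00\x00" + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    good = make_sample_mbr()
    bad = make_sample_mbr(boot_code=bytes(440))  # boot code zeroed out
    print(changed_regions(good, bad), health_issues(bad))
```

With real data, replace the constructed samples with the bytes read from the backup file and from a dump of the failed drive's first sector. A change confined to the boot code points at something rewriting the loader, while a changed partition table or missing signature points at a wider overwrite.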
Alan SilvermanOwnerAuthor Commented:
Jake,
I spoke too soon and closed that other problem too quickly.  Acronis said that it restored the sector but the symptoms just changed, it didn’t successfully boot.  I finally had my client bring the computer to me.  I restored it from an Acronis full backup and then restored her most recent documents from the original hard drive.

Sujith_Nair and acl-puzz,
This customer is using the full paid for Zone Alarm Suite.  I also put the paid for version of Malwarebytes on her computer.  This customer is very risk averse, if you understand about such customers.  My gut feel is that it wasn’t a virus or malware.

nobus,
The first symptom for this occurrence was a flashing cursor at boot.  I had her do a chkdsk /r then fixmbr that said it was successful, then fixboot, which got an error.  After that it was no luck.        

I’m troubled that restoring the mbr and boot record with Acronis didn’t work.  Akahan, I’ll try mbrwizard and hope it works.

Thanks for all your help,
Al
0
akahanCommented:
You mention that the customer is "risk averse," which makes me wonder if she's running a product called "Goback," (most recently offered by Symantec/Norton, I think)  which is the ultimate product for the risk averse.   While it's (in my opinion) a great product, it does muck with the boot record, and its mucking around can be conflicted with by other products that also insist on messing with the boot records, like Adobe paid-for products which, as part of their registration/copy protection scheme re-write the boot record.  If she is having repeated boot record problems and there's no possibility of a virus per Malwarebytes and other checkers, I'd be looking for a conflict between Adobe products and something else, like Goback, that needs its own modification to the boot record to "stick".

For info on what Adobe does to the boot record, search around for an article called something like, "Hey Adobe, leave my boot record alone".

0
Alan SilvermanOwnerAuthor Commented:
No Goback on the computer. I've seen quite a few problems with the product, including one bug where it kept computers from booting.  It also seems to use lots of resources and it didn't allow Acronis to do  full disk backups, which is my main defense against computer meltdowns.
Thanks again,
Al
0
Sujith_NairCommented:
alanlsilverman,
Well, you have to closely research/find your customer's software use pattern then. If it wasn't a virus, it ought to be some 3rd party software other than the operating system's applications/services for sure. There should be a software that's causing this havoc for sure; maybe it's a trusted s/w, hence not blocked by any security SW.

Moreover, I am not a supporter of the use of ZoneAlarm and Malwarebytes; this software has a very strong track record of false positives and inadequate detection/security! Better go with some trusted old brands like Norton!

It's very hard to digest that one morning the PC's MBR gets corrupted without any external intervention... so it ought to be due to some action by the user; you have to find that and get rid of it to prevent any future pain!
Better take a backup!

Regards,
Sujith
0
akahanCommented:
Absolutely right that Goback is incompatible with Acronis and does hog some resources.  In case you have customers who, nevertheless, want to use Goback, it is fully compatible with Norton Ghost (in that Ghost can do a full, bootable image even with Goback running).

 
0
nobusCommented:
did you try the other 2 commands?
0
Alan SilvermanOwnerAuthor Commented:
nobus, I didn’t do all of the commands when I first began working on the problem. That  was before you commented on my post. I will use them if I ever see this again.

Akahan I’ve downloaded mbrwiz onto her computer and backed up the mbr to her secondary drive.  I hope this never hits again but if it does I’ll have that to try also.

Sujith,
In this case the customer had been using ZoneAlarm suite so I had her continue with it.  I added Malwarebytes because it’s been one of the few things that’s been able to handle recent malware and doesn’t use a great deal of system resources.  

About Norton, I’m curious what the others have to say. I stopped using Norton years ago because it slowed down customer’s systems and for awhile their Internet Security stopped people from accessing the Internet.  Their recent products may be better.  

When I set up computers from scratch I put on Avast free anti-virus, Zone Alarm free firewall, and pay for Malwarebytes.  That’s all I’ll pay for.  I also sometimes use Spybot and Adaware Anti-Malware, but they seem to be resource hogs. I’ve also started making their primary ids limited ids.  

If a customer can pay for it, I always set up secondary drives with two Acronis full drive backups once a week and two document backups, alternating daily.  That’s what this customer has.  I could have just restored a full backup but I didn't want to overwrite recent documents on her hard drive.

Best regards,
Al
0
nobusCommented:
tx for the feedback !
0
akahanCommented:
I wouldn't wish Norton on my worst enemy.  In my experience, it causes more problems than it prevents: slowdowns, and prevents users from doing legitimate things that they need to do.  Nothing hacks users off more than "security" programs that prevent them from getting their work done.

In my experience, Malwarebytes is probably the single best overall malware killer, though it seems to work much better when set up so that the user has to remember to periodically update and scan.  When Malwarebytes is set up to run all the time, protecting the machine on the fly (which only the paid version does), my experience is that it causes crashes, prevents normal shutdown, and is otherwise annoying.
0
Alan SilvermanOwnerAuthor Commented:
akahan,
I wish I knew that about Malwarebytes before I put it on my client's computers.  But it figures.  The free version works and you pay for the buggy one.

After seeing the newest versions of Antivirus 2010, I decided my clients needed a program to prevent malware from getting on in the first place. Spybot resident and the Adaware Anti-Malware seem to do it, but sometimes they suck up so much cpu it’s like they take over the computer.

Now I’m not even sure Malwarebytes prevents malware from getting on.  A customer of mine had the paid version and I also set him up with a limited id.  The other day malware popped up with fake warnings. I don’t know what the customer did or where he surfed.  It also stopped by itself after a day or so.  I have no idea why. I suspect the automatic scan did it.  But it troubles me that with all the protection I put on he still saw it.
I do my best.
Al
0
Sujith_NairCommented:
Hi all! Now here's what happens with the new breed of lesser-known antivirus suites. They are more likely to fail or allow an intrusion. I admit that any antivirus/Internet security suite (AVS) solution is resource hogging, and may even end up restricting legitimate use, but all I can say is these AV suites are necessary evils (at least for common end users)!

Now one needs to understand the working of this software before we tag it as resource hogging/evil and all.

In short, any security software relies on an extensive and frequently updated definition database along with good artificial intelligence (heuristics) to nail new and ever-evolving intelligent malware!

Keeping this fact in mind, Norton / McAfee / Kaspersky are the credible and trusted world players! Norton for that matter was one of the first antivirus products ever for an MS system, before it was bought by Symantec. Symantec still supplies and maintains most of the threat database for different agencies!

The latest editions of these, due to the peer competition, are extremely light on resources!

I know this is a never-ending debate! It is good to debate till we get stumped by a malware!
0