kwburress


possible MBR corruption, but now i no longer get MBR error after trying fixmbr/fixboot

i guess we need to first get all the questions out of the way. this is a friends pc, i dont know a whole lot about its history. its an XP home OS. they complained they could no longer get on the internet, from all the spyware infections that it had. sounded like it disabled IE and probably had a few autostarts, disabled task manager. it may, or may not have been intentional, but it would not boot into safe mode, it would hang on the screen where it spams all the .sys and .dll files safe mode loads.... was hanging after mup.sys i believe.  

well that finally stopped, and it started giving a corrupt MBR message type error, and said "insert floppy disk to boot" message. this pc has no floppy drive, so i boot it with ERD, ran file compare, it found two files that were corrupt, i didnt write them down before i restarted, but it was doing the same thing with the MBR error.

i booted into recovery console, tried fixmbr, restarted, then it started hanging when trying to boot to the HDD, restarted to recovery console again, tried fixboot, and i get the same thing...

ive tried a handful of MBR tools, all of which have no effect.  

so right now, the pc boots, checks for whats in the cd/dvd tray, then tries to boot to HDD, and sits there........

so i dont know if ive made it worse or what. ERD will not mount the registry any longer either.
pjam

Many malware/viruses rename exe files and cause this kind of corruption.  Internet Explorer may still be there but just renamed.
If you are positive that all the virus is gone then you should try Fred Langa's no format re-install of XP.  It will not destroy data or program installs.  Complete directions can be found in the original InformationWeek article at:
http://www.informationweek.com/news/windows/showArticle.jhtml?articleID=189400897

This will require the original install CD to boot from.  If you aren't sure that all the virus is gone then I would slave the drive to another computer to get the data off (this will probably let you know if there is still a virus lurking).  Then format and do a fresh install.  home is rather more delicate in these cases than pro and usually IMHO requires a format and fresh install.
kwburress

ASKER

well i do not think they have the original boot cd, this pc looks like it was built by someone else privately. i see an acronis image on the HDD, so i doubt they were given any OS disks.

the C drive is now not accessible, even in ERD.  

the virus has to still be there, because i was never able to get it up and running to do a scan on it. i could do an offline virus scan, but that wont fix the boot issues.
Do they have the Acronis Rescue CD and backups on an external drive?  If so try restoring that way.  Acronis is a great product if used correctly.
well no i have an acronis disk that i use, but i dont think you need it from a recovery partition, you just boot from it at startup with F11. i just wanted to try and keep all that they have currently (data) instead of loading some old image that i have no idea how old it is, cause it will overwrite all they have. i guess at least i have that as a failsafe.

i may have to end up doing it, cause right now the C drive cant have anything done to it, from it being inaccessible.

its gone from not booting to safe mode, to no mbr, to a non accessible system partition.
johnb6767
MBRFix
http://www.sysint.no/nedlasting/mbrfix.htm

The fixmbr switch

Used this loaded on a UBCD4Win boot disc a few times.....

Last time I had to remove a TDSS Rootkit, I actually tanked the partition table altogether using this (wasnt paying attention), but rebuilt it using EaseUS Partition Recovery.... Lot of extra steps, but I got it rebuilt.....
Might actually want to look at the Partition Recovery, to see if they are gone.....

EASEUS Partition Recovery 5.0.1
http://www.easeus.com/partition-recovery/
Try Knoppix http://www.knoppix.org/

It is a Live Linux CD.  You can use TestDisk on it to look at the MBR and partition table.  It can even rebuild the partition table.

Warning!  Take great care using it.

Also see TestDisk http://www.cgsecurity.org/wiki/TestDisk

Tutorial http://www.cgsecurity.org/wiki/TestDisk_Step_By_Step
im following the TestDisk instructions, and after the QuickSearch step, its giving me a screen saying

Warning: the current number of heads per cylinder is 240, but the correct value may be 255.

you can use the Geometry menu to change this value.

what should i do, leave it? or change it?

prior to this screen, it listed the partition twice, saying "invalid partition boot"

not sure whats needed next, never used this proc before.
Leave it at this stage and continue.
Geometry menu here http://www.cgsecurity.org/wiki/Menu_Geometry

No joy then restart and change the head geometry to 255 and see how the analysis goes.
i continued, and now i get the old "DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER" error.

should i still go back and change the scan geometry to 255 and try again?
Try the scan geometry of 255 and try again.

You haven't saved anything as of yet.  What you are looking for is identification of the partitions.  If changing the heads to 255 shows you the partitions (it isn't at the moment) then your partition table is set wrong.  In this case (of 255) you save this partition table and try the reboot again.
well i changed the geometry (best i could tell) and rebooted, still just hangs, does nothing.
KW,
Acronis will not destroy your data and programs, especially if it is fairly recent.  You can tell from the date on the backups how old it is.
well i changed the geometry (best i could tell) and rebooted, still just hangs, does nothing.

When you changed the geometry did TestDisk start identifying the partitions?
@pjam

an Acronis recovery partition is used just like an image or snapshot of the pc at a given time. all changes will be lost if you revert back to that partition, all it does it copy it over to the primary partition, so in this case it will erase all thats on the C drive and replace it with the recovery image. all changes since it was first made, will be lost.


@dbrunton

im not sure how i can tell its identifying the partition the way it needs to be. it does find the partition, and has a D out beside its status, as deleted. i change it to *, for primary boot partition, and then choose "write".

however, it at least quit giving the geometry warning.

the only partitions it shows, is the main C drive, and the acronis recovery image thats hidden, and accessed via F11 upon boot.

>>  im not sure how i can tell its identifying the partition the way it needs to be. it does find the partition, and has a D out beside its status, as deleted. i change it to *, for primary boot partition, and then choose "write".

This is with the 255 head geometry?

Can you select the NTFS partition and press Enter on it and see if you can see the files within?

I'll be out for a couple of hours.


@dbrunton

ok i see now that it is not recognizing the partition and its contents. when i choose to list files, it says they "seemed to be damaged".

but there is no other partition listed other than the acronis, which its files are undamaged.

Hey

I had the same problem while testing a couple of malware programs.

This helped me out. I think its worth a shot.


-------------------------------------------------------------------------------------------------------------------------

XP Repair install

Please read carefully and make sure you followed the warning links before initiating the Repair Install. You can print a text version for reference. repair.txt

   1. Boot the computer using the XP CD. You may need to change the boot order in the system BIOS so the CD boots before the hard drive. Check your system documentation for steps to access the BIOS and change the boot order.
   2. When you see the "Welcome To Setup" screen, you will see the options below  

      This portion of the Setup program prepares Microsoft
         Windows XP to run on your computer:

         To setup Windows XP now, press ENTER.

         To repair a Windows XP installation using Recovery Console, press R.

         To quit Setup without installing Windows XP, press F3.
   3. Press Enter to start the Windows Setup.
       
      To setup Windows XP now and Repair Install , press ENTER. do not choose "To repair a Windows XP installation using the Recovery Console, press  R", (you Do Not want to load Recovery Console). I repeat, do not choose "To repair a Windows XP installation using the Recovery Console, press  R".
   4. Accept the License Agreement and Windows will search for existing Windows installations.
   5. Select the XP installation you want to repair from the list and press R to start the repair. If Repair is not one of the options, END setup. After the reboot read  Warning#2!
   6. Setup will copy the necessary files to the hard drive and reboot.  Do not press any key to boot from CD when the message appears. Setup will continue as if it were doing a clean install, but your applications and settings will remain intact.

       If you get files not found during the copying stage.

      Blaster worm warning: Do not immediately activate over the internet when asked, enable the XP firewall before connecting to the internet. You can activate after the firewall is enabled. Control Panel - Network Connections.  Right click the connection you use, Properties and there is a check box on the Advanced page.
I just need to check.

It shows 2 partitions.
The first one, the main one it says files are damaged?
The second one, the Acronis one, it says files are OK?
And this is on heads 255?


Note if the above was on heads 255 can you change the heads back to 240 and then answer the below.
Does it say the files are damaged for each partition.
@kimbroy

Let's not go your way yet.  There's a long way in front first.

Must determine what are the correct partition settings for this disk.  Once those are determined then see if data can be recovered.  Then check for viruses.  Then if viruses can't be removed repair/install.

At present we don't know which is the correct partition information for this disk.
i dont think i have a good shot at a repair install anyway, dont you have to know the exact install disk type that was used in the first place? could be OEM, could be retail, there are a good handful of install disks that could have been used. sort of like with DELL machines, you gotta use a dell install disk to get the repair option, the work arounds dont really apply to that situation....

but i agree...im gonna try switching the heads back to 240, and check the contents.

but dbrunton, you are correct in your assessment, two partitions, first one (primary) is corrupt, second one (acronis hidden) is not.  im gonna do a deep scan, and just see what all it finds, and i will paste the results...
Disk /dev/sda - 250 GB / 232 GiB - CHS 30401 255 63
     Partition               Start        End    Size in sectors
D HPFS - NTFS              0   1  1 28441 254 63  456920667
D HPFS - NTFS              0   1  1 30399 254 63  488375937
D HPFS - NTFS              0   1  2 30400 254 63  488392001
D HPFS - NTFS              0   1  3 28441 254 63  456920665
D FAT32 LBA            28442   1  1 30400 254 63   31471272 [ACRONIS SZ]
D HPFS - NTFS          30383   1  1 30400 254 63     289107







Structure: Ok.  Use Up/Down Arrow keys to select partition.
Use Left/Right Arrow keys to CHANGE partition characteristics:
*=Primary bootable  P=Primary  L=Logical  E=Extended  D=Deleted
Keys A: add partition, L: load backup, T: change type, P: list files,
     Enter: to continue
the above was the scan still with geometry set to 255.
setting the geometry back to 240, doing a quick scan only find the original two partitions as before, along with all the geometry warnings, and there was no change in file integrity. still saying they seem damaged.

i wont be able to work on this pc again, until the morning, headed to the house.
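
The deep-search listing posted above can be checked offline before anything is written back to the disk. This is an added example, not part of the original thread: it parses those TestDisk rows, tests whether each row's CHS start/end and sector count agree under a given heads-per-cylinder value (255 vs. 240, 63 sectors per track), and lists which candidate partitions overlap and so cannot both be valid. The function names are made up for this sketch.

```python
import re
from itertools import combinations

# TestDisk deep-search rows as posted in the thread (disk geometry CHS 30401 255 63).
LISTING = """\
D HPFS - NTFS              0   1  1 28441 254 63  456920667
D HPFS - NTFS              0   1  1 30399 254 63  488375937
D HPFS - NTFS              0   1  2 30400 254 63  488392001
D HPFS - NTFS              0   1  3 28441 254 63  456920665
D FAT32 LBA            28442   1  1 30400 254 63   31471272 [ACRONIS SZ]
D HPFS - NTFS          30383   1  1 30400 254 63     289107
"""

# status flag, type name, start C/H/S, end C/H/S, size in sectors
ROW = re.compile(r"^\S\s+(.+?)" + r"\s+(\d+)" * 7)

def parse(listing):
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            nums = [int(x) for x in m.groups()[1:]]
            rows.append({"type": m.group(1), "start": tuple(nums[0:3]),
                         "end": tuple(nums[3:6]), "size": nums[6]})
    return rows

def chs_to_lba(chs, heads, spt=63):
    c, h, s = chs
    if not (0 <= h < heads and 1 <= s <= spt):
        return None  # address cannot exist under this geometry
    return (c * heads + h) * spt + (s - 1)

def consistent(row, heads, spt=63):
    first = chs_to_lba(row["start"], heads, spt)
    last = chs_to_lba(row["end"], heads, spt)
    return first is not None and last is not None and last - first + 1 == row["size"]

def overlapping_pairs(rows, heads=255, spt=63):
    # Two candidates overlap when their [first, last] LBA ranges intersect.
    ext = [(chs_to_lba(r["start"], heads, spt), chs_to_lba(r["end"], heads, spt)) for r in rows]
    return [(i, j) for i, j in combinations(range(len(rows)), 2)
            if ext[i][0] <= ext[j][1] and ext[j][0] <= ext[i][1]]

if __name__ == "__main__":
    rows = parse(LISTING)
    for i, r in enumerate(rows):
        print(i, r["type"], "255:", consistent(r, 255), "240:", consistent(r, 240))
    print("overlapping candidates:", overlapping_pairs(rows))
```

Rows whose index pair does not appear in the overlap list are the only combinations that can coexist in one partition table; everything here is read-only arithmetic on the pasted text and touches no disk.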
OK.

So the 240 H setting would look something like this

D HPFS - NTFS              0   1  1 28441 254 63  456920667
D FAT32 LBA            28442   1  1 30400 254 63   31471272 [ACRONIS SZ]

and the first partition gives file errors and the second one doesn't.

Could be the hard disk is faulty and needs testing.

Get the UBCD http://www.ultimatebootcd.com/

Download links are the icons at the top of the page above Overview.  Browse the page and see what utils are there for you.  Check the memory and hard disk utils especially.

Make the CD and boot from it.  

Then test the hard disk with the correct manufacturer's util for your hard disk.  Do the long test.  That will most likely tell you if your disk is corrupt.

If it doesn't pass stop here.

If that passes then there is corruption of the disk in some other form.  Possibly the file system.  The disk originally had heads at 240 when you used TestDisk so I'll presume that is what it was set to.  Make sure they are set for that.  Unless you've played elsewhere with the partition table.

You'd need to boot from an install CD and use the Recovery Console.

Try

chkdsk /r

Note that this may (and I'll emphasise this) destroy data.  So decide if you want to go that way.

After that run fixmbr again.

After that go back to TestDisk and set the first partition to active.
Agree, except I'd add
a) disk diagnostics must match the brand manufacture of drive, and so depending which brand, some are more user-friendly than others.  Some the long test and short test are destructive, some are non-destructive, be sure you know which
b) because exactly as dbrunton says chkdsk /r will mostly lose the data on bad blocks, you might consider getting HDDRegenerator or SpinRite and making a boot media of that and recovering bad blocks/sectors with that instead.  Use the command-line option to adjust how many times it retries, which defaults to over 2000 retries (whereas chkdsk /r is faster (forewarned, spinrite/hddr take longer) because it gives up and sets aside bad sector after only a handful of tries so the spare sector the affected files are remapped to contain nothing but zeroes instead of the data)
c) because the drive could be failing to the point of crashing, you ought not leave it unattended during tests.  If you hear click click chunk chunk sound of retries of bad blocks that's to be expected but severe grinding or scraping would indicate a crash, and if so STOP immediately
d) because these tests run risk of pushing some over the edge, you should probably try to make some kind of BACKUP first.  (Hopefully the customer has a fairly recent backup of their user data, files, photos, address book (email, unless it's online email hotmail/gmail/yahoo which is already saved there)   If not try to copy off the entire drive or at least the irreplaceable photos and files.  Programs if the have the CDs can be reinstalled or even repurchased but those irreplaceable documents cannot.  Acronis, gHost, RStudio, etc etc the fastest would likely be to copy the drive to another drive rather than burn backup disks, and most importantly, configure it to continue copying even if there are bad sector errors.
well i ran the long test from seatools (seagate hdd) and it passed.

so i booted back up to the recovery console, and after trying chkdsk /r, i get: "The volume appears to contain one or more unrecoverable problems."

before i did all this, as i said, i changed the geometry back to 240, since thats what it came up as when i first tried TestDisk.

ive got a copy of HDD regenerator 1.71  do i want

scan and repair?
scan, but do not repair (show bad sectors)?
or regenerate all sectors in a range (even if not bad)?
>>  before i did all this, as i said, i changed the geometry back to 240, since thats what it came up as when i first tried TestDisk.

Put the heads back to 255 and try chkdsk again.  Just chkdsk with no /r

I can't comment on HDD regenerator.  I'll let others do that.
same message after i swapped it back to 255, (unrecoverable problems). but i did notice that it tried to boot, i didnt hit "press any key" soon enough booting off the xp cd, and i got to the "boot windows normally" screen, along with the safe modes.

but none of the choices worked. but at least that is a change.

So 255 is giving you the choices of booting?

Hmm.

Back to TestDisk then.  Leave the heads at 255.

I think you've got 4 choices in the partition table of HPFS systems.  Check which one is active so you can come back to it.  Choose another one and save.  Retry the boot.  No joy then repeat until you've either tried all or found one which boots correctly.
ok so go through all 4 and write them as * (bootable primary) one  by one? or P for primary?
those 4 only come up if i do the deeper search, with heads set to 255.
OK

Then forget that idea.

>>  scan, but do not repair (show bad sectors)?

Do that with HDD Regenerator.
looks like this scan will take a while, 45min left.

35% done, and no bad sectors yet.
ASKER CERTIFIED SOLUTION
dbrunton
if the C drive wont mount from a winPE state, do you think its worth trying from a usb or slaved hookup?

ERD is saying its inaccessible.

but i agree i guess the file system is just so jacked its shredded.
>>  if the C drive wont mount from a winPE state, do you think its worth trying from a usb or slaved hookup?

Nope.

If you've got the Knoppix CD you could try mounting it from that.
well dbrunton you were right, there was no saving the data, all we tried failed, i just restored the acronis partition, it was from 2008 =\.  

but thanks for all the effort.