Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Boot Record changed? 2

Status
Not open for further replies.
porty

porty

Technical User
Apr 10, 2000
23
NZ
I'm running Norton AntiVirus 2001 on a W98 2nd Ed. 466 PC.

While I was on the net just now, I got a message telling me:
"Your Boot Record, which contains critical Startup information, has changed........"

It gave me the following 3 options:
1.The change to my boot record is ok. Update the saved copy of my boot record.
2.The change is unexpected. Restore my boot record to ensure it does not contain a virus.
3.Ignore the change and do nothing.(Remember to run LiveUpdate and then scan with Norton AntiVirus)

I opted for #3 (did nothing)but updated the virus definitions and did a scan. However, all that happened was I got another of the same messages.

I remember this happened a couple of years back and I selected the restore option and crashed Windows completely - had to re-install. Someone told me later that there's no way you should restore your boot record.

What should I do? I've rebooted and nothing seems untoward. Why do these messages originate? Is there no way to run a backup of the MBR that you can restore like the registry backup?

I'm puzzled........
 
Sort by date Sort by votes
Windows writes to boot records almost every day. This usually occurs the first time a disk is accessed in a session (hard drive or floppy). Windows changes an eight byte field in the boot record (starting with the fourth byte) called the OEM ID. At one time, before the advent of Windows, this field was used to hold an identifier to indicate which OS had originally formatted the disk. Windows makes better use of the space by placing a marker to indicate that the disk has been accessed at least once in the current session.

Usually, virus checkers will understand the nature of this write and allow it without warning. Sometimes, depending on the AV's level of paranoia, it will trip an alarm and ask you if the activity is permissable. It's a shame that most virus checkers don't give you more data to allow an informed decision: "Hey dude! Windows is reminding itself that it has accessed your D: drive. Are you going to let that happen?" or This is to inform you that an unknown application has overwritten the boot record on C: with 512 bytes of deadly viral code. Would you like to reboot now to allow it a chance to infect your other drives?"

I guess software will never be that "smart". Now-a-days, you should maintain a certain level of paranoia at all times. Don't sweat it but, unless you have told Windows to modify the boot record (say, by changing the volume label), you should be suspicious of any write to this disk area... permissable or not. Ya just never know.... :)
VCA.gif

Alt255@Vorpalcom.Intranets.com
 
Upvote 0 Downvote
Thanks for your input.

No,I'd done nothing like changing the volume label to instigate any action, I was just online, surfing about the net.

I did a full scan afterwards and apart from the same Warning screen as showed up before, it reported no viruses were found. But the warning screen has shown up several times since, with no apparent cause, and does so every time I kick off another scan.

I find the whole thing very confusing. In retrospect, I must confess I don't even know what the boot record does. Or what a boot sector virus does. Is it counter-productive to restore an earlier boot record? Could it result in me needing to re-install Windows, as I was told a few years back by a Symantec telephone tech?

But if I do have some kind of gremlin lurking in my computer's innards, what on earth can it be doing? I mean, what is the point of a virus that doesn't actually do something?

And if I do have a virus, what's the point of Norton telling me about it, if indeed, the cure is worse than the disease and fixing it will result in Windows needing to be re-installed?

That in itself is kind of silly - it's like going to the doctor with some unpleasant symptoms and the doctor saying, 'Yes, you're right, you do have a disease. Please pay the receptionist on your way out'.

Unfortunately, the Norton program doesn't come with much in the way of documentation on the subject, and their website isn't exactly overburdened with answers either. I seem to recall that several years back, they used to have a pretty good knowledge base but so far I haven't dug it up.

Seems to me that I don't have too many options - I either restore the boot record and risk having to rebuild Windows or accept the new, changed boot record as normal, with whatever accompanying consequences might ensue.

 
Upvote 0 Downvote
If I read your posts correctly, NAV is reporting attempts to write to the boot record. It isn't reporting that it has found a virus.

I would suggest that you leave the boot record alone. Unless NAV actually reports a virus, go ahead and allow it to update its boot record information. If NAV scans the disk and actually finds a virus it will ask you for permission to repair the damage. It will probably tell you that you need to boot to a floppy with the DOS version (NAVDX) to remove the virus. Allow NAV to do its thing.

It would be incredibly unlikely to find an active boot sector virus on a system running NAV with auto-protection. The reason for this is that the boot sector is only 512 bytes long and every byte of it, except for Volume Label, the Volume Serial Number and the OEM ID, is critical for loading and initializing DOS. There isn't much room to hide a virus.

Boot sector viruses work by moving the real boot sector to another location on the disk and then replacing the code in sector #1. When you boot to the disk, instead of initializing the DOS loader, the loader portion of the virus starts and points to the remainder of the viral code (usually located at the end of the physical disk and most often residing in clusters the virus has marked as "bad" -- this prevents DOS from overwriting it with files). After the virus is fully active, has verified its own integrity and possibly infected other hard drives or floppies, it activates the DOS loader code in the copy of the boot sector it made when it infected the disk. DOS starts, Windows starts and everything appears to be normal.

Just remember that the virus loads before the OS and it is in absolute control. Ready to infect other disks or deliver a "payload" at its own convenience.

The payload varies. Some boot-sector virues (like StealthB and StealthC) only seek to spread to other disks (in the case of the two mentioned, there is an unintentional side-effect of FAT corruption).

The Stoned virus tells you that your computer is stoned and corrupts the FAT (if you ever boot to a floppy and a DIR C: shows you several screens of hieroglyphs, you are probably looking at an example of FAT corruption).

The Michaelangelo virus waits until the birthday of Michaelangelo and then encrypts the first 33 sectors of the hard drive (basically ruining it). There are countless variations to these schemes but my earlier point holds true for practically all of them. If you have enabled auto-protection on a modern anti-virus package you should never have to worry about infection by a boot-sector virus. There are a couple of reasons for this:

1) No self-respecting virus author would try to create a new boot sector virus because (see #2)

2) They are incredibly easy to detect, prevent and remove.

The virus authors realized quite some time ago that the boot sector is a very poor place to hide a virus. Almost every byte has to be accounted for in order to start a system and anything that can't be accounted for is likely to trigger a red-flag:

1) In the CMOS anti-virus feature, if enabled. This feature comes with almost all modern boards. Whenever something attempts to write to the boot sector this feature will pause the system and ask you if you want to allow the write. If you have decent anti-virus software you can toggle this feature off in system setup.

2) In Windows. Windows probably won't load properly unless the virus was written to provide some accomodations for it. In the case of the StealthB virus, it steals a portion of the first meg of RAM and tries to hide itself from AVs by fooling the system into believing that the first meg is actually 64kb smaller than a full meg. It worked quite well under Win3x but Win95 didn't buy the ruse and crashed. I first detected this virus on a malfunctioning system when I booted to MS-DOS and did a MEM command. The computer appeared to have less than 640kb of conventional memory. I booted to a floppy with NAV and it repaired the damage without incident.

3) In the anti-virus software. Any attempt to write to the boot record should trigger an alert. If the software is sufficiently sophisticated, like NAV 200x, it should be able to distinguish between legal writes by the OS and illicit writes by a virus.

My advice for you is to boot to a known, clean boot floppy with a copy of NAVDX.EXE. It is important that you do this after booting to a clean floppy. Some viruses are difficult to detect after they go resident and even the best AVs may miss them. Scan the hard drives and follow the recommendations. If you actually have a boot sector virus, NAV should inform you of that fact the instant it starts. Do not attempt to manually restore an earlier copy of the boot record (even allowing NAV to do this can be risky but you may not have a choice). There are a thousand ways where this could give you bad results. For instance, if one of your drives was installed using a firmware drive overlay like EZ-Drive, you will probably end up losing everthing on the disk and be forced to do a low-level format in order to use the disk again (an ordinary format probably won't do the trick).

I don't have a copy of NAV 2001, so I can't check, but I'm pretty sure you will find a "sensitivity" setting you can adjust to ignore lawful disk activity.

My SWAG is that you don't have a virus... but that is only a guess so don't rely on it. Run NAV from a clean floppy to find out. Even then, don't assume your system is clean. Be proactive: make frequent backups and always be prepared for the worst.

There is a new forum at Tek-Tips called General Virus Discussion. You will find it in the MIS/IT area. It may be best to move this discussion to that forum. There may be members with different recommendations who have seen things that I missed in your posts. In order to let the members know about the points that have already been discussed, you should copy the entire "Boot Record Changed?" thread and paste it into a new post in the General Virus Discussion forum.

Good luck!
VCA.gif

Alt255@Vorpalcom.Intranets.com
 
Upvote 0 Downvote
Thank you for the best reply I've ever had to a forum question - it's extremely comprehensive and legible and answers my query thoroughly. I'll take your advice and go through the routines you've suggested - I'll also post this entire thread to the General Virus Discussion forum so that this information is available to as many members as possible.
Once again - many thanks.
 
Upvote 0 Downvote
You are very welcome. I certainly hope that my guess was correct and you do not have a virus.

Best of luck...
VCA.gif

Alt255@Vorpalcom.Intranets.com
 
Upvote 0 Downvote
Very good, Craig. You earned two stars for the backup jacket.
Have you looked at the virus help FAQ? I've added some from your last posts. Ed Fair
efair@atlnet.com

Any advice I give is my best judgement based on my interpretation of the facts you supply.

Help increase my knowledge by providing some feedback, good or bad, on any advice I have given.

 
Upvote 0 Downvote
Thanks, Ed. I guess good deeds do not go unrewarded.

Being able to help Porty was all the reward I really needed... but thanks for the head nod!
VCA.gif

Alt255@Vorpalcom.Intranets.com
 
Upvote 0 Downvote
Just one further point about the foregoing thread - if one were to restore an earlier boot record, is it likely to cause a system crash? I'm not intending to do it, I hasten to add, it's just that this was my experience a couple of years back. I chose the restore option, then ended up having to re-install Windows (95 at the time).

And some months later, a Symantec phone tech told me that restoring a boot record was a no-no.
 
Upvote 0 Downvote
There is a chance that it could cause some rather drastic problems, such as making your disk unbootable. The severity of the problems would depend on a number of factors including the age of the boot record backup. As noted earlier, the boot record isn't a write-once-and-forget-it area.

I, personally, wouldn't have a problem with booting to DOS, making a copy of the boot sector and then immediately restoring it. I wouldn't even consider it under Windows. NT wouldn't allow it and Win9x would immediately show you a BSOD informing you that there was a problem with the hard drive and probably give you a message similar to this:
[tt]
"Please insert disk serial number 2FD6:AFF0 in drive C:"[/tt]

Windows likes to keep track of disk identities with the OEM ID field I mentioned earlier. It doesn't expect users to change hard drives like one might change floppies. (Actually, you can replicate this BSOD with a floppy drive if you try hard enough).

In changing a hard drive boot record, a Blue Screen of Death would probably be the least of your worries. If the OS changed "critical" information regarding disk partitions or file structure since your last boot record backup, restoring the backup could toast your hard drive. I have seen this problem on two systems where the users had heard about the undocumented /MBR switch for FDISK. It restores an earlier copy of the Master Boot Record. Unfortunately, the MBR backup doesn't always contain valid information.

Hope this helps.
VCA.gif

Alt255@Vorpalcom.Intranets.com
 
Upvote 0 Downvote
Ok, that makes sense. As I said, I'll take your advice and let the system update itself.
Cheers and thanks once again.
 
Upvote 0 Downvote
Craig, looks like I need a little more advice, if you wouldn't mind. Couple of things changed since my last post -firstly, I've been experiencing odd freezes and crashes and wondered if I really did have a bug somewhere. When I thought about it, I realised I had Norton 2001 set to check programs only and not files so I reset it to do a full file check and came back after 54 minutes and 120,271 files to find Norton telling me it had found a virus, Backdoor.SubSeven 2 (aka SubSevenServer 2.1)in C:\Windows\System\H@tkeysH@@k.dll (1234 bytes)

According to Norton AntiVirus, it's a 'Backdoor Trojan that creates a security hole unto (sic) your system' but the program doesn't seem too sure whether it infects EXE's or Documents as it says it affects both.(which I would have thought was unusual?)

Finding this gremlin caused me to wonder if some other strange activity that's been occurring lately, had anything to do with this bug.

At irregular intervals, a small box pops up with message 'A Runtime Error Has Occurred, Do You Wish To Debug? Line 379 Error:Object Expected YES NO' (There are 2 buttons here)

The first time it happened while I was online, and when I pushed YES, Internet Explorer crashed. So after that I pushed NO.

It hasn't happened since I cleaned out the virus, but that was only an hour ago so it mightn't mean too much.

Other than a virus (which I should be now clear of) I can't think of anything else which might produce a similar message except I seem to have 'sprouted' a couple of MS programs which I have no recollection of installing - Microsoft Development Environment 6 and a thing called Microsoft Script Editor. I'm sure I don't need these, particularly if either of them are associated with this pop-up, but I can't see any way to uninstall them.

Your comments would be appreciated.
 
Upvote 0 Downvote
Hi Porty,

SubSeven seems to be one of the most popular trojans. There aren't many around with such a devoted following... providing tutorials, easy updates and decent product support. There is even a SubSeven fan club. One really has to admire the skill required to produce a solid product with such an easy, intuitive user interface (if you haven't seen it already, you can take a look at the SubSeven client UI at
This is not intended to take your situation lightly.

I'm not sure that you, or anybody else, can find out everything that was done to your computer while the SubSeven server was active. Depending on how malicious your attacker was, he could have read your read your e-mail, looked up your credit card numbers, fiddled with your system files, hacked your registry, downloaded viruses from the Internet and installed them, copied/moved/deleted files and folders, sent e-mails threatening to kill world leaders, etc. Basically, he could have done anything that he could have done if he had walked into your home or office and sat down at your computer.

I don't really mean to scare you but I think you should feel at least a little apprehension. And I think you should take whatever steps you require to protect yourself. If I were in your shoes, I would do a quick but thorough risk assessment. Does anybody have a reason to steal from you or damage your computer or reputation? Start there and allow your imagination to be your guide. If your answer is yes then you should consider taking immediate steps (it's something you should consider, even if your answer is "no").

The problem with trojans like SubSeven is that the threat may not end after the program has been removed from your computer. Depending (as I noted) on the motivation of your attacker, he could have dropped other trojans on your computer. It doesn't take much imagination to realize that the hacker could have protected the SubSeven installation by giving you another program designed to check for SubSeven and re-install it (or another trojan) if you managed to remove it from your system.

This is entirely up to you but here is what I would do if I found out somebody had been using my computer from a remote location:

First of all, I wouldn't have removed the trojan from my system. I would have contacted the appropriate law enforcement agency (that would be the FBI in the United States) and let them handle the situation. It would have been a fairly simple matter for them to back-track, discover your attacker's identity and bust him (or contact the appropriate foreign law enforcement agency). If the FBI was reluctant to take action, I would take action on my own.

1) I would unplug my computer, remove the hard drive and use another computer to get copies of my documents (not program files).
2) I would exhaustively scan the documents for macro and scripting virii.
3) I would visit the web-site of the hard drive manufacturer and download their low-level disk utility.
4) I would perform a low-level format on the hard drive, fdisk it and do a standard high-level format.
5) I would reinstall Windows and all my software.
6) Finally, I would find a new ISP and possibly change my phone number.

This is just the course that I would pursue based on my own risk assessment. You might want to take less drastic action... but you should, at least, step back and consider what you stand to lose. Only you can make that decision.

Good luck and post back with your results. It could help other members make similar decisions.
VCA.gif

Alt255@Vorpalcom.Intranets.com
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

pjw001
  • Locked
  • Question
Windows 11 Screen Colours have changed (slightly) 3
Replies
14
Views
1K
pjw001
pjw001
Rosciano
  • Locked
  • Question
Blue screen during the boot.
Replies
1
Views
80
gbaughma
gbaughma
Randy_F
  • Locked
  • Question
Windows 10 Will only boot with a USB drive inserted??? 2
Replies
4
Views
179
Ferdinand Schultz
Ferdinand Schultz
Keyboy
  • Locked
  • Question
Boot software
Replies
3
Views
115
Keyboy
Keyboy
javierdlm001
  • Locked
  • Question
My Windows Boot Manager is gone! 1
Replies
9
Views
149
edfair
edfair

Part and Inventory Search

Sponsor

Back
Top