Bootrecord distroyed

[RustyDWO]

Believe it or not but the trojan UNASHAMED survived allmost 10 years on a floppy disk.
When the floppy was left in the drive and the computer was powered again the next day....... well you can all imagine what happened.
Since this virus is from the FAT periode I have not found a tool yet to clean the NTFS format as used for XP.
I duplicated the problem on a W95 machine with an infected start-up disk and there the problem was easily solved with bootscan by McAfee.
I tried for the NTFS format the Recovery Console commands like fixboot and fixmbr but sofar the disk remains unaccessible.
I also have the impression that with the fixes the format is not NTFS nomore but FAT.
As a slave, the disk is shown in explorer but useless.
Does anybody has any suggestions.
Redo the disk is a lot of work with 5 users with their own settings restrictions etc.

Thanks
Marc

 

[linney]

Here a set of jumbled thoughts, some wont work some might.

If you use a 98 or ME Startup Disk (even though your partition is NTFS) you may be able (not sure) to just about access the MBR (and nothing else) and remove the Trojan from there.

http://64.233.167.104/search?q=cach...ent/v_98799.htm+trojan+UNASHAMED+remove&hl=en

Deleting MBR on NTFS Partition
thread779-684449

Recovering NTFS Boot Sector on NTFS Partitions

http://support.microsoft.com/default.aspx?scid=kb;en-us;153973&FR=1&PA=1&SD=HSCH

If it is a virus infection you may need to boot to the Recovery Console and fix the boot sector (fixboot) to get rid of the boot sector virus, or use one of the floppy based recovery solutions.

http://groups.google.com/groups?hl=...TF-8&q=%22boot+sector+virus%22%2Bwindows%2Bxp

http://www.itsecurity.com/asktecs/apr3702.htm

http://forums.techguy.org/t122706/sd77b577d0c62e4004296e82de7090551.html

http://www.google.com/search?sourceid=navclient&ie=UTF-8&oe=UTF-8&q="boot+sector+virus"+windows+xp

http://groups.google.com/groups?sou...F-8&oe=UTF-8&q="boot+sector+virus"+windows+xp

"Go to

http://www.bootitng.com.

look for MBRWORK in the free tolls and download
it, put it on a DOS floppy (one made by formatting in XP and taking the
MSDOS Startup disk option will do).

Boot that and run MBRWORK
Use options
1 (to back up the current state, so it could be restored with 2)
3 then 4 to delete the current code and tables
there will then be a possibility of using
A
which will scan the disk for 'signatures' of partitions and rebuilt the
partition table then
5
to install standard MBR code so the disk could be booted


--
Alex Nichol MS MVP (Windows Technologies)"

http://www.bootitng.com/utilities.html

 

[bcastner]

I had a similar thought. I was able using F-Prot for DOS (

http://www.f-prot.com/products/home_use/dos/)

having booted from a DOS bootdisk to fix a similar problem, albeit it was an older version of F-Prot, and I have no idea if the current version would work.

I hope the essence of linney's suggestions above work:

. boot from an earlier DOS disk, and fdisk /MBR
. if no joy, do both FIXMBR and FIXDISK from Recovery Console.

If you have access to another machine, mount the XP volume as a slave and run Antivirus repairs from there. The volume is repairable with some effort on your part.

I sincerely hope you can recover the MBR record. Please see linney's links above for trialware and commercial possibilities.

 

[RustyDWO]

Sorry guys, nothing of the above worked.
MBRWORKS looked OK but the end result was nadda.
Found this program MADBOOT; also zippo for the regualr formats.
I think too many attemps of different programs just destroyed too much for recovery.
Doing Low Level Format now but takes a while; 20% in 4 hours!
Hopefully after that a regular fdisk will work. If not its trashcan!
Thanks for the help anyway.
Marc

 

[bcastner]

One of the interesting things going on is the efforts being made to prevent an issue such as described in this thread. Hardware DEP is one effort, and in Longhorn there is the promise that changes made by a virus such as this will be detected, the user notified, the system reverted and the damage quarantined unless it is explicitly released.

Hopefully some day the possible problem discussed in this thread will become a thing of the past.