Boot Sector Virus

kitkat22

Golden Member
Feb 10, 2005
1,464
1,333
136
Here's the lowdown.
1) Neighbor downloads an attachment in Outlook and opens it. Oops!
2) Turns off computer thinking he might save it. Oops!
3) Computer restarts to BSOD. Ouch!
4) Master's project is on hard drive with no backup. Dang!

OK, knowing that, is there any way to salvage anything from the drive? or is this a reformat and say, "I'm sorry," type of thing?

I'm somewhat familiar with BartPE and www.ubcd.com, but not quite sure how they all work.
 

AsianriceX

Golden Member
Dec 30, 2001
1,318
1
0
1. Slave hard drive in working computer
2. Extract data
3. Reformat and reinstall OS
4. Drink a six-pack
 

Malak

Lifer
Dec 4, 2004
14,696
2
0
Originally posted by: AsianriceX
1. Slave hard drive in working computer
2. Extract data
3. Reformat and reinstall OS
4. Drink a six-pack

Doesn't always work.
 

CrispyFried

Golden Member
May 3, 2005
1,122
0
0
step 1.5 : run antivirus software on the slave infected drive
step 2.5 : run fdisk /mbr on infected drive (might have to be a master.. boot to a write protected dos disk to do it)
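
An added example, not part of the original posts: before `fdisk /mbr` rewrites the boot code, sector 0 of the suspect drive can be saved and inspected from the working machine. The sketch assumes the sector has been copied to an image file (hypothetical path passed to `read_mbr`) and that a baseline hash of a known-good boot code is available; the sample sector is constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440  # boot code area; bytes 440-445 hold the disk signature and padding

def parse_mbr(sector: bytes) -> dict:
    """Split a classic MBR into boot-code hash, partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):  # four 16-byte entries start at offset 446
        status, _chs1, ptype, _chs2, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, 446 + 16 * i)
        if ptype == 0x00:  # unused slot
            continue
        parts.append({"slot": i, "bootable": status == 0x80,
                      "status_valid": status in (0x00, 0x80),
                      "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == b"\x55\xaa",
            "code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": parts}

def read_mbr(image_path: str) -> bytes:
    """Read sector 0 from an image file copied off the suspect drive."""
    with open(image_path, "rb") as fh:
        return fh.read(SECTOR)

def review(sector: bytes, baseline_sha256: str) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    info, findings = parse_mbr(sector), []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    if any(not p["status_valid"] for p in info["partitions"]):
        findings.append("partition entry with invalid status byte")
    return findings

def sample_mbr(code: bytes) -> bytes:
    """Constructed test sector: one active NTFS-type (0x07) partition at LBA 63."""
    s = bytearray(SECTOR)
    s[:len(code)] = code
    s[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                             b"\xfe\xff\xff", 63, 78140097)
    s[510:512] = b"\x55\xaa"
    return bytes(s)
```

Keeping the saved sector also preserves a copy of the partition table in case the repair step goes wrong.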
 

kitkat22

Today I attempted to get the drive to run on my Athlon 2000+ machine. I had trouble with the Master/Slave drive thingy and I couldn't get the laptop drive to read. Both drives work because I ran all the diagnostics stuff on the virus-infected drive before plugging it into my machine. However, despite the fact the laptop drive works I couldn't get my computer to read it. I checked the cables and jumpers to no avail. I have a 40GB WD IDE drive from ages back in the machine and somehow I believe that drive was the culprit. When I stuck the jumper in the Master position the drive would no longer function even without the virus infected drive. As soon as I remove the pin the drive starts right up and no problems. Anyway, looks like I'm going to need a new drive.

Fortunately, he mentioned this was actually a minor project that would only take him a few hours to redo, so I stopped worrying about it. I told him he needs to have at least a USB drive to back his stuff up in the future.

Thanks, everyone, for your replies.
 

Bekker

Golden Member
Sep 6, 2000
1,330
0
0
Originally posted by: CrispyFried
step 1.5 : run antivirus software on the slave infected drive
step 2.5 : run fdisk /mbr on infected drive (might have to be a master.. boot to a write protected dos disk to do it)


My daughter is having all sorts of problems due to what I assume is a virus. The computer will boot, but when ANY program or other is opened, the computer comes to a screeching halt and gives various inconsistent messages. She is running XP home, but once was given the message that "NT Administrator" caused the shutdown, another time memory fault, another time services.exe and another time lsass.exe.

I am somewhat computer literate but not in enough depth to handle this one without help. I had thought of using the HD as a slave and scanning from another system, as you have described. But, I do not want to take any chances of infecting the system I will be scanning from. Is there ANY chance of that if I have antivirus protection on the system?

Thanks in advance.
 

Bekker

Originally posted by: mountcarlmore
there is a chance, although not a very high one if the definitions are up to date.

Just happened to think. If I run the antivirus from another system's drive and a virus is found, can it actually be removed from the slave drive since I assume the antivirus program modifies the registry and the only registry open will be for the system to which I booted? Is that correct and if so, will I have to continue to use the infected drive as a slave?

Thanks
 

kitkat22

Bekker,
I would essentially just take off any files that were on the drive that are important and just do a reformat; you would save a lot of time in the long run. That was what I was trying to do here, but I have a difficult computer :( You can do a repair installation, but I've found those to be spotty in their success rate. Good luck!
 

Bekker

Originally posted by: cscpianoman
Bekker,
I would essentially just take off any files that were on the drive that are important and just do a reformat; you would save a lot of time in the long run. That was what I was trying to do here, but I have a difficult computer :( You can do a repair installation, but I've found those to be spotty in their success rate. Good luck!

I would like to just take the files needed off the infected drive, but cannot open anything because I immediately get an error and reboot. I did not know/think I could get the files by booting in the safe mode but just now tried and was able to open the programs that way. She does not have a burner so I tried installing a USB drive and it detected and works, so I may be able to get what she has to have. I do not know if she has hard copies of all the programs she will need to reload, but saving the data was the most important thing.

Thanks!

 

CrispyFried

just make sure you run up-to-date av software on the machine you put the data back on. scan the usb drive 1st thing when it's plugged in, before accessing anything on it.
 

kitkat22

So here is the final installment of what happened. He took the laptop to the IT dept. on campus and they were able to retrieve all the documents he needed. The solution involved using a Knoppix CD to gain access to the hard drive! (Slaps forehead) Well, of course!!! Why didn't I think of that! Actually I feel kind of stupid for not thinking of it, but hey, at least now I know and knowing is half the battle :)
 

Bekker

I succeeded in running a virus scan while in the safe mode but found none. I need advice. Does the scan run in safe mode find all viruses or must it be run in standard mode?

Secondly, are there other things that can result in total shutdowns and restarts every time anything is attempted to be opened that also produce many different, inconsistent error messages? The computer runs great in safe mode and not at all in standard.

Thanks
 

kitkat22

Bekker,
What type of computer are you running? Can you give all the specs? What AV program are you running?
Here are some other things you can do:
1) Run Memtest overnight - if there are any errors you know that it is the RAM at fault
2) Run your HDD utilities - see if there are any errors on the hard drive
3) Have you run Antispyware software?
4) What programs have you installed recently? Try uninstalling those and see what happens.
5) Have you installed two AV programs or Firewall programs on top of each other?

It could be anything from the power supply to the RAM, or the OS has just become corrupted.
 

Bekker

Originally posted by: cscpianoman
Bekker,
What type of computer are you running? Can you give all the specs? What AV program are you running?
Here are some other things you can do:
1) Run Memtest overnight - if there are any errors you know that it is the RAM at fault
2) Run your HDD utilities - see if there are any errors on the hard drive
3) Have you run Antispyware software?
4) What programs have you installed recently? Try uninstalling those and see what happens.
5) Have you installed two AV programs or Firewall programs on top of each other?

It could be anything from the power supply to the RAM, or the OS has just become corrupted.


Thanks. I am not sure of all the specs because it is my daughter's and she did not have them, but I do know it is a Compaq Presario running a 1.8 P4 processor. It has 512 meg memory, but I am not sure of brand, etc. as I imagine it is whatever Compaq used. OS is XP home. It has very few add-ons, if any. She has CD and floppy drives. They might have added a video card, but that is doubtful.

To my knowledge they have not installed any new programs for a long time.

I ran an antispyware program and found 19 objects that I removed. I also ran the antivirus program to no avail, but I have no idea if they have the latest additions and cannot check because I cannot get it online. I do not know which programs they use for spyware and antivirus since I got to them through icons and paid no attention since I could not update/change them.

I have doubts that it is memory related because it is absolutely stable when running safe mode. I may try changing the memory today to see if that matters, but first have to see what kind it uses. I do not know if I can run memtest w/o downloading a program. Does XP have this utility?

I am considering stripping it of everything I can and then adding one device at a time to see if there are any problem devices. If it reboots with errors with nothing but essentials that will narrow it to mem, power supply, OS, or motherboard I assume.

Thanks again