FixMBR says I have on-standard or invalid boot record

[ronrobjoe]

I was concerned about getting very bad virus that is going around Europe
that writes (Storm Virus?( and hides itself on the Master Boot Record. So I
use the Recovery Cosole to enter the command fixmbr and stopped because I got
this message:

This computer appears to have a non-standard or invalid boot record.
Fixmbr may damage your partition tables if you proceed.
This could cause all the partitions on the current hard disk to become
inaccesible .
If you are not having problems accessing your drive, do not continue
Are you sure you want to write a new mbr?

I answer no. I am concerned that I may already have the virus because I have
a router and I notice all lot of activity, send receive lights flashing on it
when I am doing nothing on the internet, especially later in the evening.

Can anyone tell me what the recovery console meant in its message about my
hard disk mbr being non-standard or invalid and being unable to access it if
I processed with the fixmbr.

 

[sgopus]

it depends on what brand of compuer you have, since you didn't specify, we
can't answer.
ie if HP they tend to use their own mbr to access the repair partition.

 

[ronrobjoe]

You are right - my pc is an HP. Have you run into this problem before?

 

[John John]

It always says that when you run fixmbr, unless you have DDO (which is
highly unlikely in this day and age) or other programs that hook into
the mbr (like GoBack) you can use the command and it won't cause you to
lose the partitions.

That being said, there are some mbr virus that cannot or should not be
repaired by using the fixmbr command, I have not researched the
particular virus that you have, it is up to you to do your homework and
assure yourself that using fixmbr to remove the virus will not cause
further damages.

John

 

[ronrobjoe]

Thanks John, the research I did said this virus would be fixed or prevented
by the fixmbr command so I will try it.
Ron

 

[John John]

In that case it should work without damaging the partition table.

John

 

[ronrobjoe]

Since our last correspondence, I contacted Hp support Chat and they advised
me not to use the command but to contact Norton, my anti-virus provider, and
get their advise, which is really what you said in the first place. So i
won't use the command and will do more work with Norton.

Thanks for the help. With your advice and HP's, I am pretty certain I should
be very careful about using the fixmbr command. Have a great night.
Ron

 

[sgopus]

Yes, I have!
I followed hp's recovery instructions to the letter and never did get the
blasted thing to properly recover the operating system, once it was
supposedly restored, it kep booting back into the recovery partition instead
of the recovered OS, it died during the process (something on the MB) and I
gave up, I would have loved to resolve the issue.

 

[ronrobjoe]

Same thing happened to me exactly in just trying to install the recovery
console and I had to do a destructive recovery and have just spent three days
getting the os back in place and re-installing all my programs. Had I not had
a slave drive with all my data on it I would have lost 17 years of writing
and 7,000 pieces of music. All this could have been avoided if they had just
given me the damn win xp CD in the first place.
Good to know I'm not the only one who followed instructions and ended up to
my ears in alligators from Hp & Microsoft.

Have an eventful computing day - a good day that is.

 

[PA Bear [MS MVP]]

If you had such an infection, believe me, you'd *know* about it.

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware with
assistance from an expert. **Post your log to
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7,
http://aumha.net/viewforum.php?f=30, or other appropriate forums for expert
analysis, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA) computer repair shop.

 

[mayayana]

I followed hp's recovery instructions to the letter and never did get the

blasted thing to properly recover the operating system, once it was
supposedly restored, it kep booting back into the recovery partition instead
of the recovered OS, it died during the process (something on the MB) and I
gave up, I would have loved to resolve the issue.

This may not help you much now, but any boot
program would allow you to take control of that
problem. I have a HP on which I use disk image backup
and keep multiple copies installed for testing software, etc.
So I have partitions something like:

Recovery partition | XP1 | XP2 | Data1 | Data2 | Data3

I use BootIt for all partition work, booting and imaging.
If, for some reason, I decide that I want to reinstall
the original HP version of XP with all the original "shovelware",
I can just put the recovery partition on my boot menu,
reboot, and select the recovery partition for booting.

 

[John John]

This may not help you much now, but any boot
program would allow you to take control of that
problem.

Yes indeed, actually one could have used fdisk to change the active
partition and it should have taken care of the problem.

John

 

[VanguardLH]

in message

I was concerned about getting very bad virus that is going around
Europe
that writes (Storm Virus?( and hides itself on the Master Boot
Record. So I
use the Recovery Cosole to enter the command fixmbr and stopped
because I got
this message:

This computer appears to have a non-standard or invalid boot record.
Fixmbr may damage your partition tables if you proceed.
This could cause all the partitions on the current hard disk to
become
inaccesible .
If you are not having problems accessing your drive, do not continue
Are you sure you want to write a new mbr?

I answer no. I am concerned that I may already have the virus
because I have
a router and I notice all lot of activity, send receive lights
flashing on it
when I am doing nothing on the internet, especially later in the
evening.

Can anyone tell me what the recovery console meant in its message
about my
hard disk mbr being non-standard or invalid and being unable to
access it if
I processed with the fixmbr.

Have you installed any software that usurps the bootstrap record
(first 446 bytes) of the MBR (first and unusable sector)? Boot
managers, backup programs, disk encryption programs, and others will
replace the bootstrap program with their own.

These good usurpers do not alter the partition table. Viruses might
change the offset of where to find the partition descriptors in the
MBR. That means a good bootstrap program that looks at the standard
offsets will not properly find the start of your partitions. So
FIXMBR is warning you that something in the bootstrap area does not
look like a standard bootstrap program. Every version of DOS and
Windows has had a slightly different set of bytes for their "standard"
bootstrap program. Grub used with Linux would be a different set of
bytes. I'm not sure how FIXMBR could determine what is a standard
bootstrap program since every version of them is different, so it is
probably telling you that what is in the MBR's bootstrap area is
different that what it will put there.

While I haven't specifically done this, you could use a utility that
reads and saves a copy of the MBR, like 'mbrtool', and then go look in
the saved file to see if there are any strings that identify whose
bootstrap program is located in the first 446 bytes. I'd have to
download mbrtool, use it to create the bootable floppy, and reboot my
host to find out what was in the saved mbr file but that would
interrupt my reply here plus I really don't have that much impetus to
go through all that.

 

[VanguardLH]

in message



Have you installed any software that usurps the bootstrap record
(first 446 bytes) of the MBR (first and unusable sector)? Boot
managers, backup programs, disk encryption programs, and others will
replace the bootstrap program with their own.

These good usurpers do not alter the partition table. Viruses might
change the offset of where to find the partition descriptors in the
MBR. That means a good bootstrap program that looks at the standard
offsets will not properly find the start of your partitions. So
FIXMBR is warning you that something in the bootstrap area does not
look like a standard bootstrap program. Every version of DOS and
Windows has had a slightly different set of bytes for their
"standard" bootstrap program. Grub used with Linux would be a
different set of bytes. I'm not sure how FIXMBR could determine
what is a standard bootstrap program since every version of them is
different, so it is probably telling you that what is in the MBR's
bootstrap area is different that what it will put there.

While I haven't specifically done this, you could use a utility that
reads and saves a copy of the MBR, like 'mbrtool', and then go look
in the saved file to see if there are any strings that identify
whose bootstrap program is located in the first 446 bytes. I'd have
to download mbrtool, use it to create the bootable floppy, and
reboot my host to find out what was in the saved mbr file but that
would interrupt my reply here plus I really don't have that much
impetus to go through all that.

Also, running FIXMBR when not necessary could end up damaging access
to the partitions in your system. What would happen if you lost power
while it ran (it runs very quickly but does take time to run) and you
did not have a UPS to keep your computer powered up? If you had
whole-disk encryption software employed in your system that used the
MBR bootstrap program to decrypt your volumes, well, a standard
bootstrap program won't do any decrypting and you lose access to all
the content of your disks. If you don't know that you need to replace
the bootstrap program in the MBR whether because you want to get rid
of a prior usurper (like a bootmanager) and return to a standard boot
loader or because you suspect a viral infection but have no proof then
don't do it. As mentioned by others, and although you are not running
a 3rd party boot manager, the maker of your computer may be using
their own boot manager for special reasons, like accessing a normally
hidden partition wherein lies the recovery image for restoring your
computer back to its buy-time state.

"Storm" covers several varieties of the pest; see
http://preview.tinyurl.com/yt8rdl. I looked at a couple and they did
not mention that the MBR's bootstrap area got overwritten by the pest.
So running FIXMBR may not only be superfluous but not worth the risk.

If your anti-virus program doesn't detect the varieties of the Storm
pest then get a different and better anti-virus program. In your
other post, you mention using Norton. That is a brand name, not a
product name. Has Norton Anti-Virus alerted you to an infection?
Seem Symantec knows about this pest; see
http://preview.tinyurl.com/yrr66w. Stop trying to fix problems or
eradicate pests that do not yet exist on your host - but maybe you
should go update the virus signature database for NAV if the automatic
update is not working.

 

[John John]

VanguardLH wrote:

So FIXMBR
is warning you that something in the bootstrap area does not look like a
standard bootstrap program...

I'm not sure
how FIXMBR could determine what is a standard bootstrap program since
every version of them is different, so it is probably telling you that
what is in the MBR's bootstrap area is different that what it will put
there.

AFAIK fixmbr always returns that warning message. Do a brand new
installation and try it, or try in on the installation that you have now
and even if you have never changed or touched your mbr it will still
give you the warning message. What you say may or may not be true,
there is no way of knowing by reading that warning message whether or
not you have a non-standard or invalid master boot record, or whether or
not a different mbr will be written to the disk.

John

 

[sgopus]

yeah, thanks when I was going to do that, the Motherboard died and the age of
the pc decided for me not to buy a replacement MB, somwhere I have bootit or
boot magic I'd have to find it again, I should have that located with my
other utilities LOL