My XP crashed and I wonder if it's done by virus.

Thread starter: baby
Robert Green said:
> [snip]
>
> I think some posters don't quite understand what Zvi has been talking
> about. To clarify the matter (I hope) here is an excerpt from a
> diagnostic taken on a customer's drive this morning:
>
> Drive 1 C: 32301 H: 240 S: 63 Size: 249GB Last LBA: 488397168
>
> Master Boot Record (corrupted)
>
> 0 X 114 144? 111 11 126? 101 51 218129509 17019904?
> 0 R 116 482? 115 3 841? 114 44 729050177 543974724
> 0 R 101 111? 111 41 111? 115 52 168653938 0
>
> Candidate NTFS Partition
>
> 63 M 7 0 1 1 8123 209 63 63 122832927 Unknown
> 63 $ 8 63 122832926 255 63 786432 7920041 47072 0 [00]
>
> From the initial line (beginning "Drive 1") note that the BIOS is
> translating with 240 heads.
>
> Next, note obvious corruption of the MBR.
>
> Next, see the line beginning "63 $", which records data from the boot
> sector of an NTFS partition in the first position. The values shown as
> "255 63" are the heads and sectors values from the BPB, so we know
> that when the partition was formatted the BIOS was translating with
> 255 heads.
>
> The discrepancy occurs because, as Zvi wrote, the corrupted MBR causes
> the BIOS auto-detect to mistranslate.
>
> If I were to rebuild the MBR without noticing this, then any attempt
> to boot the system would result in "NTLDR not found...", since the
> IPL's attempt to read the MFT would fail. The mistranslation would
> lead to a wrong address being used (the NTFS boot sector IPL uses CHS
> mode addressing if the boot partition is located inside the 8GB
> threshold).
>
> What would happen if you tried to copy over a new NTLDR in this case?
> I'm not entirely sure, but I doubt it would do any damage, assuming
> the partition would even mount so that you could access it from
> Recovery Console, since sector addressing would be in LBA mode at that
> point (I think).

Whether file system corruption will occur depends on the persistence of the
user. In our experience, I have seen both. This risk could be easily spared by
doing a DIR C:\ from the console command line, before attempting anything else,
and verifying that the directory shows no corruption signs.
> The correct translation can be restored by just zeroing the MBR and
> rebooting.

For the sake of completeness, I would add that after redetecting the drive with
the zeroed partition, the MBR should be rebuilt, if the data on the drive is to
be recovered.

See the http://tinyurl.com/amerf short thread. It demonstrates how a drive
geometry problem evolves, and how to recover from it.
> Also, I would note that the "NTLDR is missing" error is the result of
> a corrupt MFT 9 times out of 10, at least in my experience.

Most drives that I see, having experienced the NTLDR missing problem, were
victims of geometry mismatch. Yet the difference in our experiences could be due
to us (NetZ) dealing with disaster recovery, uniquely.

Best regards, Zvi
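The geometry mismatch Robert Green walks through above (BPB formatted under 255 heads, BIOS now translating with 240) can be reproduced numerically. This is an added example, not code from the thread: the boot sector is constructed from the values in the "63 $" diagnostic line (8 sectors per cluster, 63 hidden sectors, 255 heads, 63 sectors per track, $MFT at cluster 786432), the "8GB threshold" is taken to be the classic 1024x255x63-sector CHS limit, and all function names are the example's own.

```python
import struct

# Classic INT 13h CHS limit: 1024 cylinders x 255 heads x 63 sectors (~7.8 GiB).
# Assumed here to be the "8GB threshold" below which the NTFS IPL uses CHS reads.
CHS_LIMIT_SECTORS = 1024 * 255 * 63

def lba_to_chs(lba, heads, spt):
    """Translate an LBA into (cylinder, head, sector) under the given geometry."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec = divmod(rem, spt)
    return cyl, head, sec + 1  # CHS sector numbers are 1-based

def chs_to_lba(cyl, head, sec, heads, spt):
    """Inverse translation; the BIOS applies *its* geometry here, not the BPB's."""
    return (cyl * heads + head) * spt + (sec - 1)

def parse_ntfs_bpb(boot_sector):
    """Read the NTFS BPB fields the IPL needs; offsets follow the NTFS boot sector layout."""
    spc = boot_sector[0x0D]                                     # sectors per cluster
    spt, heads = struct.unpack_from("<HH", boot_sector, 0x18)   # sectors/track, heads
    hidden, = struct.unpack_from("<I", boot_sector, 0x1C)       # sectors before partition
    mft_cluster, = struct.unpack_from("<Q", boot_sector, 0x30)  # $MFT start cluster
    return {"spc": spc, "spt": spt, "heads": heads, "hidden": hidden, "mft_cluster": mft_cluster}

def mft_read_target(boot_sector, bios_heads, bios_spt):
    """Return (LBA the IPL wants, LBA the BIOS actually reads) for the first $MFT sector."""
    g = parse_ntfs_bpb(boot_sector)
    wanted = g["hidden"] + g["mft_cluster"] * g["spc"]
    if wanted >= CHS_LIMIT_SECTORS:          # beyond the threshold LBA mode is used
        return wanted, wanted
    chs = lba_to_chs(wanted, g["heads"], g["spt"])         # IPL builds CHS from BPB geometry
    return wanted, chs_to_lba(*chs, bios_heads, bios_spt)  # BIOS decodes it with its own

def constructed_boot_sector():
    """Boot sector built from the '63 $' diagnostic line (constructed sample, not a real dump)."""
    bs = bytearray(512)
    struct.pack_into("<H", bs, 0x0B, 512)               # bytes per sector
    bs[0x0D] = 8                                        # sectors per cluster
    struct.pack_into("<HHI", bs, 0x18, 63, 255, 63)     # spt, heads, hidden sectors
    struct.pack_into("<Q", bs, 0x28, 122832926)         # total sectors in volume
    struct.pack_into("<QQ", bs, 0x30, 786432, 7920041)  # $MFT and $MFTMirr clusters
    bs[510:512] = b"\x55\xaa"                           # boot signature
    return bytes(bs)

if __name__ == "__main__":
    bs = constructed_boot_sector()
    print("BIOS at 255 heads:", mft_read_target(bs, 255, 63))  # (6291519, 6291519)
    print("BIOS at 240 heads:", mft_read_target(bs, 240, 63))  # (6291519, 5922024)
```

With the BIOS mistranslating at 240 heads the IPL's CHS tuple for the $MFT resolves to a sector some 369,000 sectors short of the real one, which is why the read fails before any "missing NTLDR" repair can help; comparing the BPB geometry against what the BIOS reports is the check to run before rebuilding the MBR.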
 
Robert Green said:
> "Zvi Netiv" <support@replace_with_domain.com> wrote in message
> [snip]

> Whether file system corruption will occur depends on the persistence of the
> user. In our experience, I have seen both. This risk could be easily spared by
> doing a DIR C:\ from the console command line, before attempting anything else,
> and verifying that the directory shows no corruption signs.

Agreed. Actually I should have added the usual caveat about not
writing to a partition in an unknown state (this particular error
message definitely indicates an unknown state).

Personally, I prefer a method of reviewing the file system directly
from the recovery program while in DOS. Safer, IMO.
> For the sake of completeness, I would add that after redetecting the drive with
> the zeroed partition, the MBR should be rebuilt, if the data on the drive is to
> be recovered.

Of course. That's what they pay us for after all :-).
> See the http://tinyurl.com/amerf short thread. It demonstrates how a drive
> geometry problem evolves, and how to recover from it.

Interesting thread.
> Most drives that I see, having experienced the NTLDR missing problem, were
> victims of geometry mismatch. Yet the difference in our experiences could be due
> to us (NetZ) dealing with disaster recovery, uniquely.

Probably so. Of course my numbers are derived from the 20% of my users
who ever bother to contact me.
> Best regards, Zvi

Cheers,

Bob
 
Frank Booth Snr said:
> The webpage you refer to doesn't say that at all, regarding permanent
> corruption of your disk by trying to replace NTLDR on it. You are talking
> twaddle. The working geometry of the drive is set up by low level and high
> level formatting.

I suppose you are referring to low level formatting that was performed on MFM
drives, which were common on XT machines. These drives indeed had their geometry
set through LLF with the aid of the DEBUG utility.

In case you haven't been around for the last twenty years, newer drive
technologies have been introduced since then, which accept variable geometry set
through a procedure known as the CMOS setup. Concurrently, LLF disappeared from
the BIOS setup in the majority of BIOS brands.
> Even if a boot virus was written to the boot sector,
> writing NTLDR would not damage the disk. As long as the disk is physically
> sound, it's possible to low format it

It isn't "possible" with modern drives, and not even required.
> removing all partitions and then
> re-partition, high level format it and start downloading the system files
> again.

All that nonsense for just fixing a missing NTLDR?

Regards, Zvi
 
Zvi Netiv said:
> I suppose you are referring to low level formatting that was performed on MFM
> drives, which were common on XT machines. These drives indeed had their geometry
> set through LLF with the aid of the DEBUG utility.
>
> In case you haven't been around for the last twenty years, newer drive
> technologies have been introduced since then, which accept variable geometry set
> through a procedure known as the CMOS setup. Concurrently, LLF disappeared from
> the BIOS setup in the majority of BIOS brands.


> It isn't "possible" with modern drives, and not even required.
Is that a fact now? I suggest you try reading http://tinyurl.com/3hl3g for
starters.
> All that nonsense for just fixing a missing NTLDR?
I think you are missing my point. You and others have mentioned the various
causes of the 'ntldr missing' error. The point I was making was what I would
do as a last resort if a boot virus was a possibility and attempts to
conventionally remove it failed.
 
Frank Booth Snr said:
> [snip]
> > It isn't "possible" with modern drives, and not even required.
> Is that a fact now? I suggest you try reading http://tinyurl.com/3hl3g for
> starters.

Read the page and here is what it says:

"Important drive information (servo, sector layout, and defect management, etc.)
is stored in the low-level format at the factory. This information is designed
to last the life of the drive and therefore it is not possible to low level the
drive outside the factory. Although some drive manufacturers and BIOS provided
so-called "low level format utilities", they actually perform a write-read
verify of the drive's user data sectors, and do not actually perform a low-level
format."

Did I miss anything?
> I think you are missing my point.

I think you don't have a clue what your point is.
> You and others have mentioned the various
> causes of the 'ntldr missing' error.

.... and have been talking twaddle, in your mind. ;-)
> The point I was making was what I would
> do as a last resort if a boot virus was a possibility and attempts to
> conventionally remove it failed.

Low level format your drives as many times as you wish. Just don't offer that
nonsense to others, not even as "last resort".

Read http://tinyurl.com/c435x and learn.

Regards, Zvi
 