Norton NAV corrupted boot sector?

  • Thread starter Thread starter Todd K.
  • Start date Start date
T

Todd K.

You've seen it before. NAV gives you an alert that your boot record
has changed. You select "Repair w/ backup" (or something like that).
Next thing you know,you can't boot.

This happened to me once before, but I recovered by manually
recreating mbr records and partition tables using Partition Manager
and Mbrwork.

This time the same procedures did not work for me. I first noticed
that the directory entries on the C: drive were screwy. They all were
named with 2 or 3 strange ascii characters. About 2000 files in all.
And the directory showed them from smallest about 279K to the largest
295k. Also the dates were like from year 0013 to 0045. and
coincidentally (or not) the dates were in order with the file size.
What is going on here!?

D and E drives are fine...untouched.

Anyone ever seen anything like this?

TIA,

Todd K.
 
Todd K. said:
This happened to me once before, but I recovered by manually
recreating mbr records and partition tables using Partition Manager
and Mbrwork.

Then why? Why did you okay NAV to go ahead if you have seen it before?
This time the same procedures did not work for me. I first noticed
that the directory entries on the C: drive were screwy. They all were
named with 2 or 3 strange ascii characters. About 2000 files in all.
And the directory showed them from smallest about 279K to the largest
295k. Also the dates were like from year 0013 to 0045. and
coincidentally (or not) the dates were in order with the file size.
What is going on here!?

It is likely that the boot sector for the c: partition is damaged. You would
need to repair the boot sector. I assume NAV has 'repaired' the backup boot
sector as well (offset 6), if not, then the backup boot sector can be used
to fix the situation. If the backup boot sector is affected as well, you'd
need to recreate a boot sector from scratch by figuring out the location of
FATs, the size of the FATs, cluster size etc.

DiskPatch can help verify if the backup boot sector is intact or not, and if
not to re-create a bootsector from scratch. The demo will not actually write
the corrected boot sector to disk but can be used to determine if DiskPatch
is likely to fix the problem.

Kind regards,

--
Joep

D I Y D a t a R e c o v e r y . N L - Data & Disaster Recovery Tools

http://www.diydatarecovery.nl
http://www.diydatarecovery.com

Please include previous correspondence!

DiskPatch - MBR, Partition, boot sector repair and recovery.
iRecover - FAT, FAT32 and NTFS data recovery.
MBRtool - Freeware MBR backup and restore.
 
http://service1.symantec.com/SUPPORT/nav.nsf/pfdocs/2000022417583906?Open

Changes made by a software application like Partition Magic or similar can
cause the above. Installation of a boot manager will do the same. In each
case, the change is expected should be chosen.

http://service1.symantec.com/SUPPORT/nav.nsf/pfdocs/2002012214295206?Open

http://service1.symantec.com/SUPPORT/nav.nsf/pfdocs/2003050712261806?Open

Yes, I've seen this before numerous times. Once, I made the mistake you've
noted with a previous version of NAV which did not have an undo. Removable
media image backups come in very handy in this situation. Boot sector virii
are rare unless you share media such as floppy or other type diskettes.
Dave
 
You've seen it before. NAV gives you an alert that your boot record
has changed. You select "Repair w/ backup" (or something like that).
Next thing you know,you can't boot.

That archaic "feature" of NAV should simply not be used!
This happened to me once before, but I recovered by manually
recreating mbr records and partition tables using Partition Manager
and Mbrwork.

That approach may work when only the MBR is changed, and/or the changes in the
boot sector were minor and insignificant. Obviously not that lucky.
This time the same procedures did not work for me. I first noticed
that the directory entries on the C: drive were screwy. They all were
named with 2 or 3 strange ascii characters. About 2000 files in all.
And the directory showed them from smallest about 279K to the largest
295k. Also the dates were like from year 0013 to 0045. and
coincidentally (or not) the dates were in order with the file size.
What is going on here!?

The boot sector of the first partition (C:) was replaced with one that doesn't
belong there.
D and E drives are fine...untouched.

Anyone ever seen anything like this?

Many times. To recover from that condition, it's important that no change to C:
is done, since every data manipulation on the *apparently* corrupted partition
may perpetuate the damage.

From the fact that the higher partitions are intact, one may deduce that the MBR
is intact too (D and E are on the same physical drive as C, right?), and only
the boot sector got messed up.

A tool for automatic recovery of a FAT32 boot sector from its mirror is IVINIT,
from http://resq.co.il/iv_tools.php

If the above doesn't do the trick (like when the faulty boot sector was already
mirrored), then RESQDISK /NEWBOOT /FAT32 will do it. From
http://resq.co.il/resq.php

Remember to disable NAV's boot inoculate when up and running again.

Regards, Zvi
 
Back
Top