MBR is damaged
The Master Boot Record (MBR) is created when you create the first partition on the hard disk. It is a very important data structure on the disk. The Master Boot Record contains the Partition Table for the disk and a small amount of executable code for the boot start. Its location is always the first sector on the disk.
The first 446 (0x1BE) bytes are the MBR itself, the next 64 bytes are the Partition Table, and the last two bytes in the sector are a signature word for the sector and are always 0x55AA.
For our disk layout, the MBR is:
Physical Sector: Cyl 0, Side 0, Sector 1
000000000 33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C 3.....|.P.P....|
000000010 BF 1B 06 50 57 B9 E5 01 F3 A4 CB BE BE 07 B1 04 ...PW...........
000000020 38 2C 7C 09 75 15 83 C6 10 E2 F5 CD 18 8B 14 8B 8,|.u...........
000000030 EE 83 C6 10 49 74 16 38 2C 74 F6 BE 10 07 4E AC ....It.8,t....N.
000000040 3C 00 74 FA BB 07 00 B4 0E CD 10 EB F2 89 46 25 <.t...........F%
000000050 96 8A 46 04 B4 06 3C 0E 74 11 B4 0B 3C 0C 74 05 ..F...<.t...<.t.
000000060 3A C4 75 2B 40 C6 46 25 06 75 24 BB AA 55 50 B4 :.u+@.F%.u$..UP.
000000070 41 CD 13 58 72 16 81 FB 55 AA 75 10 F6 C1 01 74 A..Xr...U.u....t
000000080 0B 8A E0 88 56 24 C7 06 A1 06 EB 1E 88 66 04 BF ....V$.......f..
000000090 0A 00 B8 01 02 8B DC 33 C9 83 FF 05 7F 03 8B 4E .......3.......N
0000000A0 25 03 4E 02 CD 13 72 29 BE 46 07 81 3E FE 7D 55 %.N...r).F..>.}U
0000000B0 AA 74 5A 83 EF 05 7F DA 85 F6 75 83 BE 27 07 EB .tZ.......u..'..
0000000C0 8A 98 91 52 99 03 46 08 13 56 0A E8 12 00 5A EB ...R..F..V....Z.
0000000D0 D5 4F 74 E4 33 C0 CD 13 EB B8 00 00 00 00 00 00 .Ot.3...........
0000000E0 56 33 F6 56 56 52 50 06 53 51 BE 10 00 56 8B F4 V3.VVRP.SQ...V..
0000000F0 50 52 B8 00 42 8A 56 24 CD 13 5A 58 8D 64 10 72 PR..B.V$..ZX.d.r
000000100 0A 40 75 01 42 80 C7 02 E2 F7 F8 5E C3 EB 74 49 .@u.B......^..tI
000000110 6E 76 61 6C 69 64 20 70 61 72 74 69 74 69 6F 6E nvalid partition
000000120 20 74 61 62 6C 65 00 45 72 72 6F 72 20 6C 6F 61  table.Error loa
000000130 64 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73 ding operating s
000000140 79 73 74 65 6D 00 4D 69 73 73 69 6E 67 20 6F 70 ystem.Missing op
000000150 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 00 erating system..
000000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000180 00 00 00 8B FC 1E 57 8B F5 CB 00 00 00 00 00 00 ......W.........
000000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000001A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000001B0 00 00 00 00 00 00 00 00 A6 34 1F BA 00 00 80 01 .........4......
0000001C0 01 00 07 FE 7F 3E 3F 00 00 00 40 32 4E 00 00 00 .....>?...@2N...
0000001D0 41 3F 06 FE 7F 64 7F 32 4E 00 A6 50 09 00 00 00 A?...d.2N..P....
0000001E0 41 65 0F FE BF 4A 25 83 57 00 66 61 38 00 00 00 Ae...J%.W.fa8...
0000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............U.
What will happen if the first sector has been damaged (by a virus, for example)?
Let's overwrite the first 16 bytes with zeros.
000000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000010 BF 1B 06 50 57 B9 E5 01 F3 A4 CB BE BE 07 B1 04 ...PW...........
When we try to boot, after the hardware testing procedures we see just a blank screen without any messages. This means the piece of code at the beginning of the MBR could not be executed properly. That's why even error messages could not be displayed.
However, if we boot from a floppy, we can see the FAT partition and the files on it, and we are able to perform standard operations like file copy, program execution...
This happens because in our example only the part of the MBR that allows the system to boot properly has been damaged. The partition table is intact, so we can access our drives when we boot from an operating system installed on another drive.
What will happen if the sector signature (last word 0x55AA) has been removed or damaged?
Let's write zeros to the location of the sector signature.
Physical Sector: Cyl 0, Side 0, Sector 1
0000001E0 41 65 0F FE BF 4A 25 83 57 00 66 61 38 00 00 00 Ae...J%.W.fa8...
0000001F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
When we try to boot now, we see an error message like "Operating System not found".
Thus the first thing to do if the computer does not boot is to run Disk Viewer and check whether the first physical sector on the HDD looks like a valid MBR:
- check whether it is filled with zeros or any other single character
- check whether the error messages (such as "Invalid partition table", which you can see above) are present
- check whether the sector signature (0x55AA) is present
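The three checks listed above, together with the active-partition condition and the MBR backup mentioned elsewhere on this page, can be run over a saved copy of the first sector. The following is an added Python example, not code from the original page or from any vendor's tool; the partition-table bytes are copied from the dump above, the boot code in the sample sector is a constructed placeholder, and all function names are hypothetical.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # 0x1BE: boot code, then 64-byte table, then signature
SIGNATURE = b"\x55\xaa"      # on-disk byte order of the last two bytes
# Messages embedded in the boot code of the dump above; other boot loaders differ.
BOOT_STRINGS = (b"Invalid partition table",
                b"Error loading operating system",
                b"Missing operating system")
# The 64 partition-table bytes (offsets 0x1BE-0x1FD) copied from the dump above.
PAGE_TABLE = bytes.fromhex(
    "80010100 07FE7F3E 3F000000 40324E00 "
    "0000413F 06FE7F64 7F324E00 A6500900 "
    "00004165 0FFEBF4A 25835700 66613800 "
    + "00" * 16)

def build_sample():
    """Constructed sample sector: placeholder boot code carrying the three
    messages, the page's partition table, and a valid signature."""
    code = (b"\x90" * 16 + b"\x00".join(BOOT_STRINGS)).ljust(BOOT_CODE_LEN, b"\x00")
    return code + PAGE_TABLE + SIGNATURE

def parse_partitions(sector):
    """Decode the non-empty 16-byte partition entries starting at offset 0x1BE."""
    entries = []
    for i in range(4):
        raw = sector[BOOT_CODE_LEN + 16 * i:BOOT_CODE_LEN + 16 * (i + 1)]
        # status, 3 CHS bytes, type, 3 CHS bytes, start LBA, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:
            entries.append({"index": i, "active": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries

def check_mbr(sector):
    """Return a list of findings; an empty list means the checks passed."""
    if len(sector) != SECTOR_SIZE:
        return ["not a 512-byte sector"]
    findings = []
    if len(set(sector)) == 1:
        findings.append("filled with single byte 0x%02X" % sector[0])
    if not any(s in sector[:BOOT_CODE_LEN] for s in BOOT_STRINGS):
        findings.append("boot code messages missing")
    if sector[510:] != SIGNATURE:
        findings.append("signature 55 AA missing")
    if sum(p["active"] for p in parse_partitions(sector)) != 1:
        findings.append("no single active partition")
    return findings

def boot_code_digest(sector):
    """SHA-256 of the boot code area, for comparison against an MBR backup."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

if __name__ == "__main__":
    good = build_sample()
    print(check_mbr(good), parse_partitions(good))
    print(check_mbr(good[:510] + b"\x00\x00"))
```

The "first 16 bytes zeroed" case from this page passes all three visual checks, which is why the digest comparison against a known-good backup is included.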
The simplest way to repair or re-create the MBR is to run Microsoft's standard utility FDISK with the /MBR parameter, like
A:\> FDISK.EXE /MBR
FDISK is a standard utility included in MS-DOS, Windows 95, 98, ME.
If you have Windows NT / 2000 / XP, you can boot from startup floppy disks or CD-ROM, choose the repair option during setup, and run the Recovery Console. When you are logged on, you can run the FIXMBR command to fix the MBR.
You can also use third-party MBR recovery software or, if you have created an MBR backup, restore it from there (Active@ Partition Recovery has such capabilities).
What will happen if the first sector is bad/unreadable?
Most likely we'll get the same black screen that we got when trying to boot. When you try to read the sector using a Disk Viewer/Editor, you should get an error message saying that the sector is unreadable. In this case recovery software is unable to help you bring the HDD back to working condition, i.e. physical partition recovery is not possible.
The only thing that can be done is to scan and search for partitions (i.e. perform virtual partition recovery) and, if something is found, display them and give the user an opportunity to save important data to another location. Third-party software, like Active@ File Recovery, will help you here.
==========================
Master Boot Record (MBR) Repair
Infections in the Master Boot Record (MBR) are a tricky business, and may sometimes require a user to take additional steps to completely remove the infection.
If available, the Description of the relevant malware may provide removal details tailored to the suspect malware or specific infection scenario.
If specific removal instructions are not yet available, this page provides more general actions for repairing an infected MBR.
Automatic Disinfection
In some cases, F-Secure's security products can disinfect the MBR without further action from the user.
Alternatives
If a suspicious hidden file is detected and FSAV does not immediately remove the file, there are several actions you can perform by manually selecting one of the displayed options:
- If you don't want to do anything about the hidden item, select "None" as the action
- If you don't want to be notified about the file in the future, select "Exclude" as the action
- If you are sure the item is not part of a normal program, you can rename it by selecting "Rename" as the action. This will prevent the hidden program from starting in the future. You should use the "Rename" action very carefully, because renaming important files may break the computer.
Contact Support
In certain cases, more complex malware (e.g., rootkits) may have sufficiently altered the MBR so that regular automatic disinfection is not possible, or not fully effective.
If you suspect this is the case, you may wish to send a sample of the suspect MBR to our Labs for further analysis.
Submitting a sample of an infected MBR
For detailed instructions on how to obtain a sample of the suspect MBR for submission, please see the following Support KB Article:
Advanced: Manual MBR Repair
Note: MBR repair, if incorrectly performed, may result in additional damage; it is only advisable for advanced users.
In certain cases, a user may attempt to manually replace the suspect MBR with a clean version.
Users attempting manual data recovery and repair may want to use our free utility program, the F-Secure Rescue CD, to do so.
Additional Options
Windows includes tools to replace an infected MBR with a copy of the original, clean MBR. To do so:
- Boot into the Recovery Console.
- Depending on the operating system in question, run the appropriate command on all infected drives:
  - On Windows XP, run: fixmbr
  - On Windows 7, run: bootrec /fixmbr
=============================
Instructions
1. Run MbrFix.exe from a floppy drive, optical disk drive or USB drive and follow the on-screen instructions.
2. Check the boot order in the BIOS settings and select the optical drive as the first preference. Now insert a bootable Windows DVD into your optical disk drive and restart the PC.
3. Once the boot process is completed, you will have to set the “Language”, “Time” and “Keyboard” preferences; the best option is to leave them at their default settings and continue.
4. You will now see several options. Click on the “Repair Your Computer” option; it gives you access to the System Recovery window. Select the command prompt from here. You need the command prompt to run the Bootsect.exe utility. This utility is located inside the boot folder of Windows, so you need to change your current directory to the boot folder. The syntax to change the directory is “CD [/D] [drive:][path]”.
5. Now execute “bootsect /nt60 C:” (without the quotes), assuming that you had Windows 7 installed on the C: drive. This will repair your Windows partition. Eject your Windows DVD and restart your computer.
Your Windows will now boot normally.
Read more at: How to Repair Corrupted Master Boot Record (MBR) on Windows 7 http://www.stepbystep.com/how-to-repair-corrupted-master-boot-record-mbr-on-windows-7-1249/
=============================
Instructions
- Insert the Windows 7 installation DVD and boot from your DVD drive. You may have to change the boot order through system BIOS to boot from your DVD.
- Choose your default "Language," "Time" and "Keyboard Input" on the first window and click "Next."
- Click on the "Repair Your Computer" option to gain access to the System Recovery window.
- Choose "Command Prompt" to run the Bootsect.exe utility. Bootsect is located inside the boot folder, so change your directory to boot.
- Run "bootsect /nt60 C:\" (without quotes) if you had Windows 7 initially installed in the C partition. Alternatively, you can run "bootsect /nt60 SYS" or "bootsect /nt60 ALL" (without quotes) to repair the system partition or all partitions.
- Eject the DVD and restart your computer. Your computer should now boot Windows 7 again.
=============================
Author: Systemintegrasjon AS
Version: 1.3.0.0 File Date: 8/5/2009 Number of Downloads: 291601 File size: 136 K
File Description:
Tool to fix or create the Master Boot Record (MBR) on hard disks, for instance when using Windows PE. Available in an x64 edition as well as the 32-bit edition.
Now with support for Windows Vista and Windows 7 MBRs!
The new version has some new, cool features, like creating DOS boot sectors, changing partition types, etc!
=============================
Although the bcdedit tool turns out, on second glance, to be less unwieldy to use than it first appears, it cannot cover every task needed to get a system that no longer starts running again. If, for example, the boot store is corrupt, no partition is active, or there is no valid Master Boot Record (MBR), it does not fix such errors. It is only responsible for configuring the systems to be started, on the assumption that everything else around them is already in order.
Stages of booting: MBR, boot manager, operating system
The cause is the long-established boot technique on BIOS-based computers, which even modern operating systems cannot change, since they are not yet running at that point. After power-on, the PC first reads the first 512 bytes of the first hard disk and then knows the partitions present on it as well as the sector address of a boot loader, to which it jumps and whose code it executes.
On Windows since NT, this results in the boot manager being called. In current Windows versions this is the program bootmgr, at a physically fixed position on the active partition, which is usually hidden. It reads the boot store \Boot\BCD on this partition and presents the resulting selection of bootable operating systems as a boot menu.
If there is nothing to choose from, for example because there is only one OS on the computer and the user has not pressed ‹F8›, none of this is visible. Before Windows Vista/Windows Server 2008 the program was called ntldr; it evaluated the text file boot.ini and built the boot menu from it.
In a sense, each of these is already a rudimentary operating system: after all, it can display information, accept input and process it. Multi-stage booting, however, also has several sources of error, one at each stage:
- the MBR can be invalid, meaning it does not contain the address of a valid boot loader,
- there is no bootmgr program on the active partition, for example because an old Windows installation has written ntldr over it again,
- bootmgr cannot read the boot store \Boot\BCD because it has been damaged,
- no partition is active, which is a problem for Windows. Other operating systems such as Linux do not evaluate the "active" attribute and do not need it.
Repair with diskpart and bootrec
Under WinRE, the automatic Startup Repair generally does a really good job of detecting and fixing these 4 problems. If it does not, 2 tools remain on the WinRE command line for tackling the problem manually: diskpart and bootrec.
- If the MBR is invalid, the command bootrec /FixMbr repairs it,
- bootmgr is restored by bootrec /FixBoot,
- bootrec /RebuildBcd builds a completely new boot store, then scans for Windows installations and offers to add them to the boot store. If the boot store itself is in order and you only want to add missing entries manually, bootrec /ScanOs offers a non-writing mode in which the systems found during the scan are only listed.
- That the error is due to a missing "active" attribute can be recognized by the bootrec commands of items 2 and 3 returning the error "Element not found". In this case, call diskpart and use the command sequence
select disk 0
select partition 1
active
exit
to mark, for example, the first partition of the first hard disk as active.