
C: drive inaccessible


Stephan Piel

Oct 31, 1998, 3:00:00 AM

My computer (which runs Win95) is failing to boot on its own,
it just freezes up. So I booted to a floppy disk and got
the A: prompt, but when I tried to access the C: drive
I got a message saying it is an invalid drive. I then
booted the computer using the Norton Anti-Virus emergency
disks. Norton found a virus and I got the following
message:

Master boot record of drive 0 is
infected with the Bloodhound.MBR virus.

When Norton tried to fix the virus it failed, giving
me a message that it couldn't access the C: drive.

I called my PC's tech support line and they told me to
use their kit which will reformat the harddrive and
reinstall Win95. However, I have some very important
data on the HD which I need to get at. Does anybody know
how I can access the C: drive so I can transfer that
data to a floppy disk?

Any replies would be greatly appreciated, thanks
in advance.


sp...@dolphin.upenn.edu

Robert Moir

Oct 31, 1998, 3:00:00 AM
[posted and mailed]
Quite frankly, the tech support line for your computer is staffed by idiots.
Formatting a drive is never a good idea to cure a computer virus, it's
somewhat akin to having your arm removed because you sprained your thumb.
Also, some computer viruses can survive a format. Assuming that you told
them and us the same information there is no way they could have judged if
this approach to virus disinfection would help in your case or not.

Now as to how we can fix your problem. I'm not a NAV user so perhaps someone
who knows a little more about that product can give you specific help in
that direction, but I believe that when it reports the "bloodhound" virus it
is saying "there is something here that looks and smells like a virus to me,
but if it is a virus, then it's not one I know."
Are the files on your emergency disk up to date? New viruses are released on
a regular basis, and as such, all the big A-V companies release updates to
their scanners quite often too. If your files for NAV are not up to date,
perhaps you can download updated ones for your emergency disk and try
scanning with it again? - I'm not sure how you'd go about this exactly, not
being a NAV user. Perhaps one of the other members of the group could step
in here?

The other alternative, and it may well be faster, is to download an
evaluation copy of another A-V product, and follow the instructions that
come with that to make an emergency scanner disk with that product.

Try downloading one of the following products. They are all ones I've used
in the past and can vouch for them in these kinds of situations. I'm sure at
least one of them will sort your problem out for you.

Dr Solomons - www.drsolomons.com
AVP - www.avp.com
F-Prot - www.complex.is

Hope this helps...
Regards
Robert Moir, Microsoft MVP
My Homepage - members.xoom.com/Robert_Moir
=@==@==@==@==@==@==@==@==@==@==@==@==@==@==@==@=
Stephan Piel wrote in message <71fkqm$7iv$1...@netnews.upenn.edu>...

Jeremy Brooks

Nov 1, 1998, 3:00:00 AM
Hey up, Stephan.

NAV is saying that it thinks that you have a new, undetected boot sector
virus on the hard drive.

Try scanning it with a decent scanner. (Dr Solomon; F-Prot; AVP). What, if
any, virus is detected? __________

Are you using a Win95 (OSR2 FAT32 aware diskette to access drive C:)? ______

What messages (if any) are displayed on booting the machine? _______________

Are you running a DDO (like Microhouse/EZ-drive) to access the hard disk ?
______________

Did your disk say anything like "ravage & murphy is wiping data"? __________

Answers to the foregoing questions will help.

If you need your data, please do not run MS ShagDisk or NDDestroyer. Repost,
or send me a mail.

Jem

Robert Green

Nov 1, 1998, 3:00:00 AM
sp...@dolphin.upenn.edu (Stephan Piel) wrote:

>
>My computer (which runs Win95) is failing to boot on its own,
>it just freezes up. So I booted to a floppy disk and got
>the A: prompt, but when I tried to access the C: drive
>I got a message saying it is an invalid drive. I then
>booted the computer using the Norton Anti-Virus emergency
>disks. Norton found a virus and I got the following
>message:
>
> Master boot record of drive 0 is
> infected with the Bloodhound.MBR virus.

Bloodhound.MBR is NAV's generic term for an unknown boot sector virus
which has been detected by heuristics. This report sometimes turns out
to be a false alarm, but given the coincidence with loss of access to
your HDD, you probably do have a virus here. Apparently, a poorly
designed one :-).

There is a multipartite virus which recently has been in the wild
which can give this symptom (Baphomet, aka TD, ENUNS, etc.).

>When Norton tried to fix the virus it failed, giving
>me a message that it couldn't access the C: drive.
>
>I called my PC's tech support line and they told me to
>use their kit which will reformat the harddrive and
>reinstall Win95.

Bad advice.

> However, I have some very important
>data on the HD which I need to get at. Does anybody know
>how I can access the C: drive so I can transfer that
>data to a floppy disk?
>
>Any replies would be greatly appreciated, thanks
>in advance.

There are a couple of ways to approach this. The first and easiest is
to try another scanner product or two on the chance that one of them
has this virus in its database and can remove it. (BTW, are you using
the most recent NAV definitions? If not, you should update)

Try the AVP and F-PROT DOS command line scanners. You can get them at
www.avp.com and www.complex.is.

Make a clean boot disk on an uninfected machine. Copy HIMEM.SYS to the
boot disk and create a CONFIG.SYS file containing the lines:

DEVICE=HIMEM.SYS
DOS=HIGH

For AVP, copy the files AVP*.* and *.AVC to a second disk. Boot your
computer from the clean boot disk, then from the AVP disk run the
command: AVPLITE C: /-.

For F-PROT copy the files F-PR0T.EXE, ENGLISH.TX0, and SIGN.DEF to a
second disk. The command line should be F-PROT C: /disinf.

If this approach doesn't work, reply back and I or someone will walk
you through a manual repair.

Bob
rgr...@avana.net

Yuri Yanovich

Nov 1, 1998, 3:00:00 AM
Robert Green at address rgr...@avana.net said...

Actually Robert you need:

avp.key
avplite.exe
avp.ovl
avp.lng
*.avc
avp.set

Yuri.

--
=============================================
Central Command Inc. AntiViral Toolkit Pro
http://www.avp.com sa...@avp.com
Virus Protection Specialists
-> Free Evaluation Software on Web Site <-
=============================================

Claudiu

Nov 1, 1998, 3:00:00 AM
On some boot viruses the next method works:

Boot up from a clean disk where you have FDISK.EXE.
Then type FDISK /M.

This will replace the MBR with a clean one.

If this doesn't work reply to the message.

Axel Pettinger

Nov 1, 1998, 3:00:00 AM
Robert Green wrote:
>
[snip]

> For F-PROT copy the files F-PR0T.EXE, ENGLISH.TX0, and SIGN.DEF to a
> second disk. The command line should be F-PROT C: /disinf.

Hi Bob,

It's the second time that I see such advice from a Robert within a
short time (last advice was in French). So I have to reply now ... ;)

F-Prot still needs the file "Macro.def" and will *not* work without it!
Alternatively you can copy the file "Nomacro.def" from
ftp://ftp.complex.is/pub to the floppy to prevent F-Prot from scanning for
macro viruses.

Regards,
Axel Pettinger

Zvi Netiv

Nov 1, 1998, 3:00:00 AM
sp...@dolphin.upenn.edu (Stephan Piel) wrote:

> My computer (which runs Win95) is failing to boot on its own,
> it just freezes up. So I booted to a floppy disk and got
> the A: prompt, but when I tried to access the C: drive
> I got a message saying it is an invalid drive. I then
> booted the computer using the Norton Anti-Virus emergency
> disks. Norton found a virus and I got the following
> message:

> Master boot record of drive 0 is
> infected with the Bloodhound.MBR virus.

> When Norton tried to fix the virus it failed, giving

> me a message that it couldn't access the C: drive.

> I called my PC's tech support line and they told me to
> use their kit which will reformat the harddrive and

> reinstall Win95. However, I have some very important


> data on the HD which I need to get at. Does anybody know
> how I can access the C: drive so I can transfer that
> data to a floppy disk?

> Any replies would be greatly appreciated, thanks
> in advance.

Regardless of whether this is a virus doing, or just some mess with the MBR,
you can try ResQdisk to both assess the problem, and to regain access to the
hard drive.

Available from the sites in my signature.

Regards, Zvi
---------------------------------------------------------------------
NetZ Computing Ltd. Israel Developer & Producer of InVircible & ResQ
Download Sofware, Support, Online Registration: http://InVircible.com
US Mirror: http://www.NetZComp.com Personal e-mail: ne...@actcom.co.il
Voice +972 3 938 6868, +972 52 494 017 (cellular) Fax +972 3 938 6869
---------------------------------------------------------------------

Robert

Nov 1, 1998, 3:00:00 AM
In article <363CADA3...@stud-mailer.uni-marburgVIRUS.de>, Axel
Pettinger <a...@stud-mailer.uni-marburgVIRUS.de> wrote

>Robert Green wrote:
>>
>[snip]
>> For F-PROT copy the files F-PR0T.EXE, ENGLISH.TX0, and SIGN.DEF to a
>> second disk. The command line should be F-PROT C: /disinf.
>
>Hi Bob,
>
>It's the second time that I see such advice from a Robert within a
>short time (last advice was in French). So I have to reply now ... ;)
Mea Culpa

>
>F-Prot still needs the file "Macro.def" and will *not* work without it!
>Alternatively you can copy the file "Nomacro.def" from
>ftp://ftp.complex.is/pub to the floppy to prevent F-Prot from scanning for
>macro viruses.
>
Axel is, of course, right and I should have mentioned MACRO.DEF in my
advice to Michel Janray - this error has now been corrected
--
Robert F-Prot is available from http://www.complex.is
Dr Solomon's is still at http://www.drsolomon.com
AVP in Europe is at http://www.avp.ch
Elsewhere http://www.avp.com or http://www.avp.tm

Robert Green

Nov 1, 1998, 3:00:00 AM

yu...@avp.com (Yuri Yanovich) writes:

[snip quote of my earlier post]

> Actually Robert you need:
>
> avp.key
> avplite.exe
> avp.ovl
> avp.lng
> *.avc
> avp.set

And the way I wrote it (avp*.* and *.avc), that's what you get,
plus avp.exe. The original poster had no problem obtaining and
running the program. Unfortunately, he had already taken advice to
use FDISK /MBR, so neither AVP nor F-PROT found anything, of course.
And he still can't access the C: partition, the partition table
is corrupt (gets an "Invalid partition table" error, which means,
literally, that an invalid active byte was found in a partition
record).

I have recommended to him that he back up track 0 with Zvi's
RESQDISK, and send it to me. If a virus is actually involved in
this, hopefully, it left a clear copy of the MBR laying around, and
we can use that to restore access to the partition.

Bob

so...@fedz.org

Nov 2, 1998, 3:00:00 AM
bloodhound.mbr is an alert to a possible unknown virus on your system. What
is recommended that you do is, on another computer if possible, install NAV if
it hasn't been already, run the live update to update your virus definitions,
once you have done that create a rescue disk set from this (uninfected)
computer, then ensure the rescue disks are write protected, then attempt to
use them on this pc, and that should obliterate the virus at that point. If
the virus still can not be repaired I would try to call The NAV virus hotline
(541)-9-virus-9

They'll most likely either instruct you on how to repair it or on how to
submit a virus sample.


In article <71fkqm$7iv$1...@netnews.upenn.edu>,


sp...@dolphin.upenn.edu (Stephan Piel) wrote:
>
> My computer (which runs Win95) is failing to boot on its own,
> it just freezes up. So I booted to a floppy disk and got
> the A: prompt, but when I tried to access the C: drive
> I got a message saying it is an invalid drive. I then
> booted the computer using the Norton Anti-Virus emergency
> disks. Norton found a virus and I got the following
> message:
>
> Master boot record of drive 0 is
> infected with the Bloodhound.MBR virus.
>
> When Norton tried to fix the virus it failed, giving
> me a message that it couldn't access the C: drive.
>
> I called my PC's tech support line and they told me to
> use their kit which will reformat the harddrive and
> reinstall Win95. However, I have some very important
> data on the HD which I need to get at. Does anybody know
> how I can access the C: drive so I can transfer that
> data to a floppy disk?
>
> Any replies would be greatly appreciated, thanks
> in advance.
>

> sp...@dolphin.upenn.edu
>
>


--

*Hey, can i help it if i can't mind my own business?*
soop/matt
so...@fedz.org


de...@my-dejanews.com

Nov 2, 1998, 3:00:00 AM
In article <71fkqm$7iv$1...@netnews.upenn.edu>,
sp...@dolphin.upenn.edu (Stephan Piel) wrote:
>
> My computer (which runs Win95) is failing to boot on its own,
> it just freezes up. So I booted to a floppy disk and got
> the A: prompt, but when I tried to access the C: drive
> I got a message saying it is an invalid drive. I then
> booted the computer using the Norton Anti-Virus emergency
> disks. Norton found a virus and I got the following
> message:
>
> Master boot record of drive 0 is
> infected with the Bloodhound.MBR virus.
>
> When Norton tried to fix the virus it failed, giving
> me a message that it couldn't access the C: drive.
>
> I called my PC's tech support line and they told me to
> use their kit which will reformat the harddrive and
> reinstall Win95. However, I have some very important
> data on the HD which I need to get at. Does anybody know
> how I can access the C: drive so I can transfer that
> data to a floppy disk?
>
> Any replies would be greatly appreciated, thanks
> in advance.
>
> sp...@dolphin.upenn.edu
>
>

Well, from my own experience I know that Norton Antivirus is not very good. I
use f-prot and I've never had any problems in removing viruses. You can
download a free copy from www.complex.is. My guess is that you have the stone
virus (this is the only virus that I know that screws up your hard drive).
Good luck, and I hope this helps (I read the f-prot documentation and it said
that it can restore your hard drive)

jscrego@ran2

Nov 2, 1998, 3:00:00 AM
Stephan Piel wrote:

>... [Norton found a virus and I got the following


>message:
>
> Master boot record of drive 0 is
> infected with the Bloodhound.MBR virus.
>
>When Norton tried to fix the virus it failed, giving
>me a message that it couldn't access the C: drive.


... and that's called an antivirus!!!

Please, go to
http://www.geocities.com/SiliconValley/Haven/9955/
and download segur, a free antivirus for boot &
mbr viruses.

If you use win-95, reboot in ms-dos mode & execute
'segur.exe'. Look for your original mbr using port
access, store it in a file named 'mbr.dat' and then
restore it... all through ports.

Boot again and your pc will then be alright...

If you have not understood anything, read
the help file (segur.txt) first.

Jose A. Sobrino Crego

Robert Green

Nov 3, 1998, 3:00:00 AM
Axel Pettinger <a...@stud-mailer.uni-marburgVIRUS.de> wrote:

>Robert Green wrote:
>>
>[snip]
>> For F-PROT copy the files F-PR0T.EXE, ENGLISH.TX0, and SIGN.DEF to a
>> second disk. The command line should be F-PROT C: /disinf.
>
>Hi Bob,
>
>It's the second time that I see such advice from a Robert within a
>short time (last advice was in French). So I have to reply now ... ;)

Two different Roberts. The other one is Robert Hull.

>F-Prot still needs the file "Macro.def" and will *not* work without it!
>Alternatively you can copy the file "Nomacro.def" from
>ftp://ftp.complex.is/pub to the floppy to prevent F-Prot from scanning for
>macro viruses.

Oops :-)

Thank you, Axel.

Bob

Robert Green

Nov 3, 1998, 3:00:00 AM
"Robert Green" <rgr...@avana.net> wrote:

>sp...@dolphin.upenn.edu (Stephan Piel) wrote:
>
>>
>>My computer (which runs Win95) is failing to boot on its own,
>>it just freezes up. So I booted to a floppy disk and got
>>the A: prompt, but when I tried to access the C: drive
>>I got a message saying it is an invalid drive. I then
>>booted the computer using the Norton Anti-Virus emergency

>>disks. Norton found a virus and I got the following


>>message:
>>
>> Master boot record of drive 0 is
>> infected with the Bloodhound.MBR virus.
>

>Bloodhound.MBR is NAV's generic term for an unknown boot sector virus
>which has been detected by heuristics. This report sometimes turns out
>to be a false alarm, but given the coincidence with loss of access to
>your HDD, you probably do have a virus here. Apparently, a poorly
>designed one :-).
>
>There is a multipartite virus which recently has been in the wild
>which can give this symptom (Baphomet, aka TD, ENUNS, etc.).

Here's how this one resolved:

Stephan followed advice from someone to try FDISK /MBR, after which he
received an "Invalid partition table" error, since the virus had
overwritten the partition table.

At that point he made a track 0 backup with ResQdisk and sent it to
me. I found the following things of interest on his track 0:

CHS

0,0,1   MBR with corrupt part table
0,0,2   apparent clean copy of original MBR
0,0,3   virus fragment
0,0,4   virus fragment
0,0,7   apparent clean copy of MBR (possibly a relic from an earlier infection).

Of course, the part of the virus occupying the MBR sector had been
overwritten, but from the fragments remaining and other behavior
reported by Stephan (HSFLOP.PDR deleted) this much can be said about
it:

It's a multipartite. Hooks int 21 and intercepts the EXEC function. The
infection routine hooks int 24 (critical error handler) and int 3,
then uses calls to its int 3 handler to perform the busy work of
infection. There may be a payload - the virus makes an int 16 call and
dinks around with some ports, but I didn't have time to look closely.
The virus also uses a great deal of anti-heuristic mis-direction.
There were no text strings in the clear.

So it's not Baphomet (TD.1586), which was my guess, though it does
share some behaviors and some code with Baphomet and may be a new
variant of it.

Interestingly, the two clean copies of the MBR each defined a FAT32
type "c" partition with the same geometry, except that the MBR from
0,0,7 shows a value for the partition size 32 sectors less than did
the copy at 0,0,2. Beats me, though there would be at least one
consequence if the wrong partition size were used: the active
partition's boot code would not be able to recognize that the
partition was LBA-enabled. Whether this carries over to the OS itself,
I don't know.

I can only think of one reason why a virus would change the value of
that field (if that's what happened), which would be to complicate
disinfection, since at least some scanners compare that value to the
partition size in the BPB as a sanity check.

At any rate, I recommended to Stephan a procedure to replace the MBR
that involved comparing the MBR copies' partition size with the "huge
number of total sectors" field in the partition boot sector's BPB.

He didn't say which one he wound up using, but he did regain access to
the partition. A subsequent scan of the partition with AVP and F-PROT
did not turn up any viruses, though he may well still be infected.

If any AV wants the virus fragments (Yuri?) I'll be happy to send
them. Of course, it's not a complete sample.

As a last shot, I may take a string and suggest to Stephan a file
search using IVX, since he already has all of the InVircible files
on hand.

Bob
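
The comparison described in the post above (each MBR copy's partition size checked against the BPB's 32-bit total-sectors field), as an added example that is not part of the original thread. It also checks the active byte behind the "Invalid partition table" error and whether the entry's start sector matches the BPB hidden-sectors field; all sector contents are constructed, and which copy matches here is arbitrary.

```python
import struct

SECTOR = 512
FAT32_TYPES = (0x0B, 0x0C)  # 0x0C is the FAT32 LBA type "c" named in the post

def parse_mbr(sector):
    """Validate one candidate MBR sector; return (problems, partition entries)."""
    problems, entries, active = [], [], 0
    if len(sector) != SECTOR:
        return ["not a 512-byte sector"], entries
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 55 AA signature")
    for i in range(4):
        raw = sector[446 + 16 * i:462 + 16 * i]
        boot, ptype = raw[0], raw[4]
        start, size = struct.unpack_from("<II", raw, 8)
        if boot not in (0x00, 0x80):  # the condition "Invalid partition table" reports
            problems.append(f"entry {i}: invalid active byte {boot:#04x}")
        active += boot == 0x80
        if ptype:  # type 0 means the slot is unused
            entries.append({"index": i, "type": ptype, "start": start, "size": size})
    if active > 1:
        problems.append("more than one active entry")
    return problems, entries

def parse_fat32_bpb(boot_sector):
    """Read hidden sectors (offset 0x1C) and 32-bit total sectors (offset 0x20)."""
    hidden, total = struct.unpack_from("<II", boot_sector, 0x1C)
    return {"hidden": hidden, "total": total}

def check_candidates(candidates, bpb):
    """Map each candidate label to its list of problems (empty list = consistent).

    Assumes one FAT32 partition whose boot sector supplied `bpb`.
    """
    report = {}
    for label, sector in candidates.items():
        problems, entries = parse_mbr(sector)
        for e in entries:
            if e["type"] not in FAT32_TYPES:
                continue
            if e["start"] != bpb["hidden"]:
                problems.append(f"entry {e['index']}: start {e['start']} != BPB hidden {bpb['hidden']}")
            if e["size"] != bpb["total"]:
                problems.append(f"entry {e['index']}: size {e['size']} != BPB total {bpb['total']}")
        report[label] = problems
    return report

# --- Constructed sample data (not taken from the actual track 0 backup) ---
def make_mbr(boot, ptype, start, size):
    entry = struct.pack("<B3sB3sII", boot, bytes(3), ptype, bytes(3), start, size)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

def make_boot_sector(hidden, total):
    s = bytearray(SECTOR)
    struct.pack_into("<II", s, 0x1C, hidden, total)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

SAMPLE = {
    "0,0,1": make_mbr(0x45, 0x0C, 63, 4_000_000),       # corrupt active byte
    "0,0,2": make_mbr(0x80, 0x0C, 63, 4_000_000),       # agrees with the BPB
    "0,0,7": make_mbr(0x80, 0x0C, 63, 4_000_000 - 32),  # 32 sectors short
}
SAMPLE_BPB = parse_fat32_bpb(make_boot_sector(63, 4_000_000))

if __name__ == "__main__":
    for label, problems in check_candidates(SAMPLE, SAMPLE_BPB).items():
        print(label, "consistent" if not problems else "; ".join(problems))
```
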

Tarkan Yetiser

Nov 3, 1998, 3:00:00 AM
In article <363f1632...@news.mindspring.com>, rgr...@avana.net
says...
> "Robert Green" <rgr...@avana.net> wrote:

>Interestingly, the two clean copies of the MBR each defined a FAT32
>type "c" partition with the same geometry, except that the MBR from
>0,0,7 shows a value for the partition size 32 sectors less than did

>I can only think of one reason why a virus would change the value of


>that field (if that's what happened), which would be to complicate
>disinfection, since at least some scanners compare that value to the
>partition size in the BPB as a sanity check.

Actually, the sector count can also be calculated based on the start and
end values on drives less than 8gig in size... But the obvious use for
reducing the sector count is to put the virus at the end of the partition
and mark that area off limits. Bye virus does that, but it's careful
enough to update the BPB to match.

--
Regards

Tarkan Yetiser
VDSARG
tyetiser AT vdsarg.com
http://www.vdsarg.com

Robert Green

Nov 3, 1998, 3:00:00 AM
ta...@vds.net (Tarkan Yetiser) wrote:

Yes. I hadn't thought of that. The virus in this case kept to track 0,
though.

Thanks.

Bob

Zvi Netiv

Nov 4, 1998, 3:00:00 AM
ta...@vds.net (Tarkan Yetiser) wrote:

Both Tequila and Flip (multipartites) change the number of sectors in the
MBR (Flip also changes the same in the BPB to match) and hide the relocated
MBR and virus code at the end of the partition.

The two are quite old multipartite.

Chris Stubbs

Nov 5, 1998, 3:00:00 AM
"Robert Green" <rgr...@avana.net> wrote:

>It's a multipartite. Hooks int 21 and intercepts the EXEC function. The
>infection routine hooks int 24 (critical error handler) and int 3,
>then uses calls to its int 3 handler to perform the busy work of
>infection. There may be a payload - the virus makes an int 16 call and
>dinks around with some ports, but I didn't have time to look closely.
>The virus also uses a great deal of anti-heuristic mis-direction.
>There were no text strings in the clear.

It is a new variant of Baphometh. It was posted under:

alt.2600.crackz
Crackz - Forte Agent 1.5
FAG-K.ZIP

alt.cracks,alt.2600.crackz
Crackz - WinZip 7.0 KeyGen
WINZIP.ZIP

alt.cracks,alt.2600.crackz
Anawave GRAVITY v2.x KeyGen
ME_GRAV2.ZIP

alt.2600.crackz,alt.cracks,alt.sex
CuteFTP v2.0 Keygen
CUTEFTP.ZIP

It contains the text:

Baphometh
v2
~CAD

>He didn't say which one he wound up using, but he did regain access to
>the partition. A subsequent scan of the partition with AVP and F-PROT
>did not turn up any viruses, though he may well still be infected.

It's multipartite so there are highly likely infected files. AVP doesn't
find it but F-Prot 3.03a finds it with heuristics. There's also an
extra driver available from Dr. Solomon's.

--
Chris Stubbs (stu...@sk.symxpatico.ca) Remove the x.
ICQ#:17314904
http://www.geocities.com/SiliconValley/Heights/3652

Robert Green

Nov 5, 1998, 3:00:00 AM
stu...@sk.symxpatico.ca (Chris Stubbs) wrote:

Hey, talk about service with a smile! :-) Thanks a lot, Chris, you're
on top of things, as usual.

I'll pass this along to the original poster.

BTW, in my earlier post I was confusing the total number of sectors in
the partition with the relative/hidden sectors. So, if anyone wondered
what the devil I was trying to say, just forget about it ;-).

Bob
