PowerQuest Drive Image finds virus

Discussion in 'Other PC Software' started by chameleon, 2003/03/28.

Thread Status:
Not open for further replies.
  1. 2003/03/28
    chameleon

    chameleon Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    190
    Likes Received:
    0
    Hi,

    I'm attempting a backup using PowerQuest Drive Image 2002.

    When it goes to back up my system onto a free drive, it seems to flag that there's a boot virus in my PC.

    I have Norton 2003 fully updated and its scan, along with HouseCall's, says no problem.

    Is this just a knee-jerk reaction by ChipAway within Drive Image as to something it thinks is a boot virus?

    A full scan by Norton would find it, would it not? If not, how do I be sure?

    Thanx in advance

    Randy
     
  2. 2003/03/28
    reboot

    reboot Inactive

    Joined:
    2002/01/07
    Messages:
    831
    Likes Received:
    0
    Unless you boot from DOS, Norton and Housecall cannot scan files in use, and I seriously doubt that they scan the mbr of either XP or 98.
    Why not just repair the MBR from a good boot disk, turn off the stupid Chipaway ****, and retry Drive Image?
     

  4. 2003/03/28
    chameleon

    chameleon Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    190
    Likes Received:
    0
    MBR

    "Why not just repair the MBR from a good boot disk"

    Okay, reboot,

    Nice and slow........how? No idea.
     
  5. 2003/03/28
    reboot

    reboot Inactive

    Joined:
    2002/01/07
    Messages:
    831
    Likes Received:
    0
    Boot to the XP CD, and select from the first prompt, Repair using the repair console.
    At the prompt, type: fixmbr
    Again at the prompt, type: fixboot
    Restart.

    This works, but DO NOT run "fixboot" if you are multi-booting, as it will overwrite the boot.ini and you'll "lose" your other OS.

    Actually fixboot is redundant in your case, so just run "fixmbr".
     
  6. 2003/03/28
    chameleon

    chameleon Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    190
    Likes Received:
    0
    I Give Up

    Okay, I cannot get the XP cd to boot.

    I tried boot sequences in BIOS, name it.

    Now what?

    Sorry for the hassle, but.....???????
     
  7. 2003/03/28
    reboot

    reboot Inactive

    Joined:
    2002/01/07
    Messages:
    831
    Likes Received:
    0
    The only way to get a virus/trojan out of the MBR is to do what I said, or fdisk the drive.
    If you're prepared to lose everything on the drive, then you can fdisk it using any startup disk, remove and recreate your partition(s), and reload windows.
    Have you tried setting BIOS boot sequence to CD-ROM first, and NO Other devices?
    Usually CD-ROM, HDD-0, Floppy works for me.
    You should get prompted to boot from CD, and hit "any key".
    You've got the CD in the drive beforehand? (I know that might seem silly).
     
  8. 2003/03/28
    chameleon

    chameleon Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    190
    Likes Received:
    0
    No, I never removed the HD as a boot option.

    Let me just try that real soon here, reboot.

    BRB

    (yep, disc was in) No problem for asking, buddy! ;)
     
  9. 2003/03/28
    chameleon

    chameleon Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    190
    Likes Received:
    0
    Nope!

    No deal, reboot.

    When I remove the HD as a boot option (CD ROM first, floppy second), all I get is a "Disc Boot Failure" message. "Invalid system disc" (no floppies stuck in the A drive either :D)

    So what gives? Could this whole boot virus thing be a big nothing? The system runs like a scalded dog. Always has, still does.

    Maybe leave sleeping dogs lie or what? There's something about chasing my shadow that makes me feel like I'll never catch it.

    You're the pro, man! You tell me.

    Humbly and thankfully,
    Randy
     
  10. 2003/03/28
    reboot

    reboot Inactive

    Joined:
    2002/01/07
    Messages:
    831
    Likes Received:
    0
    I'm far from Pro, but anyhow...
    If you can't get your system to boot from CD-ROM, I can't really do much more, unless...
    Two other things come to mind.
    1.) Your CD isn't bootable (pirated or "upgrade" disk?)
    2.) The trojan acts like the Chernobyl (Win95_CIH), and actually changes the BIOS.

    I guess if it works, then all should be well.

    Last option: Use the Clear CMOS tabs on the board (short them for 5 seconds with a screwdriver), then go back into BIOS and set it all back up again, and see if it will boot from CD after that.

    Stupid thought: Have you disabled the BIOS Anti-virus thingy?

    Personally, I have never seen PQ's Drive Image give that error, and it's been a workhorse in our shop for years.

    Another stupid thought, have you uninstalled DI, and reinstalled it?
     
  11. 2003/03/28
    chameleon

    chameleon Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    190
    Likes Received:
    0
    reboot,

    Thanks for all the possibilities.

    Unfortunately, I have just been called out of town for a bit here. Don't know when I'll get back here. A couple of days or so I imagine. Shall we keep reading about my life? NO!

    Cutting to the chase...........I WILL be back at this thread ASAP.

    Thanx again

    .....oh, and very much a pro in my eyes, buddy! ;)
     
  12. 2003/03/28
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    Don't know about HouseCall but Norton should catch it. Any time I make a change to the MBR, the next time I run Norton, whether a full scan or simply scanning a single file, Norton warns me of a change to the MBR and offers to restore the previous one. I would think that if your boot record has changed yours should do the same thing unless the virus does something to Norton to cause it to not see the change (don't know if this is possible or not). If you made the Norton rescue disks you should be able to boot from them and use them to restore the MBR. There's an option for it in the menu. I would give it a try. Can't hurt.
     
  13. 2003/04/02
    paul43

    paul43 Well-Known Member

    Joined:
    2002/04/24
    Messages:
    364
    Likes Received:
    0
    reboot--for us new guys--what are you referring to when you say-- MBR?
    Paul
     
  14. 2003/04/02
    chameleon

    chameleon Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    190
    Likes Received:
    0
    MBR - Master Boot Record

    I wish I had some dynamite link for you right now, paul43, but I don't. Perhaps someone else does??? Actually I could use a bit of clarification about this as well. Maybe I'll just do a simple Google search on it.

    Zander,
    I agree with you completely. Norton has often seen changes to my MBR and flagged it. I'm remembering my many reloads of 98SE and how Norton would catch it and ask me if this was expected or not. As for the rescue discs, I didn't create them so I'm out of luck. Great idea, though! Guess what I'll be creating the next time I set up from ground zero? ;)

    I'm not going to lose any sleep over this issue anymore. I have enough HD space to take Drive Image for a spin and create an image with it. I'll do that just to familiarize myself with the program.

    After the next full format, I will use it a great deal. That won't be for quite some time. For now, I kind of think Drive Image is seeing a ghost or whatever. The system is running well and no particular bug-a-boos with it. I'll leave sleeping dogs lie.

    Thank you all so very much for all your concerns and your help.

    Randy
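
Added example, not part of the original posts and not Norton's or Drive Image's actual logic: a sketch of the MBR change detection Zander describes, which also shows the layout of the Master Boot Record paul43 asks about. It splits the 512-byte sector into boot code, disk signature, partition table and the 0x55AA end marker, then reports which region differs from a saved baseline. The sample sectors, `make_sample` and all function names are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512  # the MBR is the first 512-byte sector of the disk

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into the regions a change detector cares about."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i: 462 + 16 * i]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 marks an unused slot
            parts.append({"active": entry[0] == 0x80, "type": entry[4],
                          "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
        "valid_signature": sector[510:512] == b"\x55\xaa",
    }

def compare(baseline: bytes, current: bytes) -> list:
    """Name each MBR region that differs from the saved baseline."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not b["valid_signature"]:
        findings.append("missing 0x55AA signature")
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code changed")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature changed")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    return findings

def make_sample(boot_fill: int) -> bytes:
    """Constructed sector: filler boot code and one active NTFS partition."""
    buf = bytearray(SECTOR)
    buf[:440] = bytes([boot_fill]) * 440
    struct.pack_into("<I", buf, 440, 0x1234ABCD)   # constructed disk signature
    buf[446] = 0x80                                 # entry 0: active flag
    buf[450] = 0x07                                 # entry 0: type 0x07 (NTFS)
    struct.pack_into("<II", buf, 454, 63, 1_000_000)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)
```

A report of "boot code changed" with an unchanged partition table is what a baseline comparison shows after the boot code has been rewritten, so the finding has to be judged against whether a change was expected.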
     
  15. 2003/04/03
    chameleon

    chameleon Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    190
    Likes Received:
    0
    Change Of Plan

    WOW!

    I just took a ride on the wild side! Whew! :D

    Okay, so I search Google, high & low, all about repairing master boot records in XP. Site after site, info upon info......a lot of stuff there that looked easy but didn't work.

    Since I couldn't boot from CD no matter what, I had to access the Repair Console somehow. I tried various suggested command lines, creating a make-shift boot disc, you name it! The thing is that the more I tried to do things that should work, the more I realized that something is not well with my system. Don't ask me how to explain it all.......one just kind of knows something is wrong.

    Okay, believe it or not, the simplest thing worked in the end. I took out my set of 6 XP Setup discs and booted the PC with them. It would not boot from any other floppy no matter how well prepared it was. For instance, I could not find certain files some sites required that you have to copy to a disc to boot with. It got spooky. Kind of like as if the A drive was acting like it would never be able to read anything again, even though I have been using it like crazy all this time. Strange, missing files......inability to boot from supposedly bootable discs...that kind of thing.

    Okay, moving on, I booted via the 6 Setup discs. I got to where you choose "R" for Recovery Console. It asks for my Administrator's password to windows and it's not right! So I guess and go with no password (blank) and I'm in! I'm then asked to make a numbered choice but it doesn't tell you what numbers are what choices. I take a chance and choose #1. Bang....I'm in Windows. I ran FIXMBR from there.

    Guess what? I did have a corrupt MBR! It tells me this right off the hop. The scariest part was how it warns you that you best leave well enough alone because a "FIXMBR" may leave you with no access to your partitions. It highly recommended to leave it alone. I think, what the hay? Let's go for it. I've been in thicker places before. So what???

    YEP! Made myself a new MBR and, like reboot said, ran "FIXBOOT" while I was at it. Where's the harm? Somehow, I get out of there by typing "exit" or whatever and I'm rebooting. Fingers crossed and something else painfully puckering, it fires right up and away it goes!

    Yippee!

    Sometimes you just have to go way out there and take some chances I guess! Mind you, being as crazy as I am helps a lot. :D

    Now I'll see what Drive Image says when I run it tomorrow or something like that. I'll post back for sure as to how it all ends so you can all know.

    Thanks again,

    Please post back with your thoughts or conclusions. I'm lonely here and just need someone to write to me. :D
     
    Last edited: 2003/04/03
  16. 2003/04/03
    chameleon

    chameleon Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    190
    Likes Received:
    0
    Scary

    Scary.....

    I'm just now running a full-blown Norton Scan of my system and it doesn't find a change to my boot record! It always used to find it with 98. Trust me, my Norton 2003 is updated to the hilt. Strange stuff!

    After running Drive Image tomorrow I'll be more at ease if no corrupt MBR is found by it. I'm just worried about the possibility of something rewriting the MBR back to its corrupted self upon reboot.

    Is that a possibility? Like how some virii keep on coming at you unless they're killed off in the registry after the fix procedures are done in Windows?

    Time will tell I guess. Is it a weird bug or is Norton 2003 not so fussy about MBRs in XP? It's either one or the other, I would imagine.

    Food for thought.

    Anyone??????

    P.S. Norton's scan reported scanning Master Boot Records for the value of 2, with 0 infected. It reports scanning Boot Records for the value of 6, with 0 infected. Same old, same old.

    ??????????????????????????????????
     
    Last edited: 2003/04/03
  17. 2003/04/03
    chameleon

    chameleon Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    190
    Likes Received:
    0
    Tired of reading my posts yet? :D

    Sorry, but......

    I ran Drive Image. (couldn't wait) The same old message shows up. Something about Trend ChipAway finding a virus in the MBR. Of course, the screen says that this little ChipAway pain in the neck doesn't support this OS. I know, reboot. You told me to do away with this thing but there seems to be no way to do that. Anyhow, I just continued on, disobeying its warnings that the virus would be transferred to the image file and away it went, creating an image.

    Just so you all would know what happened. I know what I shall do next. I believe reboot asked if I did an R&R on Drive Image. I shall do that next.

    Stay tuned........even more posting yet to be done. :D
     
  18. 2003/04/03
    chameleon

    chameleon Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    190
    Likes Received:
    0
    One last time.......


    I did an R & R with Drive Image. Ran it again and same virus message. Then, I go through the 6 Setup discs for XP again to get to FIXMBR. Okay, so what it actually tells me is that my MBR is either "non-standard" or "invalid". That's what XP flags the MBR as. Sorry for not posting that earlier. I ran FIXMBR again and here I am. No problem.

    So what's going on here? I'm obviously chasing my own tail or something with this whole ordeal, aren't I? From what I posted as to what Norton sees the Master Boot Records as and what it sees the Boot Records as, does anyone understand this enough to let us all here know what's happening?

    On the more humorous side, though.....if you think I'm long-winded while posting, you should be thankful you don't actually have to speak with me. You can't get a word in edge-wise.

    Just ask Daizy. She can tell you. Getting a word in edge-wise with me is like winning a verbal debate with her. Yes.....theoretically, it's possible, but that's as far as it goes....theory. Neither one has ever actually been done by anyone to the best of my knowledge. God bless her for being so cool! ;)

    Your turns.........

    Randy
     
    Last edited: 2003/04/03
  19. 2003/04/03
    reboot

    reboot Inactive

    Joined:
    2002/01/07
    Messages:
    831
    Likes Received:
    0
    You've got to disable the Trend Chip thing. It IS in BIOS setup.
    If it's enabled, you can't change the MBR without the dire warnings, and then when you do get the MBR recovered (the long tedious way), it's going to warn you forever that something has changed it, and it's going to change it back.
    Get it disabled, and I think DI will run without problem.
    DI has to access the MBR to accurately copy an entire disk. Doing a clone without the MBR is useless, so until Trend's **** is disabled in BIOS, you're "chasing your tail", as you put it.
    I have a feeling that the version of DI that you have, doesn't know that the XP MBR is valid, which could also be part of the problem. DI is trying to write a "valid" MBR, probably using Win2k's version of the MBR, which is not quite the same as XP.
     
  20. 2003/04/03
    chameleon

    chameleon Inactive Thread Starter

    Joined:
    2002/10/09
    Messages:
    190
    Likes Received:
    0
    reboot,

    I cannot believe how I somehow had Trend active in BIOS!

    I disabled it and took DI for another spin and away it went. I stopped it after about 5%.

    So should I do the FIXMBR thing again, first, before I create the image or not? That's all I need to know now.

    Note*Just for me:

    - Is there a MS Plus! HangYourself version out yet?
    - Does it come with the rope?
    - Does the rope have to be "activated" before you can use it?
    - Any patches out for potential weak spots in the rope?

    :D :D :D :D :D

    Randy
     
  21. 2003/04/03
    reboot

    reboot Inactive

    Joined:
    2002/01/07
    Messages:
    831
    Likes Received:
    0
    Yes, repair the MBR, then image the drive.

    I told you that it was Trend in BIOS causing the problems ;)
     