
Number : 284 Date : 2001-06-26 Author : Dan Anderson Subject : Re: XXCOPY Slays MBR Virus! Size(KB) : 3
Kan, my ignorance shows and maybe some others are in the same boat. I didn't understand items 1 and 2.

"1. First, I mirrored my C onto my D using the Western Dig floppy.
2. Then, using the same floppy, I wrote zeros to the C drive. This overwrote the MBR - and everything else!"

The questions that came to mind are:

a) what Western Digital floppy allows a person to create a mirror image? I know about xxcopy's clone function, and I know about GHOST, DriveImage, and Partition Magic. Is it a similar type of software?

b) what is this business about writing zeros over everything, including the MBR? How does the MBR then get restored?

Also a word of caution ... my understanding is that the default approach that I've often seen regarding using "fdisk /mbr" will create havoc if someone is using Partition Magic. I hope someone will correct me if I'm wrong on this. I think Partition Magic stores information in a manner that is not compatible with "fdisk /mbr" and the 'backup' to the MBR that fdisk restores does not reflect partition changes under Partition Magic.

...Dan

============================
----- Original Message -----
From: Kan Yabumoto
To:
Sent: Monday, June 25, 2001 7:52 PM
Subject: [xxcopy] XXCOPY Slays MBR Virus!

> It has been a slow day here in this group. To fill the emptiness we all
> feel, let me share an Email we just received.
>
> ================================================================
>
> Here's a report from an XXCOPY user, called Paul.
>
> I thought you might appreciate hearing of yet another use for xxcopy. A
> year ago my system - and then the computer lab where I worked - caught the
> NYB virus. It took a lot of work, but eventually it was all gone. Or so I
> thought! Apparently, I failed to clean one boot floppy. And, of course, I
> used it recently.
>
> McAfee Virus Scan apparently couldn't remove it from my C drive's MBR
> entirely. But it removed enough that it was no longer active. It could no
> longer infect other drives. However, I wanted it OUT of there. Even
> Norton advised using the fdisk /mbr command, as many other sites did
> likewise. It didn't work. (My later research on Microsoft explains why:
> it won't overwrite an MBR!) I knew that the MBR stored on my Western
> Digital installation disk as backup was infected, so I couldn't use
> that. As I suspected, a simple mirroring operation onto my D drive merely
> copied the MBR with its viral body parts.
>
> What to do? A ha! The process was long, due to the quantity of data
> moving back and forth, but not difficult. (I had about 9-10 gigs stashed
> away..)
>
> 1. First, I mirrored my C onto my D using the Western Dig floppy.
> 2. Then, using the same floppy, I wrote zeros to the C drive.
>    This overwrote the MBR - and everything else!
> 3. Next, I fdisked and formatted the C drive. I changed my
>    D drive to "Master" so that my system would boot to it
>    (it had been "Active" at one time, so I didn't need to make
>    it so.) I then went into Windows Safe mode so that the
>    minimum number of drivers would be used, potentially making
>    them unavailable for copying.
> 4. Now, using the /clone switch on xxcopy from the Safe Mode
>    Windows MS-DOS box, I copied everything back to the C (now D)
>    drive. At 54MB/sec, it took a lot of time, but, more
>    importantly, it worked!
> 5. I now switched the master and slave roles again, made
>    the C drive active, and booted into Windows. A check with
>    McAfee indicated no virus!
> 6. Then, to finish the job right, the D drive was "zeroed"
>    and mirrored once again to have a perfect backup.
>
> I couldn't have done it without you. Many, many thanks!
>
> Paul
>
> =================================================================
>
> Cheers,
>
> Kan Yabumoto
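The two clean-up routes discussed in this thread differ in what they touch inside the 512-byte master boot record: the first 446 bytes hold the boot code (which is where a boot-sector virus lives), bytes 446 to 509 hold the four 16-byte partition entries, and the last two bytes are the 0x55 0xAA signature. Rewriting only the code area keeps the partition table; zeroing the whole sector, as Paul did, also wipes the table and the signature, which is why he had to fdisk and format afterwards. The Python below is an added example, not code from the thread, from XXCOPY or from Western Digital: it builds a constructed MBR image whose code area is filled with marker bytes standing in for infected code, parses it, applies both strategies, and checks the result against a stored digest of known-good boot code. The partition layout, the "clean" placeholder bytes and the marker bytes are all constructed for illustration, not real boot code or a real virus.

```python
"""Added example: parse and clean a 512-byte MBR image.

Everything here is constructed for illustration and is not XXCOPY's, Western
Digital's or the thread author's code. It contrasts rewriting only the
boot-code area (bytes 0..445, partition table kept) with zeroing the whole
sector (table and 0x55AA signature destroyed, repartitioning required).
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 446            # bytes 0..445: master boot code (where boot-sector viruses live)
TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
ENTRY_LEN = 16
SIG_OFF = 510             # bytes 510..511: 0x55 0xAA boot signature
BOOT_SIG = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
ACTIVE = 0x80

# Constructed stand-in for known-good boot code (placeholder bytes, not real x86 code).
CLEAN_CODE = b"CONSTRUCTED-CLEAN-BOOT-CODE".ljust(CODE_LEN, b"\x00")
# Constructed stand-in for infected boot code (marker bytes, not a real virus).
INFECTED_CODE = b"\xEE" * CODE_LEN


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code and up to four (active, type, lba_start, count) tuples."""
    if len(boot_code) != CODE_LEN:
        raise ValueError("boot code must be exactly %d bytes" % CODE_LEN)
    if len(partitions) > 4:
        raise ValueError("at most four primary partition entries")
    buf = bytearray(SECTOR_SIZE)
    buf[:CODE_LEN] = boot_code
    for i, (active, ptype, lba_start, count) in enumerate(partitions):
        off = TABLE_OFF + i * ENTRY_LEN
        # CHS fields are filled with 0xFF (LBA-only entry), as modern tools do.
        buf[off:off + ENTRY_LEN] = struct.pack(
            ENTRY_FMT, ACTIVE if active else 0, b"\xff\xff\xff",
            ptype, b"\xff\xff\xff", lba_start, count)
    buf[SIG_OFF:] = BOOT_SIG
    return bytes(buf)


def parse_mbr(sector):
    """Return the boot code and the non-empty partition entries; reject a sector without 0x55AA."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector" % SECTOR_SIZE)
    if sector[SIG_OFF:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        off = TABLE_OFF + i * ENTRY_LEN
        status, _, ptype, _, lba_start, count = struct.unpack(
            ENTRY_FMT, sector[off:off + ENTRY_LEN])
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "active": status == ACTIVE, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return {"code": sector[:CODE_LEN], "partitions": parts}


def boot_code_digest(sector):
    """SHA-256 of the code area only, so a partition-table edit does not change the digest."""
    return hashlib.sha256(sector[:CODE_LEN]).hexdigest()


def rewrite_boot_code(sector, new_code):
    """Replace bytes 0..445 and leave the partition table and signature untouched."""
    if len(new_code) != CODE_LEN:
        raise ValueError("replacement code must be exactly %d bytes" % CODE_LEN)
    return bytes(new_code) + sector[CODE_LEN:]


def zero_sector(sector):
    """Wipe the whole sector: code, partition table and signature are all gone."""
    return bytes(len(sector))


def cleanup_report(sector, known_good_digest):
    """Apply both strategies and compare the code area against a stored known-good digest."""
    rewritten = rewrite_boot_code(sector, CLEAN_CODE)
    zeroed = zero_sector(sector)
    try:
        parse_mbr(zeroed)
        zeroed_parses = True
    except ValueError:
        zeroed_parses = False
    return {
        "before_clean": boot_code_digest(sector) == known_good_digest,
        "after_rewrite_clean": boot_code_digest(rewritten) == known_good_digest,
        "partitions_kept_after_rewrite":
            parse_mbr(rewritten)["partitions"] == parse_mbr(sector)["partitions"],
        "zeroed_still_parses": zeroed_parses,
    }


if __name__ == "__main__":
    # Constructed disk: one active FAT32 (type 0x0B) partition starting at sector 63.
    infected = build_mbr(INFECTED_CODE, [(True, 0x0B, 63, 2000000)])
    good_digest = hashlib.sha256(CLEAN_CODE).hexdigest()
    for key, value in cleanup_report(infected, good_digest).items():
        print("%-32s %s" % (key, value))
```

The digest check is only as good as the reference it is compared against: it has to come from a sector captured before the infection, which is exactly the trap Paul describes when his Western Digital backup MBR turned out to carry the virus too. The script works on a 512-byte image; on a real drive that sector has to be read and written with a raw-disk tool, and restoring only the code area presumes the partition table itself was not tampered with.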
This message is part of XXCOPY's message archive. The archive contains all the messages posted at Yahoo!Groups: XXCOPY.