22 replies to this topic

[memoarfaa]

hi reboot community

my USB flash drive boot to the first hard disk with this command

title Boot from Hard Disk
map (hd1) (hd0)
map (hd0) (hd1)
map --hook
rootnoverify (hd0)
chainloader +1

the problem is

if my hard disk contain mbr virus 

this destroy the mbr of the usb drive 

and its hang on Try (hd0,0) 

so i mast install grub4dos mbr again to usb flash drive 

and didn,t boot to hard disk until boot to any antivirus

rescue CD and remove master boot record virus

this is USBInfo with start sector 0 that destroyed with the hard disk infection with master boot record virus 

http://www.mediafire...7g4/USBInfo.Txt

 

how i can solve this proplem

 

 

 

[Wonko the Sane]

It is not at all clear to me the actual reason of attempting using that menu entry.

 

I mean, if you know that your internal hard disk MBR contains a virus (presumably because you tried starting the PC from the internal hard disk and failed) WHY (the heck) do you use a USB stick to chainload it (and thus having it execute)?

 

If you have found that there is a virus in the MBR, you need to NOT execute it.

 

grub4dos will provide you 2 (two) different ways to bypass the MBR code, assuming that on the internal hard disk there is a Vista/7/8 install in the first (active) partition on disk and that you want to boot it from USB (once you will have restored on it the "original" MBR, which - seemingly from your USBinfo.txt is backed up on 2nd sector)

#1 boot from the USB stick, press "c" to get to the command prompt, in it type:

map (hd1) (hd0)
map (hd0) (hd1)
map --hook
root (hd0,0) 
chainloader +1
boot

the above will bypass the MBR code and boot from the PBR/VBR code

 

#2 boot from the USB stick, press "c" to get to the command prompt, in it type:

map (hd1) (hd0) 
map (hd0) (hd1) 
map --hook 
root (hd0,0)  
chainloader /bootmgr
boot

the above will bypass the MBR code and the PBR/VBR code and boot by directly chainloading the Vista/7 bootmanager.

 

BUT what you really want to do is to NOT boot at all from the internal hard disk, but rather boot from *something* else capable of removing the MBR virus (and/or the effects of it).

 

If you want to remove the MBR virus, you can - from the booted grub4dos - dd to the first sector of the hard disk's first 440 bytes *any* MBR code or just a set of 00's.

 

Wonko

[steve6375]

Can you boot to the grub4dos menu?

[memoarfaa]

Can you boot to the grub4dos menu?

 

no i Can't  boot to the grub4dos menu

its hang on Try (hd0,0) 

[steve6375]

If hanging on  

 

try (hd0,0)

 

I don't see how that can be caused by a virus in the system as long as you switch off the PC - insert USB drive - switch on PC - boot from USB.

[memoarfaa]

no i cant boot from usb to this PC that contain the infictation hard disk or any other PC  until install grub4dos mbr to usb drive again

 

the usb mbr is destroyed  

 

when install mbr again to usb its work very well in any other PC and the PC that contain the infictation hard disk

 

but without the command in the first of this topic 

 

when i try to boot from hard disk with this command the mbr of usb is destroyed

Edited by memoarfaa, 22 August 2014 - 03:27 PM.

[steve6375]

Maybe I misunderstand

 

1. Make USB drive with grub4dos and menu.lst file

2. insert USB drive in infected system

3. Switch on infected system

4. boot from USB drive to show grub4dos menu

 

do you see a grub4dos menu???

[Wonko the Sane]

I am still failing to see why you cannot (on another PC) fix the MBR on the USB drive.

The partition data is seemingly OK, you just need to run bootlace (or bootice, or whatever program that can install the grldr.mbr to MBR+hidden sectors).

 

Wonko 

[memoarfaa]

hi steve 

 

i will explain more of that

i install grub4dos to usb

this is my menu.lst   

timeout 30
gfxmenu /Memo/Memo.GFX

title [1:] Boot from 1st Hard Disk\nBoot from MBR of first hard disk and remove the USB drive
map (hd0) (hd1)
map (hd1) (hd0)
map --hook
chainloader (hd0)+1
rootnoverify (hd0)

title [2:] setup XP original-SP2\nBoot once from USB; with virtual CD+Floppy XP_SP3.IMA
find --set-root --ignore-floppies --ignore-cd /images/XP_SP3.IMA
map --mem /images/XP_SP3.IMA (fd0)
map --mem /images/XP_SP3.IMA (fd1)
map --mem (md)0x800+4 (99)
map /images/XP2_RAM.ISO (222) || map --mem /images/XP2_RAM.ISO (222)
map (hd0) (hd1) 
map (hd1) (hd0)
checkrange 0x80 read 0x8280 && geometry (hd1) && map (hd0) (hd1)
checkrange 0x80 read 0x8280 && geometry (hd1) && map (hd1) (hd0)
map --hook
cat --locate=###### --number=1 (fd0)/TXTSETUP.OEM > nul || call :error /images/XP_SP3.IMA file error..
set offset=%?%
write --offset=%offset% (fd0)/TXTSETUP.OEM value=Parameters,StartOptions,REG_SZ,"cdrom,vmem=find:/images/XP2_RAM.ISO;floppy,vmem=find:/images/XP_SP3.IMA;"\r\n;
cat --skip=%offset% --locate=/ --replace=\\ (fd0)/TXTSETUP.OEM
cat --locate=###### --number=1 (fd1)/TXTSETUP.OEM > nul || call :error /images/XP_SP3.IMA file error..
set offset=%?%
write --offset=%offset% (fd1)/TXTSETUP.OEM value=Parameters,StartOptions,REG_SZ,"cdrom,vmem=find:/images/XP2_RAM.ISO;floppy,vmem=find:/images/XP_SP3.IMA;"\r\n;
cat --skip=%offset% --locate=/ --replace=\\ (fd1)/TXTSETUP.OEM
write --offset=0 (fd0)/setup/ISOimage.ini \\images\\XP2_RAM.ISO\n;\n;\n;
write --offset=0 (fd1)/setup/ISOimage.ini \\images\\XP2_RAM.ISO\n;\n;\n;
write (99) [FiraDisk]\nStartOptions=cdrom,vmem=find:/images/XP2_RAM.ISO;floppy,vmem=find:/images/XP_SP3.IMA;\n\0
root (222)
chainloader (222)/I386/SETUPLDR.BIN

title [4:] INSTALL Windows 7 32-bit imdisk\nThis will install any edition of Windows 32-bit to your hard disk
debug off
set MYISO=Win7.iso
dd if=()/firadisk/auWin8.xml of=()/AutoUnattend.xml
dd if=()/firadisk/spaces.txt of=()/firadisk/ISONAME.CMD
write ()/firadisk/ISONAME.CMD SET MYISO=\\iso\\%MYISO%\r\n
map --mem (md)0x800+4 (99)
map /ISO/%MYISO% (0xff)
map (hd0) (hd1)
map (hd1) (hd0)
map --hook
write (99) [FiraDisk]\nStartOptions=cdrom,vmem=find:/ISO/%MYISO%;\n\0
chainloader (0xff)/BOOTMGR || chainloader (0xff)

title [5:] INSTALL Windows 8 32-bit\nThis will install Windows 8 32-bit to your hard disk
debug off
set MYISO=Win8.iso
dd if=()/firadisk/auWin8.xml of=()/AutoUnattend.xml
dd if=()/firadisk/spaces.txt of=()/firadisk/ISONAME.CMD
write ()/firadisk/ISONAME.CMD SET MYISO=\\iso\\%MYISO%\r\n
map --mem (md)0x800+4 (99)
map /ISO/%MYISO% (0xff)
map (hd0) (hd1)
map (hd1) (hd0)
map --hook
write (99) [FiraDisk]\nStartOptions=cdrom,vmem=find:/ISO/%MYISO%;\n\0
chainloader (0xff)/BOOTMGR || chainloader (0xff)

title [6:] Hiren's BootCD ISO\nThis will load hirens boot cd
map --unmap=0:0xff
map --unhook
root (hd0,0)
map /ISO/hirens.iso (0xff) || map --mem  /ISO/hirens.iso (0xff)
map --hook
root (0xff)
configfile /HBCD/menu.lst || chainloader (0xff)
map --unmap=0:0xff

title [8:] reboot\nThis will restar your comuter
reboot 

title [9:] shutdown\nThis will turn off your comuter
halt

when i want install any of window version the usb work very well in any PC 

 

but if the PC contain an infection hard disk 

the first part of windows boot normally and i format the the windows

partition and copy files of this part of windows work normally 

 

and when i want to go to the second part of windows installation (GUI mode)

 

i use the first command  in my menu.lst (title [1:] Boot from 1st Hard Disk)

 

after this if the hard disk contain mbr virus this destroy the usb grub4dos mbr on the usb flash drive 

 

and the flash drive didn't boot to any PC until install grub4dos mbr  to usb again

 and its work normally but without  boot from this command in menu.lst (title [1:] Boot from 1st Hard Disk) in the PC that have infection hard disk

if this happen the usb mbr destroy again

[steve6375]

Why not destroy the MBR of the hard disk first before you run the XP install using dd in grub4dos ??

 

You could use a default MBR with no partition table and then partition it in XP.

 

dd if=()/images/mbr.bin of=(hd1)+1

 

or see here for how to preserve ptn table

[Wonko the Sane]

Why not destroy the MBR of the hard disk first before you run the XP install using dd in grub4dos ??

 

You could use a default MBR with no partition table and then partition it in XP.

 

dd if=()/images/mbr.bin of=(hd1)+1

 

or see here for how to preserve ptn table

Or have a 440 bytes in size "mbr.bin" or use 

dd if=()/images/mbr.bin of=(hd1)+1 bs=1 count=440

Still, if you AVOID booting using the MBR code, but go directly to the (just installed) bootsector

title [1:] Boot from 1st Partition on First Hard Disk\nBoot from PBR of first partition on first hard disk and remove the USB drive
map (hd1) (hd0)
map (hd0) (hd1)
map --hook
root (hd0,0)
chainloader +1

you should be fine, and once in a booted Windows you may run (say) MBRFIX or the like.

 

Wonko

[sixcentgeorge]

there are a lot of solutions for killing the mbr virus : first one use a pc that has a bios or an add-in scsi card with a bios that can low-level format your drive ...

second one : use  the tool from your drive manufacturer that can do smart checking and low level format or some others like this rescue kit free:

http://www.paragon-s...m/home/rk-free/

third solution : use a second pc and check drive with an antivirus or low-level format using hddguru tool :

http://hddguru.com/s...el-Format-Tool/

it can do that on usb too , simply use wipe instead of full format

[Wonko the Sane]

there are a lot of solutions for killing the mbr virus : first one use a pc that has a bios or an add-in scsi card with a bios that can low-level format your drive ...
second one : use  the tool from your drive manufacturer that can do smart checking and low level format or some others like this rescue kit free:
http://www.paragon-s...m/home/rk-free/
third solution : use a second pc and check drive with an antivirus or low-level format using hddguru tool :
http://hddguru.com/s...el-Format-Tool/
it can do that on usb too , simply use wipe instead of full format

JFYI, NO disk drive manufactured in the last (say) 15 years or more can be low-level formatted.

In any case, you don't normally use cannons to shoot at flies.

A MBR virus is in the MBR.

All is needed is to remove it by overwriting it with valid MBR code.

We are talking of 440 bytes, wiping a disk (which is what the so-called low-level tools will do) will take HOURS (and it is a perfect way to senselessly stress a hard disk).


Wonko

[sixcentgeorge]

i just did a little searh on google with hitachi hd tool , as result i have :

https://www2.hgst.co...rt/download.htm

 

you can read under DFT tool  :

Restores Drive Fitness

• Erase-boot-sector utility (Use option: Erase Boot Sector).
  - Note: this utility overwrites customer data to allow repair of bad sectors.
• Low-level format utility (Use option: Erase Disk).
  - Note: this utility overwrites customer data to allow repair of bad sectors.  

  

by the way low level format is not that bad if hard drive is in good shape......

 

 

here is a link having all manufacturers tools :

http://www.z-a-recov...ref-vendors.htm

[Wonko the Sane]

by the way low level format is not that bad if hard drive is in good shape......

Wiping (that is NOT "low-level format") a disk will have it writing 00's for HOURS, even if using the fastest available method (which is the ATA internal commands).
This tends to increase noticeably the temperature of a disk drive.
On a desktop this can usually be mitigated by opening the case and adding if needed an additional fan, on a laptop this is by far more difficult and if there is something that is connected with drive failures it is overheating.

It is like having your car engine accelerated to the max for a few hours, it could be a good way to test it, but the engine will sustain some wear (without bringing you any far ).

Of course if a wipe is needed, it is needed, but doing one without any real need in order to wipe a single sector (or actually part of it) makes no sense whatsoever.



Wonko

[sixcentgeorge]

wonko , i know what you mean , i leave near the sea in france and temps are getting high sometimes , so now i use watercooling ;'] with big radiators and lots of water in the loop .

it is better to do low level format when the day starts and computer was off all night .

 

hard-drive are not alone when it comes to very very high temp....gpu are some killers too ;']

the nvidia titan [780] was the first to have a bios where the clocking is "obeying" the temp of the card .

all cards are made like that : if temp is high then gpu slowdown his gpu and ram ...hd should do the same and slow the round per seconde when temp is too high ...

[Wonko the Sane]

.

it is better to do low level format when the day starts and computer was off all night .

.

... and even better doing it on the 29th of February.

 

Wonko

[sixcentgeorge]

once every 4 years ....not that wise : i prefer right after buying a new or old hd , some motherf..ckers sometimes drop some virus on the new hard-drive in factory , while second hand can be sold for this reason : a virus .....

low level format makes you sure the drive is ok and kill any virus , known or not...

by the way , it is also good for datas you will write , like a defrag that rewrites some files , the magnetism is set again at top for them

Edited by sixcentgeorge, 23 August 2014 - 10:16 AM.

[Wonko the Sane]

some motherf..ckers sometimes drop some virus on the new hard-drive in factory , while second hand can be sold for this reason : a virus .....

Yep, but later you will have to take some precautions:
http://www.msfn.org/...rivacy-profile/

by the way , it is also good for datas you will write , like a defrag that rewrites some files , the magnetism is set again at top for them

Yeah, sure, setting magnetism at the the top is a very needed step, like putting pixie dust on your wings before flying .


Wonko

[memoarfaa]

 

Still, if you AVOID booting using the MBR code, but go directly to the (just installed) bootsector

title [1:] Boot from 1st Partition on First Hard Disk\nBoot from PBR of first partition on first hard disk and remove the USB drive
map (hd1) (hd0)
map (hd0) (hd1)
map --hook
root (hd0,0)
chainloader +1

you should be fine, and once in a booted Windows you may run (say) MBRFIX or the like.

 

Wonko

 

 

very thanks Wonko

 

this command solved the problem but i want  to know why 

the mbr of the internal hard disk destroy my usb mbr 

i want to know what's happen 

grub4dos merge the mbr of the infliction hard disk  with the mbr of the usb for example 

so mbr of usb destroyed????????

[memoarfaa]

there are a lot of solutions for killing the mbr virus : first one use a pc that has a bios or an add-in scsi card with a bios that can low-level format your drive ...

second one : use  the tool from your drive manufacturer that can do smart checking and low level format or some others like this rescue kit free:

http://www.paragon-s...m/home/rk-free/

third solution : use a second pc and check drive with an antivirus or low-level format using hddguru tool :

http://hddguru.com/s...el-Format-Tool/

it can do that on usb too , simply use wipe instead of full format

 

hi sixcentgeorge 

the problem not remove the mbr virus 

from the internal hard disk  but

destroy mbr of my usb flash drive 

i can easily remove  the mbr virus

from the internal hard disk without loss of my personal data 

by install grub4dos mbr to my usb flash

again and boot to kaspersky rescue disk 10 ISO

and only mark on scan disk boot sector  and hidden start up Object 

 

but in some places when i haven't any grub mbr installer 

i stopped my work until get the grub installer 

so that the command that wonko support me solved the problem

without lost personal data  

Edited by memoarfaa, 23 August 2014 - 11:30 AM.

[sixcentgeorge]

i have not a real good view of what you have working and what is having virus .

you seem to have mbr virus on the hard -drive and on the usb stick

 

but you have an other stick that boot and that you can "edit"

so if i were you i would use the manufacturer tool to remove the virus on the mbr of hd or use the latest free resue disk from paragon to create a bootable usb stick or iso/cdrom and repair may be usb and hd

then i would install windows and use the hddguru tool to remove the virus on the usb stick .

 

with usb stick you must not format them using a format that was created after they were build .

because it can be unable to "understand" it and will no longer work .

usb stick are also sometimes buggy when it comes to make them system , especially for non-M$ os

they are made for the market where windows is DOMINATING ;']

 

 

 

wonko put an helmet before reading :

 

 

 

 

From Wikipedia, the free encyclopedia

A hard disk drive (HDD)^[b] is a data storage device used for storing and retrieving digital information using rapidly rotating disks (platters) coated with magnetic material.

 

 

there are 65 times the use of magn on this page : http://en.wikipedia....Hard_disk_drive

Edited by sixcentgeorge, 23 August 2014 - 12:05 PM.

[Wonko the Sane]

this command solved the problem but i want  to know why 
the mbr of the internal hard disk destroy my usb mbr 
i want to know what's happen 
grub4dos merge the mbr of the infliction hard disk  with the mbr of the usb for example 
so mbr of usb destroyed????????

Start by posting the EXACT version of grub4dos you installed on that USB stick (before it was corrupted by the hard disk MBR virus) and the EXACT methot/tool you used to install it.

It is evident that the MBR you posted in the USBinfo.txt has been partially overwritten, but we need to compare it to how it was before to see what has been overwritten/changed.

@sixcentgeorge
For no apparent reason, an Hitachi movie
http://www1.hgst.com...rAnimation.html


Wonko