home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
World of Education
/
World of Education.iso
/
world_d
/
drfinfo.zip
/
MBRSAV20.ZIP
/
MBRSAVE.DOC
< prev
next >
Wrap
Text File
|
1993-04-15
|
29KB
|
567 lines
Documentation for GETMBR.COM and PUTMBR.COM v2.0
GETMBR.COM v2.0 - Copyright - Mike Lambert, 92-93 All rights reserved
PUTMBR.COM v2.0 - Copyright - Mike Lambert, 92-93 All rights reserved
Release Information
-------------------
GETMBR.COM and PUTMBR.COM released for public use. The program and
this documentation file can be freely distributed 1) for NO
compensation of any kind, including the cost of disk and shipping,
2) provided the GETMBR.COM, PUTMBR.COM, and MBRSAVE.DOC files are
distributed together.
GETMBR v2.0 and PUTMBR v2.0 use a different filename than v1.0 and v1.1.
Warrantee
---------
No warranty is given for the performance of this software. Use at
your own risk. As with any software, it is may cause harm if the
programs are modified and executed.
GETMBR and PUTMBR are not supported in any way.
Introduction
------------
GETMBR and PUTMBR are a couple of simple programs I give to
students. Since they were designed for students who may or may not
know or have a program to save the MBR and EPBRs, the programs are
simple and requires a floppy disk, no user options are allowed.
The object is to boot from a clean floppy and run GETMBR to get a
copy of your MBR and EPBRs. Then when you need to replace them for
any reason, you would boot the floppy disk and run PUTMBR. PUTMBR
would ask you if you want to replace them if they have changed. If
you wish to replace them, you answer with a Y. That's it, plain and
simple. If the MBR/EPBRs have not changed, not action is required.
Why you should use a program like this
--------------------------------------
The Master Boot Record (MBR) and Extended Partition Boot Record(s)
(EPBR) should be backed up to your Disaster Recovery floppy disk.
This floppy disk should be bootable and have all of your "in case
something goes wrong" programs and data on it.
Disaster Recovery Disk
----------------------
A Disaster Recovery Disk is a floppy disk that is used to bring up
your computer should your hard disk be unbootable, restore critical
system data, repartition and format your hard disk, restore files
from backup copies, etc. Its your basic "magic floppy disk" used to
solve your system problems.
I suggest breaking the Disaster Recovery Disk into 2 disks; 1. the
"clean original copy of DOS" and 2. the additional programs and
data.
The clean original copy of DOS should have as a minimum on it:
1. It should be bootable
2. SYS
3. CHKDSK
4. FDISK
5. FORMAT
6. DEBUG
7. DISKCOPY
8. ATTRIB
9. MODE
10. MORE
11. MEM
12. any additional DOS drivers you require.
13. a CONFIG.SYS and AUTOEXEC.BAT to configure the system.
14. any other DOS programs you might need, perhaps MSD
This disk should be write protected immediately after creation and
the write protect should NEVER be removed. Instead, boot the disk
and run DISKCOPY to make a new copy. Modify the new disk only when
booted from the clean floppy.
The second disk should have the following as a minimum:
1. a program to restore your CMOS data
2. your CMOS data
3. GETMBR and PUTMBR
4. mbrepbr.rec - your MBR and EPBRs
5. An ASCII editor
6. A Sector editor
7. Your unarchiver (like PKunzip) if necessary
8. Your tape backup/restore software
9. ATTRIB from your DOS disk
This disk should be write protected immediately after creation. The
disk should only be written to on a system booted by your clean
boot disk. If you need to backup new copies of your MBR or CMOS
data, boot the clean disk and run the appropriate programs. Write
protect the disk as soon as you are finished.
What else you need besides this
-------------------------------
You should ALWAYS have a backup of your programs and data on your
system along with any additional programs necessary to restore the
files to the hard disk. The actual contents would depend on the
Disaster Recovery Plan you have made.
For more info on Disaster Recovery Disk(s), see my paper, "Making
the Disaster Recovery Disks, OR Making the Magic Floppy", copyright
1993, Mike Lambert.
Using GETMBR
------------
Copy GETMBR.COM to your Disaster Recovery Disk.
The command line syntax is:
A:\>GETMBR
No parameters are necessary. This program should be run in a
"clean" environment, preferably from your clean Disaster Recovery
Disk.
GETMBR is a simple program that reads the MBR and EPBRs on C: and
writes them to a file to A:MBREPBR.REC. GETMBR does NOT write
to C:.
If A:MBREPBR.REC already exists, the MBR from C: is NOT written.
If you wish to replace the MBREPBR.REC on A:, you must:
1. change the R/O attribute of the file: ATTRIB -R A:MBREPBR.REC
2. delete the file: DEL A:MBREPBR.REC
GETMBR does a couple of checks on the MBR to see if it looks like
it is a real MBR. Viruses are also able to immitate an MBR so this
program should NOT be used to validate an MBR. If GETMBR thinks
that a virus or security program is/will interfere with the
process, it will notify you with a message. In that case, boot with
the clean Disaster Recovery Floppy and re-run GETMBR.
GETMBR will warn the user when it finds a partition starting on
head 0, cylinder 0. This area is used by many viruses and a
partition starting in this area could be severely damaged by a virus.
If you have a partition starting somewhere under head 0, on
cylinder 0, consider repartitioning the disk to start under head 1.
GETMBR will display all the ASCII text found in the MBR and then
ask if it should be written to A:. Answer Y or N.
If the file A:MBREPBR.REC is written to A:, it will be set to
Read Only (R/O).
Use PUTMBR to replace the MBR or EPBRs in the event you have to.
PUTMBR 2.0+ is version sensitive, use the same version as the
version of GETMBR used to create A:MBREPBR.REC.
At this time it is convenient to backup your CMOS data to the
floppy disk as well. When backups are completed, write protect the
floppy disk.
If you change your hard disk system in any way, repartition your
disk, etc. reboot your system with the Disaster Recovery Disk,
delete the old MBREPBR.REC file, and rerun GETMBR to store the new
information.
GETMBR will not run if it detects a stealth virus or some access
security systems. GETMBR and PUTMBR are not appropriate for backup
and restoring protected systems, the product should have that
capability. If a stealth virus is active, GETMBR will refuse to
run. Remove the virus from your system and rerun GETMBR. Ideally,
GETMBR should be run after the system has been booted by the
Disaster Recovery Disk.
What GETMBR looks like
----------------------
The following is a sample output of GETMBR:
The MBR in this example is a "typical" MBR, your's should look much
the same. This disk has an Extended Partition with one logical
drive in it, so there is one EPBR saved. This file is 1536 bytes
long. The first 512 bytes is the MBR, the second 512 bytes is
maintenance information used by PUTMBR, and the succeeding 512 byte
blocks is the EPBR. A Data Recovery Specialist will have no
trouble using the file to put the disk back together if necessary.
Do not modify any information in A:MBREPBR.REC.
-----------------------------------------------------------------------------
GETMBR v2.0 - write Master Boot Record and Extended Partition Boot Records
on C: to A:\MBREPBR.REC
...hold on while I reset your hard disk
...reading your Master Boot Record from C:
This is your MBR in Hex and Ascii, look for anything unusual.
FA33C08E D0BC007C 8BF45007 501FFBFC BF0006B9 0001F2A5 .3.....|..P.P...........
EA1D0600 00BEBE07 B304803C 80740E80 3C00751C 83C610FE ...........<.t..<.u.....
CB75EFCD 188B148B 4C028BEE 83C610FE CB741A80 3C0074F4 .u......L........t..<.t.
BE8B06AC 3C00740B 56BB0700 B40ECD10 5EEBF0EB FEBF0500 ....<.t.V.......^.......
BB007CB8 010257CD 135F730C 33C0CD13 4F75EDBE A306EBD3 ..|...W.._s.3...Ou......
BEC206BF FE7D813D 55AA75C7 8BF5EA00 7C000049 6E76616C .....}.=U.u.....|..Inval
69642070 61727469 74696F6E 20746162 6C650045 72726F72 id partition table.Error
206C6F61 64696E67 206F7065 72617469 6E672073 79737465 loading operating syste
6D004D69 7373696E 67206F70 65726174 696E6720 73797374 m.Missing operating syst
656D0000 00000000 00000000 00000000 00000000 00000000 em......................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00008001 01000405 62402200 ....................b@".
0000AAFF 00000000 41410505 E22BCCFF 00004487 01000000 ........AA...+....D.....
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 000055AA ......U.
Do you want to save this MBR to A:\MBREPBR.REC? (Y/N)
...checking A: for A:\MBREPBR.REC
Checking EPBR 1 saved
MBR on C: successfully written to A:\MBREPBR.REC (set R/O)
-----------------------------------------------------------------------------
Using PUTMBR
------------
Copy PUTMBR.COM to your Disaster Recovery Disk.
If you ever need to restore your MBR or EPBRs, boot your Disaster
Recovery Disk, put in the disk with PUTMBR and your copy of
MBREPBR.REC, and run PUTMBR. You could also do this procedure to see
if your MBR has been changed. PUTMBR will not write to C: unless
the disk copy is different and you tell PUTMBR to.
The command line syntax is:
A:\>PUTMBR
No parameters are necessary. This program should be run in a
"clean" environment, preferably from your clean Disaster Recovery
Disk.
PUTMBR is a simple program that reads the Master Boot Record on
A:MBREPBR.REC and writes it to C:, sector 1, head 0, side 0. The
file, A:MBREPBR.REC is created by the GETMBR program.
PUTMBR is intended to be used to restore your MBR from the backup
copy. It is your responsibility to insure that the MBR is not
infected with a virus.
PUTMBR does a couple of checks on the MBR to see if it looks like
it is a real MBR. Viruses are able to immitate an MBR so this
program should NOT be used to validate an MBR.
PUTMBR will compare the MBR with the stored copy of the MBR and if
it is different, it will give you a chance to replace it. If so,
PUTMBR will display all the ASCII text found in the MBR and then
ask if it should be written to C:. Answer Y or N. EPBRs are also
compared and if different, will also prompt you asking if they
should be replaced.
If PUTMBR finds that the MBR and EPBRs are the same, it will tell
you and take no action.
PUTMBR tries to protect you from accidently writing the wrong MBR
and EPBRs to your system. If the disk system does not match the disk
system that the MBR and EPBRs were saved from, PUTMBR will not
replace the MBR or EPBRs. Of course, if you have two identical
systems partitioned differently, PUTMBR will not be able to know
that the MBR and EPBRs are for the other system and will ask you if
you want them replaced. It is the user's responsibility, not the
program's, to insure that the correct MBR and EPBRs are being
replaced. This is easily accomplished by labeling the disk for each
computer. Since you would also use this same disk to backup your
CMOS settings, it is prudent to fully identify the system on the
disk label.
Do not modify the MBREPBR.REC file. PUTMBR checks the integrity of
the file and will not restore the MBR or EPBRs if the file has been
modified. If you are sure that the MBR and EPBRs stored are
correct, consult a Data Recovery Specialist. They will be able to
use the file contents to recover your system.
PUTMBR will not run if it detects a stealth virus or some access
security systems. GETMBR and PUTMBR are not appropriate for backup
and restoring protected systems, the product should have that
capability. If a stealth virus is active, PUTMBR will refuse to
run. Remove the virus from your system and run GETMBR. Ideally,
GETMBR should be run after the system has been booted by the
Disaster Recovery Disk.
What PUTMBR looks like
----------------------
The following is a sample output of PUTMBR:
-----------------------------------------------------------------------------
If the stored MBR and EPBRs are identical to the disk copies:
PUTMBR v2.0 - write Master Boot Record on C: from A:\MBREPBR.REC
...hold while I reset your hard disk.
...reading your Master Boot Record from A:\MBREPBR.REC
The stored MBR is the same as the disk's MBR, no need to restore it
Checking EPBR 1 Ok, no need to restore it.
-----------------------------------------------------------------------------
If the hard disk MBR and EPBR are different:
PUTMBR v2.0 - write Master Boot Record on C: from A:\MBREPBR.REC
...hold while I reset your hard disk.
...reading your Master Boot Record from A:\MBREPBR.REC
The stored MBR is different from the disk copy, this is the file's copy
FA33C08E D0BC007C 8BF45007 501FFBFC BF0006B9 0001F2A5 .3.....|..P.P...........
EA1D0600 00BEBE07 B304803C 80740E80 3C00751C 83C610FE ...........<.t..<.u.....
CB75EFCD 188B148B 4C028BEE 83C610FE CB741A80 3C0074F4 .u......L........t..<.t.
BE8B06AC 3C00740B 56BB0700 B40ECD10 5EEBF0EB FEBF0500 ....<.t.V.......^.......
BB007CB8 010257CD 135F730C 33C0CD13 4F75EDBE A306EBD3 ..|...W.._s.3...Ou......
BEC206BF FE7D813D 55AA75C7 8BF5EA00 7C000049 6E76616C .....}.=U.u.....|..Inval
69642070 61727469 74696F6E 20746162 6C650045 72726F72 id partition table.Error
206C6F61 64696E67 206F7065 72617469 6E672073 79737465 loading operating syste
6D004D69 7373696E 67206F70 65726174 696E6720 73797374 m.Missing operating syst
656D0000 00000000 00000000 00000000 00000000 00000000 em......................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00008001 01000405 62402200 ....................b@".
0000AAFF 00000000 41410505 E22BCCFF 00004487 01000000 ........AA...+....D.....
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 000055AA ......U.
Do you want to write this MBR to C: ? (Y/N)
PUTMBR writing MBR to C:
Checking EPBR 1 , it is different than stored copy.
Do you want to restore it? EPBR restored from backup copy.
-----------------------------------------------------------------------------
If the MBREPBR.REC is a backup of some other system and does not
match this disk system:
PUTMBR v2.0 - write Master Boot Record on C: from A:\MBREPBR.REC
...hold while I reset your hard disk.
...reading your Master Boot Record from A:\MBREPBR.REC
The saved MBR does not match this disk geometry, Wrong Backup Copy!
============================================================================
Additional Information
----------------------
Below are some examples of some things you don't want to backup
with GETMBR. They are viruses and you can see that the MBR
presented to you is different than the example of the "typical" MBR
above. These are for illustration purposes, different versions of
the viruses look different. I've * out about half of the hex, for
obvious reasons.
Just a short note on Multi-partitte viruses. These infect the MBR
and load at boot time. The virus replicates via COM and EXE files
rather than floppy disks. Imagine the problems you'd have if you
had one of these and was running GETMBR and PUTMBR from a hard disk
(not write protected) while infected.
To use GETMBR and PUTMBR most effectively, they should be placed on
a clean bootable floppy and GETMBR should backup a clean MBR and
EPBRs. If the floppy is then write protected, you won't go wrong.
Booting that clean floppy disk and runing PUTMBR will ensure that
you really restore your real MBR to the real MBR sector on the
disk. Use some common sense and think about what you do!
This is what the AZUSA virus looks like:
GETMBR v2.0 - write Master Boot Record and Extended Partition Boot Records
on C: to A:\MBREPBR.REC
...hold on while I reset your hard disk
...reading your Master Boot Record from C:
This is your MBR in Hex and Ascii, look for anything unusual.
E98B008E D0BC007C 8BF450F6 C402745B F6C28075 56501E31 .......|..P...t[...uVP.1
******** D0FEC084 ******** 44535152 ******** 01020E07 .........?.uDSQR.WV.....
BB0002B9 ******** E8350072 ******** 89023B06 ******** .........5.r&.....;...t.
******** 0827B601 ******** 0EE81F00 ******** DB41B600 .....'.....r.......1.A..
E80D005E ******** 5B1F58EA ******** 9C2EFF1E ******** ...^_.ZY[.X.........l...
******** 00B90800 ******** 7003BF70 ******** A4C331C0 ............p..p......1.
8ED88ED0 ******** 4C00A36C ******** A36E7CA1 ******** ......|.L..l|.N..n|...H.
******** D3E08EC0 ******** 0B00A34E ******** BE007C31 ..........L....N......|1
FFFCF3A4 ******** 50CB31C0 ******** 8EC0B801 ******** ....P...P.1...1........|
******** 00F6C1FF ******** 00EA007C ******** 27BA0001 ...?....t..Q...|....'...
CD1372F1 ******** 02BB0002 ******** 8000CD13 ******** ..r.................r...
******** 0074D6E8 ******** 0331DB41 ******** BEBE01B9 .9...t..e....1.A........
0400803C ******** C610E2F6 ******** 028B14CD ******** ...<.t.........L........
******** 1580066F ******** 030E0731 ******** B600CD13 o..u...o.......1........
EB0E31C0 ******** 080400C6 ******** 0E1FC606 ******** ..1.................o...
******** C3000001 00000000 00000000 00000000 00000000 .Z......................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00008001 01000103 11961100 ........................
00000B28 00000000 01970503 D1AA1C28 000050D1 00000000 ...(...........(..P.....
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 000055AA ......U.
Do you want to save this MBR to A:\MBREPBR.REC? (Y/N)
GETMBR not writing MBR to A:
-----------------------------------------------------------------------------
This is what the JOSHI virus looks like:
GETMBR v2.0 - write Master Boot Record and Extended Partition Boot Records
on C: to A:\MBREPBR.REC
...hold on while I reset your hard disk
...reading your Master Boot Record from C:
A stealth MBR virus (or security monitor) is active, disable it and try again
Hit Y and I'll show you what the -REAL- MBR looks like.
EB1F908E D08EC08E D8B8007C 8BE0FB8B F0BF007E FCB90001 ...........|.......~....
******** 02B90002 ******** 8ED88ED0 ******** A11304B1 ........................
06D3E08E ******** 2D2100BF ******** 7C03F003 ******** ........-!......|.....y.
******** A675108C ******** 8EC0BB00 ******** 0100CBA1 +....u.... .......S.....
13042D06 ******** B106D3E0 ******** 7CBF0000 ******** ..-.............|.......
******** 0520008E ******** 06530E1F ******** 8A2E1E7C ..... .......S.........|
8A0E1F7C ******** 207C50B8 ******** 58505351 ******** ...|.... |P.....XPSQR...
******** 58731050 ******** B400CD13 ******** 58EBE2FE .ZY[Xs.PSQR......ZY[X...
C181C300 ******** 508AC12A ******** 08581F72 ******** ........P..*..|,.X.r....
******** 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00008001 01000606 E3BD2300 ......................#.
0000B394 03000000 00000000 00000000 00000000 00000000 ........................
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 000055AA ......U.
ReBoot a clean system; run PUTMBR
-----------------------------------------------------------------------------
This what is the MICHAELANGELO virus looks like:
GETMBR v2.0 - write Master Boot Record and Extended Partition Boot Records
on C: to A:\MBREPBR.REC
...hold on while I reset your hard disk
...reading your Master Boot Record from C:
This is your MBR in Hex and Ascii, look for anything unusual.
E9AC00F5 00809F02 07001A03 00C81E50 0AD2751B 33C08ED8 ...............P..u.3...
******** 01751058 ******** 1E0A009C ******** CA020058 ..?..u.X...............X
1F2EFF2E ******** 51521E06 ******** 0E07BE04 ******** ......PSQR..VW..........
******** 010033D2 ******** 00730C33 ******** 0A004E75 ......3......s.3......Nu
E4EB4333 ******** 077506AD ******** 35B80103 ******** ..C3...;.u..;G.t5.......
******** 7402B10E ******** 9CFF1E0A ******** BE03BFBE ....t............r......
01B92100 ******** 010333DB ******** D29CFF1E ******** ..!.......3....3......_^
******** 5B58C333 ******** 8ED0B800 ******** 1E50A14C ..ZY[X.3........|....P.L
00A30A7C ******** 0C7CA113 ******** 1304B106 ******** ...|.N...|...HH.........
******** 0E00A34C ******** 00B9BE01 ******** FFFCF3A4 ..|....L...N......|3....
2EFF2E03 ******** C0CD130E ******** BB007C8B ******** ....|3............|.....
******** BA8000CD ******** 0E0800BA ******** 72200E07 ..u.......+.........r ..
B80102BB ******** 00BA8000 ******** 33F6FCAD ******** ..............r.3...;.uO
******** 754933C9 ******** 81FA0603 ******** D2B90100 .;G.uI3.........t..3....
B809038B ******** FE037410 ******** 0E7409B2 ******** ....6.....t......t......
******** BB00508E ******** 0432E4CD ******** 36070072 ......P....s.2.....:6..r
CF32F6FE ******** 0700890E ******** 03BA8000 ******** .2....................r.
******** BE01B921 ******** 010333DB ******** **900000 .......!......3.........
00000000 00000000 00000000 00008001 01000103 11961100 ........................
00000B28 00000000 01970503 D1AA1C28 000050D1 00000000 ...(...........(..P.....
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 000055AA ......U.
Do you want to save this MBR to A:\MBREPBR.REC? (Y/N)
GETMBR not writing MBR to A:
-----------------------------------------------------------------------------
This is what the NOINT virus looks like:
GETMBR v2.0 - write Master Boot Record and Extended Partition Boot Records
on C: to A:\MBREPBR.REC
...hold on while I reset your hard disk
...reading your Master Boot Record from C:
A stealth MBR virus (or security monitor) is active, disable it and try again
Hit Y and I'll show you what the -REAL- MBR looks like.
EB3C908E D0BC007C 8BF45007 501FFBFC BF0006B9 0001F2A5 .<.....|..P.P...........
******** 00BEBE07 ******** 80740E80 ******** 83C610FE ...........<.t..<.u.....
CB75EFCD ******** 4C028BEE ******** C08ED88B ******** .u......L......3........
******** 4C0036A3 ******** 0036A30E ******** 36A3AB00 ....L.6....N.6......6...
4848A313 ******** E08EC036 ******** DA00A34C ******** HH.........6.......L...N
******** 161F33F6 ******** A436FF2E ******** 809F8CD0 ......3......6..........
8EC0B801 ******** C2807411 ******** 80009C2E ******** .....3....t.............
******** 02B90300 ******** 2EFF1E0C ******** 80E86200 .................r....b.
33C08ED8 ******** BC000433 ******** D22EFF2E ******** 3..........3.3.3.......|
******** 80FC0275 ******** 00752983 ******** 51B90700 ...P...u9....u)...uQ...
B801029C ******** 01597220 ******** 01581F55 ******** .........Yr ..&!.X.U...f
******** 1A0300C8 ******** 05E80A00 ******** 2EFF2E0C ..]........w....r.X.....
01005351 ******** BE0200B8 ******** 00BB0002 ******** ..SQRVW...............2.
******** 0C01730F ******** FF1E0C01 ******** EB5190BE ......s.3.......Nu...Q..
D6000E1F ******** 00027443 ******** 0302B93B ******** ......;...tC.......;....
******** BE01B942 ******** 0103BB00 ******** B60180FA .......B................
017605B9 ******** 9C2EFF1E ******** B8010333 ******** .v....2.......r....3.2..
******** 1E0C0107 ******** 5BC3FCFC 00000000 00000000 ........_^ZY[...........
00000000 00000000 00000000 00008001 01000103 11961100 ........................
00000B28 00000000 01970503 D1AA1C28 000050D1 00000000 ...(...........(..P.....
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 000055AA ......U.
ReBoot a clean system; run PUTMBR
-----------------------------------------------------------------------------
This is what the STONED virus looks like:
GETMBR v2.0 - write Master Boot Record and Extended Partition Boot Records
on C: to A:\MBREPBR.REC
...hold on while I reset your hard disk
...reading your Master Boot Record from C:
This is your MBR in Hex and Ascii, look for anything unusual.
EA0500C0 07E99900 021A0300 C8E40080 9F007C00 001E5080 ..................|...P.
******** 80FC0473 ******** 0E33C08E ******** A8017503 ..r....s...u.3....?...u.
E8070058 ******** 09005351 ******** BE0400B8 ******** ...X......SQR.VW........
******** C98BD141 ******** 0900730E ******** FF1E0900 ...3...A......s.3.......
4E75E0EB ******** BF0002FC ******** 057506AD ******** Nu..5.3........;.u..;E.t
******** BB0002B1 ******** 2EFF1E09 ******** 010333DB !................r....3.
B10133D2 ******** 09005F5E ******** C333C08E ******** ..3......._^.ZY[.3......
******** A14C00A3 ******** 00A30B7C ******** 48A31304 ..|..L...|.N...|...HH...
B106D3E0 ******** 7CB81500 ******** 064E00B9 ******** ........|....L...N......
******** FCF3A42E ******** B80000CD ******** C0B80102 3................3......
BB007C2E ******** 00740BB9 ******** 00CD13EB ******** ..|..>...t..........I...
******** CD13723E ******** 04077512 ******** 1FAC0AC0 ......r>&..l..u.........
7408B40E ******** EBF30E07 ******** 0002B101 ******** t.......................
******** 1FBE0002 ******** 3B057511 ******** 750B2EC6 .r..........;.u..;E.u...
06080000 ******** 002EC606 ******** 0103BB00 ******** ........................
******** 1372DF0E ******** BE03BFBE ******** F3A4B801 .....r............B.....
0333DBFE ******** C507596F ******** 43206973 ******** .3........Your PC is now
******** 6E656421 ******** 004C4547 ******** 45204D41 Stoned!.....LEGALISE MA
52494A55 ******** 00000000 00008001 01000103 11961100 RIJUANA!................
00000B28 00000000 01970503 D1AA1C28 000050D1 00000000 ...(...........(..P.....
00000000 00000000 00000000 00000000 00000000 00000000 ........................
00000000 000055AA ......U.
Do you want to save this MBR to A:\MBREPBR.REC? (Y/N)
GETMBR not writing MBR to A:
-----------------------------------------------------------------------------
Please take the time to give me some feedback, good or bad. I would
have no way of knowing if you find this of value if noone ever gave
any feedback!! My intention is to make this of value, am I helping
or hurting?
Mike Lambert - 92-93
1153 Dublin Place
Herndon, Va 22070
Fax 703-471-6214