World of Education

home *** CD-ROM | disk | FTP | other *** search

/ World of Education / World of Education.iso / world_d / drfinfo.zip / MBRSAV20.ZIP / MBRSAVE.DOC < prev next >

Wrap

Text File | 1993-04-15 | 29KB | 567 lines

Documentation for GETMBR.COM and PUTMBR.COM v2.0 GETMBR.COM v2.0 - Copyright - Mike Lambert, 92-93 All rights reserved PUTMBR.COM v2.0 - Copyright - Mike Lambert, 92-93 All rights reserved Release Information ------------------- GETMBR.COM and PUTMBR.COM released for public use. The program and this documentation file can be freely distributed 1) for NO compensation of any kind, including the cost of disk and shipping, 2) provided the GETMBR.COM, PUTMBR.COM, and MBRSAVE.DOC files are distributed together. GETMBR v2.0 and PUTMBR v2.0 use a different filename than v1.0 and v1.1. Warrantee --------- No warranty is given for the performance of this software. Use at your own risk. As with any software, it is may cause harm if the programs are modified and executed. GETMBR and PUTMBR are not supported in any way. Introduction ------------ GETMBR and PUTMBR are a couple of simple programs I give to students. Since they were designed for students who may or may not know or have a program to save the MBR and EPBRs, the programs are simple and requires a floppy disk, no user options are allowed. The object is to boot from a clean floppy and run GETMBR to get a copy of your MBR and EPBRs. Then when you need to replace them for any reason, you would boot the floppy disk and run PUTMBR. PUTMBR would ask you if you want to replace them if they have changed. If you wish to replace them, you answer with a Y. That's it, plain and simple. If the MBR/EPBRs have not changed, not action is required. Why you should use a program like this -------------------------------------- The Master Boot Record (MBR) and Extended Partition Boot Record(s) (EPBR) should be backed up to your Disaster Recovery floppy disk. This floppy disk should be bootable and have all of your "in case something goes wrong" programs and data on it. Disaster Recovery Disk ---------------------- A Disaster Recovery Disk is a floppy disk that is used to bring up your computer should your hard disk be unbootable, restore critical system data, repartition and format your hard disk, restore files from backup copies, etc. Its your basic "magic floppy disk" used to solve your system problems. I suggest breaking the Disaster Recovery Disk into 2 disks; 1. the "clean original copy of DOS" and 2. the additional programs and data. The clean original copy of DOS should have as a minimum on it: 1. It should be bootable 2. SYS 3. CHKDSK 4. FDISK 5. FORMAT 6. DEBUG 7. DISKCOPY 8. ATTRIB 9. MODE 10. MORE 11. MEM 12. any additional DOS drivers you require. 13. a CONFIG.SYS and AUTOEXEC.BAT to configure the system. 14. any other DOS programs you might need, perhaps MSD This disk should be write protected immediately after creation and the write protect should NEVER be removed. Instead, boot the disk and run DISKCOPY to make a new copy. Modify the new disk only when booted from the clean floppy. The second disk should have the following as a minimum: 1. a program to restore your CMOS data 2. your CMOS data 3. GETMBR and PUTMBR 4. mbrepbr.rec - your MBR and EPBRs 5. An ASCII editor 6. A Sector editor 7. Your unarchiver (like PKunzip) if necessary 8. Your tape backup/restore software 9. ATTRIB from your DOS disk This disk should be write protected immediately after creation. The disk should only be written to on a system booted by your clean boot disk. If you need to backup new copies of your MBR or CMOS data, boot the clean disk and run the appropriate programs. Write protect the disk as soon as you are finished. What else you need besides this ------------------------------- You should ALWAYS have a backup of your programs and data on your system along with any additional programs necessary to restore the files to the hard disk. The actual contents would depend on the Disaster Recovery Plan you have made. For more info on Disaster Recovery Disk(s), see my paper, "Making the Disaster Recovery Disks, OR Making the Magic Floppy", copyright 1993, Mike Lambert. Using GETMBR ------------ Copy GETMBR.COM to your Disaster Recovery Disk. The command line syntax is: A:\>GETMBR No parameters are necessary. This program should be run in a "clean" environment, preferably from your clean Disaster Recovery Disk. GETMBR is a simple program that reads the MBR and EPBRs on C: and writes them to a file to A:MBREPBR.REC. GETMBR does NOT write to C:. If A:MBREPBR.REC already exists, the MBR from C: is NOT written. If you wish to replace the MBREPBR.REC on A:, you must: 1. change the R/O attribute of the file: ATTRIB -R A:MBREPBR.REC 2. delete the file: DEL A:MBREPBR.REC GETMBR does a couple of checks on the MBR to see if it looks like it is a real MBR. Viruses are also able to immitate an MBR so this program should NOT be used to validate an MBR. If GETMBR thinks that a virus or security program is/will interfere with the process, it will notify you with a message. In that case, boot with the clean Disaster Recovery Floppy and re-run GETMBR. GETMBR will warn the user when it finds a partition starting on head 0, cylinder 0. This area is used by many viruses and a partition starting in this area could be severely damaged by a virus. If you have a partition starting somewhere under head 0, on cylinder 0, consider repartitioning the disk to start under head 1. GETMBR will display all the ASCII text found in the MBR and then ask if it should be written to A:. Answer Y or N. If the file A:MBREPBR.REC is written to A:, it will be set to Read Only (R/O). Use PUTMBR to replace the MBR or EPBRs in the event you have to. PUTMBR 2.0+ is version sensitive, use the same version as the version of GETMBR used to create A:MBREPBR.REC. At this time it is convenient to backup your CMOS data to the floppy disk as well. When backups are completed, write protect the floppy disk. If you change your hard disk system in any way, repartition your disk, etc. reboot your system with the Disaster Recovery Disk, delete the old MBREPBR.REC file, and rerun GETMBR to store the new information. GETMBR will not run if it detects a stealth virus or some access security systems. GETMBR and PUTMBR are not appropriate for backup and restoring protected systems, the product should have that capability. If a stealth virus is active, GETMBR will refuse to run. Remove the virus from your system and rerun GETMBR. Ideally, GETMBR should be run after the system has been booted by the Disaster Recovery Disk. What GETMBR looks like ---------------------- The following is a sample output of GETMBR: The MBR in this example is a "typical" MBR, your's should look much the same. This disk has an Extended Partition with one logical drive in it, so there is one EPBR saved. This file is 1536 bytes long. The first 512 bytes is the MBR, the second 512 bytes is maintenance information used by PUTMBR, and the succeeding 512 byte blocks is the EPBR. A Data Recovery Specialist will have no trouble using the file to put the disk back together if necessary. Do not modify any information in A:MBREPBR.REC. ----------------------------------------------------------------------------- GETMBR v2.0 - write Master Boot Record and Extended Partition Boot Records on C: to A:\MBREPBR.REC ...hold on while I reset your hard disk ...reading your Master Boot Record from C: This is your MBR in Hex and Ascii, look for anything unusual. FA33C08E D0BC007C 8BF45007 501FFBFC BF0006B9 0001F2A5 .3.....|..P.P........... EA1D0600 00BEBE07 B304803C 80740E80 3C00751C 83C610FE ...........<.t..<.u..... CB75EFCD 188B148B 4C028BEE 83C610FE CB741A80 3C0074F4 .u......L........t..<.t. BE8B06AC 3C00740B 56BB0700 B40ECD10 5EEBF0EB FEBF0500 ....<.t.V.......^....... BB007CB8 010257CD 135F730C 33C0CD13 4F75EDBE A306EBD3 ..|...W.._s.3...Ou...... BEC206BF FE7D813D 55AA75C7 8BF5EA00 7C000049 6E76616C .....}.=U.u.....|..Inval 69642070 61727469 74696F6E 20746162 6C650045 72726F72 id partition table.Error 206C6F61 64696E67 206F7065 72617469 6E672073 79737465 loading operating syste 6D004D69 7373696E 67206F70 65726174 696E6720 73797374 m.Missing operating syst 656D0000 00000000 00000000 00000000 00000000 00000000 em...................... 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00008001 01000405 62402200 ....................b@". 0000AAFF 00000000 41410505 E22BCCFF 00004487 01000000 ........AA...+....D..... 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 000055AA ......U. Do you want to save this MBR to A:\MBREPBR.REC? (Y/N) ...checking A: for A:\MBREPBR.REC Checking EPBR 1 saved MBR on C: successfully written to A:\MBREPBR.REC (set R/O) ----------------------------------------------------------------------------- Using PUTMBR ------------ Copy PUTMBR.COM to your Disaster Recovery Disk. If you ever need to restore your MBR or EPBRs, boot your Disaster Recovery Disk, put in the disk with PUTMBR and your copy of MBREPBR.REC, and run PUTMBR. You could also do this procedure to see if your MBR has been changed. PUTMBR will not write to C: unless the disk copy is different and you tell PUTMBR to. The command line syntax is: A:\>PUTMBR No parameters are necessary. This program should be run in a "clean" environment, preferably from your clean Disaster Recovery Disk. PUTMBR is a simple program that reads the Master Boot Record on A:MBREPBR.REC and writes it to C:, sector 1, head 0, side 0. The file, A:MBREPBR.REC is created by the GETMBR program. PUTMBR is intended to be used to restore your MBR from the backup copy. It is your responsibility to insure that the MBR is not infected with a virus. PUTMBR does a couple of checks on the MBR to see if it looks like it is a real MBR. Viruses are able to immitate an MBR so this program should NOT be used to validate an MBR. PUTMBR will compare the MBR with the stored copy of the MBR and if it is different, it will give you a chance to replace it. If so, PUTMBR will display all the ASCII text found in the MBR and then ask if it should be written to C:. Answer Y or N. EPBRs are also compared and if different, will also prompt you asking if they should be replaced. If PUTMBR finds that the MBR and EPBRs are the same, it will tell you and take no action. PUTMBR tries to protect you from accidently writing the wrong MBR and EPBRs to your system. If the disk system does not match the disk system that the MBR and EPBRs were saved from, PUTMBR will not replace the MBR or EPBRs. Of course, if you have two identical systems partitioned differently, PUTMBR will not be able to know that the MBR and EPBRs are for the other system and will ask you if you want them replaced. It is the user's responsibility, not the program's, to insure that the correct MBR and EPBRs are being replaced. This is easily accomplished by labeling the disk for each computer. Since you would also use this same disk to backup your CMOS settings, it is prudent to fully identify the system on the disk label. Do not modify the MBREPBR.REC file. PUTMBR checks the integrity of the file and will not restore the MBR or EPBRs if the file has been modified. If you are sure that the MBR and EPBRs stored are correct, consult a Data Recovery Specialist. They will be able to use the file contents to recover your system. PUTMBR will not run if it detects a stealth virus or some access security systems. GETMBR and PUTMBR are not appropriate for backup and restoring protected systems, the product should have that capability. If a stealth virus is active, PUTMBR will refuse to run. Remove the virus from your system and run GETMBR. Ideally, GETMBR should be run after the system has been booted by the Disaster Recovery Disk. What PUTMBR looks like ---------------------- The following is a sample output of PUTMBR: ----------------------------------------------------------------------------- If the stored MBR and EPBRs are identical to the disk copies: PUTMBR v2.0 - write Master Boot Record on C: from A:\MBREPBR.REC ...hold while I reset your hard disk. ...reading your Master Boot Record from A:\MBREPBR.REC The stored MBR is the same as the disk's MBR, no need to restore it Checking EPBR 1 Ok, no need to restore it. ----------------------------------------------------------------------------- If the hard disk MBR and EPBR are different: PUTMBR v2.0 - write Master Boot Record on C: from A:\MBREPBR.REC ...hold while I reset your hard disk. ...reading your Master Boot Record from A:\MBREPBR.REC The stored MBR is different from the disk copy, this is the file's copy FA33C08E D0BC007C 8BF45007 501FFBFC BF0006B9 0001F2A5 .3.....|..P.P........... EA1D0600 00BEBE07 B304803C 80740E80 3C00751C 83C610FE ...........<.t..<.u..... CB75EFCD 188B148B 4C028BEE 83C610FE CB741A80 3C0074F4 .u......L........t..<.t. BE8B06AC 3C00740B 56BB0700 B40ECD10 5EEBF0EB FEBF0500 ....<.t.V.......^....... BB007CB8 010257CD 135F730C 33C0CD13 4F75EDBE A306EBD3 ..|...W.._s.3...Ou...... BEC206BF FE7D813D 55AA75C7 8BF5EA00 7C000049 6E76616C .....}.=U.u.....|..Inval 69642070 61727469 74696F6E 20746162 6C650045 72726F72 id partition table.Error 206C6F61 64696E67 206F7065 72617469 6E672073 79737465 loading operating syste 6D004D69 7373696E 67206F70 65726174 696E6720 73797374 m.Missing operating syst 656D0000 00000000 00000000 00000000 00000000 00000000 em...................... 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00008001 01000405 62402200 ....................b@". 0000AAFF 00000000 41410505 E22BCCFF 00004487 01000000 ........AA...+....D..... 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 000055AA ......U. Do you want to write this MBR to C: ? (Y/N) PUTMBR writing MBR to C: Checking EPBR 1 , it is different than stored copy. Do you want to restore it? EPBR restored from backup copy. ----------------------------------------------------------------------------- If the MBREPBR.REC is a backup of some other system and does not match this disk system: PUTMBR v2.0 - write Master Boot Record on C: from A:\MBREPBR.REC ...hold while I reset your hard disk. ...reading your Master Boot Record from A:\MBREPBR.REC The saved MBR does not match this disk geometry, Wrong Backup Copy! ============================================================================ Additional Information ---------------------- Below are some examples of some things you don't want to backup with GETMBR. They are viruses and you can see that the MBR presented to you is different than the example of the "typical" MBR above. These are for illustration purposes, different versions of the viruses look different. I've * out about half of the hex, for obvious reasons. Just a short note on Multi-partitte viruses. These infect the MBR and load at boot time. The virus replicates via COM and EXE files rather than floppy disks. Imagine the problems you'd have if you had one of these and was running GETMBR and PUTMBR from a hard disk (not write protected) while infected. To use GETMBR and PUTMBR most effectively, they should be placed on a clean bootable floppy and GETMBR should backup a clean MBR and EPBRs. If the floppy is then write protected, you won't go wrong. Booting that clean floppy disk and runing PUTMBR will ensure that you really restore your real MBR to the real MBR sector on the disk. Use some common sense and think about what you do! This is what the AZUSA virus looks like: GETMBR v2.0 - write Master Boot Record and Extended Partition Boot Records on C: to A:\MBREPBR.REC ...hold on while I reset your hard disk ...reading your Master Boot Record from C: This is your MBR in Hex and Ascii, look for anything unusual. E98B008E D0BC007C 8BF450F6 C402745B F6C28075 56501E31 .......|..P...t[...uVP.1 ******** D0FEC084 ******** 44535152 ******** 01020E07 .........?.uDSQR.WV..... BB0002B9 ******** E8350072 ******** 89023B06 ******** .........5.r&.....;...t. ******** 0827B601 ******** 0EE81F00 ******** DB41B600 .....'.....r.......1.A.. E80D005E ******** 5B1F58EA ******** 9C2EFF1E ******** ...^_.ZY[.X.........l... ******** 00B90800 ******** 7003BF70 ******** A4C331C0 ............p..p......1. 8ED88ED0 ******** 4C00A36C ******** A36E7CA1 ******** ......|.L..l|.N..n|...H. ******** D3E08EC0 ******** 0B00A34E ******** BE007C31 ..........L....N......|1 FFFCF3A4 ******** 50CB31C0 ******** 8EC0B801 ******** ....P...P.1...1........| ******** 00F6C1FF ******** 00EA007C ******** 27BA0001 ...?....t..Q...|....'... CD1372F1 ******** 02BB0002 ******** 8000CD13 ******** ..r.................r... ******** 0074D6E8 ******** 0331DB41 ******** BEBE01B9 .9...t..e....1.A........ 0400803C ******** C610E2F6 ******** 028B14CD ******** ...<.t.........L........ ******** 1580066F ******** 030E0731 ******** B600CD13 o..u...o.......1........ EB0E31C0 ******** 080400C6 ******** 0E1FC606 ******** ..1.................o... ******** C3000001 00000000 00000000 00000000 00000000 .Z...................... 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00008001 01000103 11961100 ........................ 00000B28 00000000 01970503 D1AA1C28 000050D1 00000000 ...(...........(..P..... 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 000055AA ......U. Do you want to save this MBR to A:\MBREPBR.REC? (Y/N) GETMBR not writing MBR to A: ----------------------------------------------------------------------------- This is what the JOSHI virus looks like: GETMBR v2.0 - write Master Boot Record and Extended Partition Boot Records on C: to A:\MBREPBR.REC ...hold on while I reset your hard disk ...reading your Master Boot Record from C: A stealth MBR virus (or security monitor) is active, disable it and try again Hit Y and I'll show you what the -REAL- MBR looks like. EB1F908E D08EC08E D8B8007C 8BE0FB8B F0BF007E FCB90001 ...........|.......~.... ******** 02B90002 ******** 8ED88ED0 ******** A11304B1 ........................ 06D3E08E ******** 2D2100BF ******** 7C03F003 ******** ........-!......|.....y. ******** A675108C ******** 8EC0BB00 ******** 0100CBA1 +....u.... .......S..... 13042D06 ******** B106D3E0 ******** 7CBF0000 ******** ..-.............|....... ******** 0520008E ******** 06530E1F ******** 8A2E1E7C ..... .......S.........| 8A0E1F7C ******** 207C50B8 ******** 58505351 ******** ...|.... |P.....XPSQR... ******** 58731050 ******** B400CD13 ******** 58EBE2FE .ZY[Xs.PSQR......ZY[X... C181C300 ******** 508AC12A ******** 08581F72 ******** ........P..*..|,.X.r.... ******** 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00008001 01000606 E3BD2300 ......................#. 0000B394 03000000 00000000 00000000 00000000 00000000 ........................ 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 000055AA ......U. ReBoot a clean system; run PUTMBR ----------------------------------------------------------------------------- This what is the MICHAELANGELO virus looks like: GETMBR v2.0 - write Master Boot Record and Extended Partition Boot Records on C: to A:\MBREPBR.REC ...hold on while I reset your hard disk ...reading your Master Boot Record from C: This is your MBR in Hex and Ascii, look for anything unusual. E9AC00F5 00809F02 07001A03 00C81E50 0AD2751B 33C08ED8 ...............P..u.3... ******** 01751058 ******** 1E0A009C ******** CA020058 ..?..u.X...............X 1F2EFF2E ******** 51521E06 ******** 0E07BE04 ******** ......PSQR..VW.......... ******** 010033D2 ******** 00730C33 ******** 0A004E75 ......3......s.3......Nu E4EB4333 ******** 077506AD ******** 35B80103 ******** ..C3...;.u..;G.t5....... ******** 7402B10E ******** 9CFF1E0A ******** BE03BFBE ....t............r...... 01B92100 ******** 010333DB ******** D29CFF1E ******** ..!.......3....3......_^ ******** 5B58C333 ******** 8ED0B800 ******** 1E50A14C ..ZY[X.3........|....P.L 00A30A7C ******** 0C7CA113 ******** 1304B106 ******** ...|.N...|...HH......... ******** 0E00A34C ******** 00B9BE01 ******** FFFCF3A4 ..|....L...N......|3.... 2EFF2E03 ******** C0CD130E ******** BB007C8B ******** ....|3............|..... ******** BA8000CD ******** 0E0800BA ******** 72200E07 ..u.......+.........r .. B80102BB ******** 00BA8000 ******** 33F6FCAD ******** ..............r.3...;.uO ******** 754933C9 ******** 81FA0603 ******** D2B90100 .;G.uI3.........t..3.... B809038B ******** FE037410 ******** 0E7409B2 ******** ....6.....t......t...... ******** BB00508E ******** 0432E4CD ******** 36070072 ......P....s.2.....:6..r CF32F6FE ******** 0700890E ******** 03BA8000 ******** .2....................r. ******** BE01B921 ******** 010333DB ******** **900000 .......!......3......... 00000000 00000000 00000000 00008001 01000103 11961100 ........................ 00000B28 00000000 01970503 D1AA1C28 000050D1 00000000 ...(...........(..P..... 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 000055AA ......U. Do you want to save this MBR to A:\MBREPBR.REC? (Y/N) GETMBR not writing MBR to A: ----------------------------------------------------------------------------- This is what the NOINT virus looks like: GETMBR v2.0 - write Master Boot Record and Extended Partition Boot Records on C: to A:\MBREPBR.REC ...hold on while I reset your hard disk ...reading your Master Boot Record from C: A stealth MBR virus (or security monitor) is active, disable it and try again Hit Y and I'll show you what the -REAL- MBR looks like. EB3C908E D0BC007C 8BF45007 501FFBFC BF0006B9 0001F2A5 .<.....|..P.P........... ******** 00BEBE07 ******** 80740E80 ******** 83C610FE ...........<.t..<.u..... CB75EFCD ******** 4C028BEE ******** C08ED88B ******** .u......L......3........ ******** 4C0036A3 ******** 0036A30E ******** 36A3AB00 ....L.6....N.6......6... 4848A313 ******** E08EC036 ******** DA00A34C ******** HH.........6.......L...N ******** 161F33F6 ******** A436FF2E ******** 809F8CD0 ......3......6.......... 8EC0B801 ******** C2807411 ******** 80009C2E ******** .....3....t............. ******** 02B90300 ******** 2EFF1E0C ******** 80E86200 .................r....b. 33C08ED8 ******** BC000433 ******** D22EFF2E ******** 3..........3.3.3.......| ******** 80FC0275 ******** 00752983 ******** 51B90700 ...P...u9....u)...uQ... B801029C ******** 01597220 ******** 01581F55 ******** .........Yr ..&!.X.U...f ******** 1A0300C8 ******** 05E80A00 ******** 2EFF2E0C ..]........w....r.X..... 01005351 ******** BE0200B8 ******** 00BB0002 ******** ..SQRVW...............2. ******** 0C01730F ******** FF1E0C01 ******** EB5190BE ......s.3.......Nu...Q.. D6000E1F ******** 00027443 ******** 0302B93B ******** ......;...tC.......;.... ******** BE01B942 ******** 0103BB00 ******** B60180FA .......B................ 017605B9 ******** 9C2EFF1E ******** B8010333 ******** .v....2.......r....3.2.. ******** 1E0C0107 ******** 5BC3FCFC 00000000 00000000 ........_^ZY[........... 00000000 00000000 00000000 00008001 01000103 11961100 ........................ 00000B28 00000000 01970503 D1AA1C28 000050D1 00000000 ...(...........(..P..... 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 000055AA ......U. ReBoot a clean system; run PUTMBR ----------------------------------------------------------------------------- This is what the STONED virus looks like: GETMBR v2.0 - write Master Boot Record and Extended Partition Boot Records on C: to A:\MBREPBR.REC ...hold on while I reset your hard disk ...reading your Master Boot Record from C: This is your MBR in Hex and Ascii, look for anything unusual. EA0500C0 07E99900 021A0300 C8E40080 9F007C00 001E5080 ..................|...P. ******** 80FC0473 ******** 0E33C08E ******** A8017503 ..r....s...u.3....?...u. E8070058 ******** 09005351 ******** BE0400B8 ******** ...X......SQR.VW........ ******** C98BD141 ******** 0900730E ******** FF1E0900 ...3...A......s.3....... 4E75E0EB ******** BF0002FC ******** 057506AD ******** Nu..5.3........;.u..;E.t ******** BB0002B1 ******** 2EFF1E09 ******** 010333DB !................r....3. B10133D2 ******** 09005F5E ******** C333C08E ******** ..3......._^.ZY[.3...... ******** A14C00A3 ******** 00A30B7C ******** 48A31304 ..|..L...|.N...|...HH... B106D3E0 ******** 7CB81500 ******** 064E00B9 ******** ........|....L...N...... ******** FCF3A42E ******** B80000CD ******** C0B80102 3................3...... BB007C2E ******** 00740BB9 ******** 00CD13EB ******** ..|..>...t..........I... ******** CD13723E ******** 04077512 ******** 1FAC0AC0 ......r>&..l..u......... 7408B40E ******** EBF30E07 ******** 0002B101 ******** t....................... ******** 1FBE0002 ******** 3B057511 ******** 750B2EC6 .r..........;.u..;E.u... 06080000 ******** 002EC606 ******** 0103BB00 ******** ........................ ******** 1372DF0E ******** BE03BFBE ******** F3A4B801 .....r............B..... 0333DBFE ******** C507596F ******** 43206973 ******** .3........Your PC is now ******** 6E656421 ******** 004C4547 ******** 45204D41 Stoned!.....LEGALISE MA 52494A55 ******** 00000000 00008001 01000103 11961100 RIJUANA!................ 00000B28 00000000 01970503 D1AA1C28 000050D1 00000000 ...(...........(..P..... 00000000 00000000 00000000 00000000 00000000 00000000 ........................ 00000000 000055AA ......U. Do you want to save this MBR to A:\MBREPBR.REC? (Y/N) GETMBR not writing MBR to A: ----------------------------------------------------------------------------- Please take the time to give me some feedback, good or bad. I would have no way of knowing if you find this of value if noone ever gave any feedback!! My intention is to make this of value, am I helping or hurting? Mike Lambert - 92-93 1153 Dublin Place Herndon, Va 22070 Fax 703-471-6214