Strange MBR changes

Started by sinsi, July 29, 2011, 07:11:35 AM

sinsi

I have had 3 different computers to fix recently that blue screen with INACCESSIBLE_BOOT_DEVICE.
Usually this means a faulty HDD but in these cases a surface scan came back OK. Hooking the HDD up as an external,
disk management shows it as RAW. Now here's the weird thing, in all 3 cases the partition type in the MBR had changed
from 7 (NTFS) to 6 (FAT16). Surely Windows doesn't muck around with the MBR beyond reading it at boot?

Changing it to 7 with a hex editor restores it to life. Just wondering if this has happened to someone or if anyone knows what Windows does.
Light travels faster than sound, that's why some people seem bright until you hear them.
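The check described in the post above, as an added example that is not part of the original thread: it reads the four primary entries from the MBR partition table, looks at each partition's own boot sector, and reports entries whose type byte disagrees with the filesystem found there, along with how many bits differ. The function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE  # partition table: four 16-byte entries from byte 446

def parse_mbr(sector0):
    """Return (index, type, start LBA, sector count) for each used entry."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector0[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        lba, count = struct.unpack_from("<II", raw, 8)
        if raw[4] != 0:  # byte 4 is the type ID; 0 marks an unused slot
            entries.append((i, raw[4], lba, count))
    return entries


def vbr_expected_type(vbr):
    """Infer the partition type from the volume boot record itself."""
    if vbr[3:11] == b"NTFS    ":        # NTFS OEM ID
        return 0x07
    if vbr[0x36:0x3E] == b"FAT16   ":   # FAT16 filesystem-type string
        return 0x06
    return None


def audit(image):
    """List entries whose type byte contradicts their boot sector."""
    findings = []
    for index, ptype, lba, _count in parse_mbr(image[:SECTOR]):
        expected = vbr_expected_type(image[lba * SECTOR:(lba + 1) * SECTOR])
        if expected is not None and expected != ptype:
            bits = bin(expected ^ ptype).count("1")  # number of flipped bits
            findings.append((index, ptype, expected, bits))
    return findings


def build_sample(ptype):
    """Constructed image: MBR with one entry, NTFS boot sector at LBA 63."""
    img = bytearray(64 * SECTOR)
    img[PT_OFFSET:PT_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", ptype, b"\xfe\xff\xff", 63, 1)
    img[510:512] = b"\x55\xaa"
    img[63 * SECTOR + 3:63 * SECTOR + 11] = b"NTFS    "
    return bytes(img)


print(audit(build_sample(0x06)))
```

Run against a read-only image of the affected disk rather than the constructed sample, the same comparison shows whether only the type byte is wrong before anything is edited.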

dedndave

you may have a root-kit virus in there
i use MbrWizard to make backup copies of the MBR's...

i see he is now charging $7 for the newer GUI version
http://mbrwizard.com/

but, i prefer the old command-line version (v 2)

the site is strangely constructed
1) start out at mbrwizard.com
2) click the Downloads category at the top of the page
3) click the Legacy category at the top of that page

don't bother trying to bookmark or link to the legacy page, directly - lol

FORTRANS

Hi,

   In my experience, only a boot manager, partitioning programs,
low level disk editors, weird experiments, and malware will muck
about with partition tables.  And three times in a row tends to
rule out a random event.  I guess I have to add in backup
programs as Dave mentioned, though I haven't personally seen
them modify the MBR.

Regards,

Steve N.

mineiro

Maybe some old infected floppy forgotten in the drive and unfortunately the BIOS set up to boot this device; FAT16 is a characteristic of this. Maybe a pen drive used to boot itself (USB)? Some old programs try to do a jmp to some of the last sectors, generally in non-formatted space to .... you know, so I'm supposing they have failed, because they don't understand NTFS.
Check the BIOS firmware too, in principle if it is a flash BIOS or another type of writeable BIOS.
Think of memory too: if some program is loaded before the O.S., it eats some memory space to brief(cheat?) the law, so future reports will say less memory than available. A cmp between before and after shows you this.
Another supposition: first sector being a bad block, but in exactly 3 machines, hmm, I have discarded this hypothesis... .
And hardware problems and driver problems I discarded too, only because this happened to 3 machines instantly.

sinsi

No viruses, no rootkits, that was my first thought. Standard MBR code, just corrupt by 1 bit in the partition table.
I fix around 15 computers a week, so 3 in a couple of months isn't that much but it is an unusual problem.

MichaelW

eschew obfuscation

sinsi

desktop, XP, Western Digital IDE
laptop, Vista, Hitachi SATA
laptop, Vista, Toshiba SATA

This happened last year but I just backed up data and formatted, this latest batch made me dig in a bit further.
I do love me a hex editor...

dedndave

perhaps it is the app you are using to backup or format   :bg

sinsi

?

I backed up then formatted because of the problem, now I can hex edit and fix it.

dedndave

my point is this....
you are having a problem on different machines that is somewhat uncommon
there is likely a common reason this is happening to you
that fact may help you find the culprit
somehow, the same thing is happening - it sounds to me like
1) you have a virus and are spreading it as you move apps to computers to work on
or
2) one of your apps has a bug - same deal - you are moving that code to the computer to work on it
(or perhaps it is happening if you temporarily stick the hard drive into your own machine)

that brings to mind a bug in MbrWizard   :bg
when you enter a type ID byte value on the command line, it always wants the "h" specifier for hex

vanjast

From type 7 NTFS to type 6 FAT is a single bit error.
It could be a 'consistent' random error on the drive itself... maybe the drive is a bit old
There are not any influential magnetic sources nearby ?

What happens if you reset it to 7 ?
:8)

MichaelW

Any random error getting past the drive's error detection/correction mechanism is unlikely, and a single-bit error is the least likely to do so.

redskull

I've seen the phenomenon of NTFS randomly changing into "RAW" after mounting them in non-MS NTFS drivers (i.e. Linux dual-boots, live-CD's etc).
Strange women, lying in ponds, distributing swords, is no basis for a system of government

dedndave

random does not fly, here
he is talking about 3 different machines with totally different drives

Tedd

The common factor is likely to be human interference. Did they come directly to you with the very same problem, or did someone else work on them before you and then pass it on to you?
Otherwise, it would have to be some obscure software they have all used that modifies the MBR for whatever reason. If it was any of the standard windows tools, this would be a more common occurrence.
No snowflake in an avalanche feels responsible.