Norton AntiVirus 2003 "ERROR"?

RGromlich
Member
Posts: 64
Joined: Sun Dec 16, 2001 12:23 am
Location: Harrisburg, PA


Post by RGromlich »

Here is an interesting problem:

Two weeks ago my wife's computer (P-II 300MHz 162MB Win98SE) got a NAV2003 alert window - Master Boot Record has been changed. Options were to do nothing, restore MBR, or save current MBR as new standard. Chose #2 - Restore MBR. Got same alert - tried again - nothing. Disk became unbootable - Norton can't access it, Gibson Research SpinRite can't access it, acts like the disk had a hardware failure. Maybe. Disk returned to supplier for replacement.

Now THIS computer (P-III 1GHz 384MB WinME) is getting the same alert box - this time DID NOT accept offer to restore MBR. Computer still boots & operates OK. NAV2003 with latest 01/04/03 updates does not find a virus, but this activity sure sounds like a virus.

I can't get in touch with Norton until tomorrow - closed on weekends - and I don't know how long it will take them to respond when I do, so I thought to try here. I got some very good help here last year, when my TCP/IP stack was corrupted.

Anyone ever seen this one? Is it a known virus? Or What?

Any ideas cheerfully accepted,
Roy J. Gromlich
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

I'm still using Norton 2000 but what you describe is either,

1. Hard drive failure

2. Something was added to the system to change the boot record.

3. Virus

You've hit all areas that it can be. Have you tried running system file checker and see if anything is coming up corrupted or changed? It's really hard to say what's causing it. You may want to wait for Symantec's reply, but that could be a few days as you know.

I would think that if it's a virus, it would have picked it off immediately. Sorry I'm not more help here. :(
RGromlich
Member
Posts: 64
Joined: Sun Dec 16, 2001 12:23 am
Location: Harrisburg, PA

Post by RGromlich »

I am at a loss here ---

1 - hard drive failure WOULD be the most likely, except that in the case of my 2nd computer, the hard drive is working just fine

2 - Nothing (hardware) was added to the system in EITHER computer. As far as I know, SOFTWARE should not affect the MBR at all - I can't think of any reason why it should. The MBR describes the HD and the operating system - nothing else.

3 - I have heard of viruses which try to disable anti-virus software, though I have never heard which ones actually do that. I suppose if you can disable the AV software you could make it actually do damage to the system, but that would be QUITE an exploit and I should think it would be plastered all over the Internet.

I guess I will have to wait for Norton to reply.

Roy
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

I have actually seen 2 viruses disable Norton or McAfee anti virus. Klez, and BugBear. If either of those 2 viruses got into a system BEFORE the updates to Norton were applied, they would disable Norton/McAfee. Though at times Norton appears normal.

I've seen systems reboot, and Norton starts up, even leaving an icon in the system tray, then abruptly closing.

One way to ensure viruses don't attack the MBR is to enable virus protection in the BIOS/CMOS setup. And while in there it's a good idea to disable flashing of the BIOS as well. (Enable those ONLY when you yourself are about to either rewrite the MBR, or flash your BIOS.)

Norton's website has info on these viruses, and tools to remove them, along with instructions for each OS.
RGromlich
Member
Posts: 64
Joined: Sun Dec 16, 2001 12:23 am
Location: Harrisburg, PA

Post by RGromlich »

Now that IS interesting - I did have a Klez variant on both of these computers, but that was months ago, and these systems have been declared clear by Norton's Klez remover. I never had Bugbear - ran the Norton BB remover, but nothing was found.

I suppose this could be a residual from the Klez infection - until the HD on my wife's computer went belly up BOTH machines were normal. I have to wonder though - the HD in my wife's machine was only one week old when it "failed" - or was killed. It was cloned (DiskCopy) from the HD that was in there for several years - including the Klez interval.

This computer is only 5 months old, and has the drive it came with - including the Klez attack. However, the close timing of both alerts - basically 10 days apart - makes me wonder.

Roy
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

You never know, it might be a known glitch with Norton and/or a coincidence that the drive failed. Norton may have reported the truth about the MBR being changed, as the drive died, but couldn't fix it with an overwrite.

It would be interesting to hear what Norton has to say about it.
fredra
Advanced Member
Posts: 847
Joined: Mon Mar 20, 2000 12:00 am
Location: Nepean, On, Canada

Post by fredra »

Hmmmmmm
This is interesting.....
I have a question for you Norm.... would fdisk /mbr clean the Master Boot Record, after booting with a CLEAN WRITE PROTECTED floppy?
This is going to the DOS world, bypassing any Windows OS.
Also this assumes that the buggers have changed his MBR or infested the MBR.
Just my thought process at work here.
A man with a watch knows what time it is. A man with two watches is never sure.
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Originally posted by fredra
Just my thought process at work here.

8:25 a.m. and already Fredra is thinking. :D It's too early for that, go back to bed. :)

Actually, that should work, though I've never tried it myself. Whenever that screen appears to me and I've made no changes, I fdisk and start over. The very first virus I had that went undetected (My stupidity at the time for not updating definitions) nearly had me getting another hard drive.
RGromlich
Member
Posts: 64
Joined: Sun Dec 16, 2001 12:23 am
Location: Harrisburg, PA

from the Norton Knowledge Base

Post by RGromlich »

OK everyone - here is what I found in the Norton Knowledge Base on this situation - Master Boot Record Changed.

It seems that NAV can pick up SOMETHING that it thinks is an MBR change - Norton did not say WHAT was being picked up. They tell you to use the RESTORE MBR function (#2) -- ONLY -- if you are CERTAIN that a virus has been at work. If you restore the MBR and a virus was NOT at work you can render your disk unbootable. Their recommended action is to do nothing, update your virus definitions, run a full scan and if no viruses are found to tell NAV to update ITS copy of the MBR.

FINE - now they tell me. Unfortunately that information is NOT included in the alert box. I left them a message suggesting that that information be included in the alert window that pops up.
After all, it is a nice RED window that suggests that a virus is at work, so how is one supposed to know differently?

I have to tell you, I did hesitate for quite a while before doing that restore MBR - I wish I had followed my instincts there and skipped it entirely.

Give Norton one big BLACK mark.

And DO NOT select Restore MBR.

Roy J. Gromlich


BTW - I don't know if the fdisk /MBR command would have worked - I was tempted to try it before I pushed Norton's button. Wish I had.
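
Added example, not part of the thread and not Norton's code: a Python check that compares a saved copy of a 512-byte MBR with the current one and reports which region differs (boot code or partition table), the question to settle before choosing between restoring the old record and accepting the new one as the baseline. The function names and the sample sectors are constructed for illustration, and the classic layout is assumed (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature).

```python
import hashlib
import struct

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition table and signature."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0 means the slot is unused
            partitions.append((i, entry[0] == 0x80, entry[4], lba_start, count))
    return {
        "boot_code": hashlib.sha256(sector[:446]).hexdigest(),
        "table": sector[446:510],      # raw table, CHS fields included
        "partitions": partitions,      # decoded view for a human to read
        "signature_ok": sector[510:512] == b"\x55\xaa",
    }

def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return a list of findings; an empty list means no difference."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not new["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if old["boot_code"] != new["boot_code"]:
        findings.append("boot code changed")
    if old["table"] != new["table"]:
        findings.append("partition table changed")
    return findings

def sample_mbr(code_byte: int, lba_start: int, count: int) -> bytes:
    """Constructed sample: one active FAT32 (type 0x0B) partition."""
    entry = bytes([0x80, 0, 0, 0, 0x0B, 0, 0, 0]) + struct.pack("<II", lba_start, count)
    return bytes([code_byte]) * 446 + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    saved = sample_mbr(0x90, 63, 8000000)
    # Same boot code, different partition size: only the table differs.
    print(compare_mbr(saved, sample_mbr(0x90, 63, 16000000)))
    # Same table, different boot code: the case a boot-sector virus produces.
    print(compare_mbr(saved, sample_mbr(0xCC, 63, 8000000)))
```

A saved 512-byte copy carries the partition table along with the boot code, so the two findings call for different decisions.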
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Thanks for the reply, I was wondering if it was a glitch with Norton. Personally, even though others swear by Norton, I wouldn't put in my machines, and have in many cases been asked to remove it from the machines of my clients. It has caused other problems as well.

Fdisk /mbr only rewrites a mbr that it sees as corrupt from what I've read. Also, I'm not sure if a 98 mbr is the same as a 2K or XP mbr. Probably is identical, but it's something I haven't looked into as yet. I have halted most testing due to lack of parts. Had to sell the ram that was in my test machine.
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Originally posted by Norm
I wouldn't put in my machines.

That's just because you never get any viruses unless I send you one! :D
chpalmer
Advanced Member
Posts: 558
Joined: Sun Oct 13, 2002 3:52 pm
Location: Kitsap co Wa

Post by chpalmer »

Nice to know... Also be advised that Symantec won't give any free support on the phone even if you bought the product that day, they say it is all on the web, and they expect everyone to be able to find it. I suppose other companies do or will do this eventually, but it would be nice to have all the bugs worked out before that.
Never take any crap off an inanimate object!!

Never send email to this address: spam@euclidian.com. This is a spam trap and everyone sending any email to this address will be blacklisted.
Thorazine
Regular Member
Posts: 353
Joined: Tue Dec 14, 1999 12:00 am
Location: Washington, DC, USA

Post by Thorazine »

Symantec won't support the product the day you purchased it? With that, I would have boxed the CD back up and given it back to whoever you purchased it from.

I agree with Norm. I've never been a fan of Symantec's consumer-based software. I wouldn't load any of that on my machines.
chpalmer
Advanced Member
Posts: 558
Joined: Sun Oct 13, 2002 3:52 pm
Location: Kitsap co Wa

Post by chpalmer »

I lost faith in Norton shortly after Symantec bought the name.
My boss' new 2003 internet security was boxed back up and about out the door when I opened my mouth and said I'd fix it. Easy fix for someone familiar, but I should have let him take it back.