Dell Latitude D810
Windows XP (the Dell install disk which came with the laptop is labelled P/N UT993 and is XP SP2; I upgraded to SP3, then did a Windows repair back to SP2, and am in the process of getting back to SP3)
I've been working on a virus that I can best describe as the helpassistant virus.
I believe that this virus altered the mbr.
I believe the only way to clean it up is to do a fixmbr in the recovery console.
However, I have read a few posts regarding Dell's use of an alternate implementation of the MBR. I have visited the goodell site ( http://www.goodells.net/dellrestore et al) and believe that using that technique, the computer is restored to the "delivery state", which I assume means that all of the data files and programs I installed would be obliterated. I would rather not have that.
Is there a webpage written by Dell that CLEARLY explains how to perform the equivalent of fixmbr? Or how to repair the boot area of the disk in Dell-world?
The Dell Restore Partition that you find described on Mr. Goodell's site was never implemented on the Latitude series so far as I know. This feature was limited to the machines sold out of the consumer division, while the Latitudes are considered business division machines.
If you delete the existing partition(s) as a part of your reinstallation you will rewrite the MBR by default. Even simply reformatting and installing Windows onto the newly formatted hard drive will at least modify the MBR. Anyone who has a computer that was delivered with the Windows XP PC Restore feature and chose to perform a manual installation of Windows found this out the hard way. After performing the manual installation, PC Restore no longer works because the act of installing Windows changes the MBR.
EDIT: With regard to a help page on FIXMBR, I would suggest going to support.microsoft.com and typing Windows XP FIXMBR in the search box at the top of the page. You will find that you need to install the Windows Recovery Console in order to use the command, and since you didn't install it when you initially installed Windows, you will have a couple of extra steps to perform. It turns out that you can't use a Windows XP SP2 CD to install the recovery console on a hard drive that has been updated to SP3, just as you can't use the SP2 CD to perform a repair install (at least not directly). I have probably not found everything on this subject, however, since I could have sworn that there was a way to use the command directly from the Windows installation CD. I didn't see anything like that in my search.
EDIT #2: Yep, found it. See this: http://support.microsoft.com/kb/314058
Dell Forum member since 2005
Thanks so much for this response (and the edit).
Aside: I believe I already had the recovery console installed on this PC before I went to SP3.
I was able to log in to the recovery console (under SP3, but using the Dell disk), and then I started to use the fixmbr command. However, I got the following notice:
**caution** This computer appears to have a non-standard or invalid master boot record. FIXMBR may damage your partition tables if you proceed. This could cause all the partitions on the current hard disk to become inaccesible. If you are not having problems accessing your drive to not continue. Are you sure you want to write a new MBR?
>>>>>>>>>>>>>>>>>>>>>>>>>> end paste
here is a guy who got it too: http://en.community.dell.com/forums/t/19266189.aspx?c=us&l=en&cs=19&s=dhs
So I chose not to use fixmbr, and then started investigating regarding the fixmbr command and Dell. No Dell Community posts seem to give a good explanation of what is going on.
I am wondering if this method below from goodells site might help me figure out if the mbr is a Dell MBR:
>>>>>>>>>>>>>>>>>>>>>>> begin paste
How the DSR Partition Boots All DSR versions boot by using MBR boot code that is new and customized by Dell. This Dell MBR does not affect the boot process when booting the Windows partition or the Utility partition--indeed, no special MBR is needed to boot either of those. However, the DSR partition cannot be booted without this new MBR. To reach the DSR partition, Ctrl+F11 must be pressed when the computer begins to boot. A normal MBR does not contain any provision for recognizing the Ctrl+F11 key combination, so would simply ignore the keys and boot normally. Dell's new MBR code, however, recognizes Ctrl+F11 and diverts the boot process to the DSR partition (typically, "PBR 3"). The Dell MBR displays a characteristic single blue line on a black screen during the boot process. A normal MBR will not show this blue line, so that is an indicator that can be used to tell whether or not your system has a functioning Dell MBR.
>>>>>>>>>>>>>>>>>>>>>>>>>> end paste
This should not be so confusing...
I found this link on the Dell website:
However, when following the link to the Drivers and Downloads page
( http://supportapj.dell.com/support/downloads/download.aspx?releaseid=R121517&formatcnt=1&libid=0&fileid=212557 )
the Compatibility dropdown identifies ONLY the following systems:
Is this true? There is no way to fix the MBR on my Latitude D810?
It took a bit to figure out what that file is for, and it appears to be a repair for Dell laptops using Media Direct. I don't believe your machine has that. Which brings me to the next question; if you use the fixmbr command you can lose track of partitions other than your boot partition. How many other partitions do you have? If you have only one partition to begin with, I don't see how using the fixmbr command will cause you a problem.
Thanks so much for the reply.
This laptop is just as it was received from Dell (configured by Dell). So I believe it has the special area that can be used to restore you to the delivered state somehow. I think it is accessed using Ctrl F12 at a particular time during boot-up. I believe Microsoft's fixmbr command will replace Dell's "configuration" of the disk.
I used MBRwizard and have the following data for the Dell Latitude D810:

    mbr ndx  Type/name   size  active  hide  start sector  sectors
    0   0    DE-UNKNWN   62M   No      No    63            128,457
    1   1    07-NTFS     76G   Yes     No    128,250       156,151,800

I checked two Dell Latitudes at work (D510 and D610) and their data looks like this:

    mbr ndx  Type/name   size  active  hide  start sector  sectors
    0   0    DE-Dell     47M   No      No    63            96,327        (same for both)
    1   1    07-NTFS     38G   Yes     No    96,390        78,027,705    (Latitude D510)
    1   1    07-NTFS     57G   Yes     No    96,390        117,113,850   (Latitude D510)

The work Latitudes are equivalent (different size hard drives), but compared to my D810, the Type/name is different and the size of the Dell "special area" is different. But I don't know enough about the MBR and Dell's modification of the hard disk configuration to make decisions regarding fixmbr. I am also wondering if the MBR is changed or the boot sector location is changed. I just don't have the right amount of knowledge yet.
Your latitude has two partitions; the first is a FAT partition that holds the diagnostics. That partition becomes active only if you press F12 during self test after you start or restart the computer. The second partition is your C: drive. You do not have a restore partition; if you did, you would have a third partition that would also be unknown, would be FAT32, and is active only if you use the CTRL-F11 hot key combination during the period that a blue stripe appears at the top of your screen.
This information would lead me to conclude that the thing that is making your boot record non-standard is the virus. I don't believe using fixmbr will cause you any trouble, and it shouldn't even affect the partition containing the diagnostic routines.
Thanks for your patience.
I don't really know a lot, but I will write as if I do. With fixmbr, I am replacing the MBR with a standard MBR. I've looked at a couple of other PCs and see that the MBR info from MBRwizard shows some program at sector 63, with some length, and then another partition starting at 63 + "some length", which contains the normal, usable space. When fixmbr is used, what actually gets replaced in the MBR? How will it find the 07-NTFS start sector, since the start sector seems different depending on the size of the partition that starts at sector 63?
I went through some of these issues a couple of weeks ago on a Dell XPS 720 which did have the 3 partitions that Jack shack talks about (1. Dell utilities, 2. C: drive, 3. a partition that restores back to factory settings). My issue was that there were bad sectors on the C: drive; it quickly deteriorated, and eventually the MBR was affected/corrupted. When I went through the steps to consider whether to use FixMBR, I think I got the same error response that you first posted... and if I'm not mistaken it is a standard error response (I could be wrong though).
I too debated whether I should use Windows FixMBR (which, to answer one of your last questions, I think rewrites a brand new Windows original MBR over top of the old one on the C: drive).
The issue is that if the Dell MBR on a C: drive is at all proprietary / customized, then when you use Windows FixMBR, the 3rd restore partition will never work again, and this is why so many Dell customers end up at the site that you mentioned (Goodell? or whatever his name is). He has created workarounds to the problem that gets created using FixMBR (and other things as well).
I think the reason Jack shack is saying it's probably okay is because you do not have this 3rd partition that is on some Dell PCs.
However, random problems can start to happen when you mess around with this MBR stuff. My PC got so bad that it was completely unbootable (no F2, F12, Ctrl F11, F8... just some black message about the PBR (must be related to the MBR)). I couldn't find a solution and the drive was clearly on the way out anyway, so I bought a new drive and reinstalled everything on it.
The bottom line is that you can make a backup of your current MBR using a tool called MbrTool; you can get it HERE. When I eventually used FixMBR, my PC would not boot at all (black screen, I don't think there was even a message)... However, I had, minutes before, used the MbrTool (which works from a bootable CD you create) and so I had a backup copy of my MBR (which it saves to a particular sector, so if you use it make sure you write down which sector it wrote to)... I was at least able to get back to the state before I had run FixMBR.
Sorry for the long post. Good luck.
P.S. When I was going through my own messy MBR problems, I searched around hoping I could find a copy of the same MBR somewhere on the net but had no luck. If I knew someone with the same PC as mine I would have used that tool I mentioned above to copy it and put it on my PC. (The tool allows you to copy the MBR to a folder.)
Oh, while the PC is still seeing F2 BIOS or whatever gets you into the setting for changing the boot sequence, I would suggest changing the settings NOW to boot first from the CD/USB drive. That way if you have big problems after trying FixMBR, you can boot from CDs to troubleshoot. (You may have already done this of course.)
P.P.S. When FixMBR is used, and it works, you do not lose your data, like My Documents etc.
Hey guys, thanks for all this information. I hope others can find this information useful.
I just did some major investigating, including disassembly of the MBR on good Dells and my problem machine. Again, I am doing this because of the "HelpAssistant" virus, and I was pretty sure that the MBR was getting hijacked. I even found out that a version of the original MBR is located on my hard drive under C:\windows\system32\dmadmin.exe at location 34E28 hex, and I disassembled it to study it!! (BTW, absolutely no partition table data in there.) Way more information than I ever wanted to learn...
I located the goodells page that I had not seen before: http://www.goodells.net/dellrestore/fixmbr.htm
Don't know why I missed it, but it has a superb explanation of the problem, and the site provides a tool to do the work. The problem with using fixmbr is that some of the MBR repair/replacement programs, such as fixmbr, will replace the entire block of 512 bytes, which includes the partition table. The goodells program mbrsaver lets you choose to only reinstall the boot code and not the partition table or the disk ID. (It is not clear about the English language code; I am assuming that the code is set to English, but those three bytes could be changed later if needed.) On Monday, when I have access to a working Dell computer, I will capture the MBR using the mbrsaver program, and then restore it into my troubled PC.
I now know that it is important to go on every machine that I have and make a backup of the master boot record. I used MBR wizard (from the Ultimate Boot CD) to capture the MBRs that I am looking at now, but the MBRwizard might only restore the entire MBR including the partition table. The best solution seems to be to use the goodells tool.
In addition, for anyone else who has this problem, I would recommend the following tools/webpages that I used:
this webpage has an excellent description of the MBR, it really makes it clear with colored sections of the code corresponding to text descriptions.: http://thestarman.narod.ru/asm/mbr/Win2kmbr.htm
I also used the IDA Interactive Disassembler from www.datrescue.com to look at the MBR code that was corrupted.
I am going to post the beginning of the corrupted MBR just so people can see the difference. Unless you have done assembly language before, this will all look like gobbledygook, and I don't even know all of the op codes for the processor, but you can see from the good one that it is setting up at least one address at 7C00, which is a value that I read about in some descriptions. The bad MBR looks like it has a long jump command to a very high location in memory.

    xor eax, eax
    mov ss, ax
    mov esp, 50FB7C00h
    pop es
    push eax
    pop ds
    cld
    mov esi, 1BBF7C1Bh
    push es
    push eax
    push edi
    mov ecx, 0A4F301E5h
    retf
    ...

    xor eax, eax
    mov ds, ax
    mov es, ax
    mov ss, ax
    mov esp, 1ABE7C00h
    jl short near ptr 0FFFFFFCEh
    add [esi], al
    mov ecx, 575001E6h
    cld
    rep movsb
    retf
    ...

An additional piece of very useful information: according to this excellent webpage, http://thestarman.narod.ru/asm/mbr/WTC.htm , a copy of the MBR is stored in a couple of different files on your PC. The page listed above identifies these files. Click on the appropriate link, but pick YOUR operating system (different files for different operating systems and sometimes service packs). The CODE section is the only part that you would use to restore. In those copies identified in the link above, the CODE is the ONLY section that has data, but the disk ID bytes are ZEROED OUT and the partition section is ZEROED OUT. So make sure you restore ONLY the CODE section when using a program such as MBRsaver from the goodells website.
Excellent last post. Thanks for the info. Something I always wondered was that... I think some programs that a user puts on their PC can make changes to the MBR (non-malicious of course), e.g. Norton Ghost... I wondered what effect that would have on the usage of FixMBR at some later point. Would an installed program (like Ghost) get all upset if the MBR goes back to a default Windows factory value? I sort of suspect it would but don't know how badly it would affect operation, e.g. booting.
BTW, when I got my PC working again I ran out and bought Acronis and had it do 1) a C: drive backup and 2) a system folder and MBR backup. The things you learn on these forums...
EDIT: Not wanting to change the direction of this informative thread, but HERE is one success story on the removal of the virus, and it involves using FixMBR as you have noted.
Thanks for the info.
Please note that the FixMBR example link that you provided is for a computer whose brand is not specified. I will assume it is not a Dell. I just don't want people thinking that fixMBR will work for a Dell.
I am putting an edit on my last post to include locations of the MBR code (not disk identifier nor Partition table) which could be on your hardrive in another file. This would be for the case in which you still can access your harddrive, but got the MBR code portion hacked.
I did use the mbrsaver program from the goodells website.
I took the code section of an MBR I got from another Dell Latitude (D610) that I obtained using the MBRwizard program (www.MBRwizard.com) and saved it as D610.mbr. (MBRwizard can read the MBR data from within Windows, but mbrsaver cannot.) I put that code on my USB flash drive. The filenames or extensions are not important.
I made a bootable CD using the iso file from the goodells site. The MBRsaver program gets installed automatically.
Put in my flash drive, put in the CD, and rebooted, making sure that the bios had selected to boot from CD first.
PC booted to the CD.
Interesting note: the CD is identified as either drive A: or B:, but I could not see any of the goodells files when doing a dir command. The USB drive was C:. Just for fun, I went through the whole drive letter alphabet and R: was the only other one that was active, and that was where all the goodells programs showed up. So, I could not get access to the hard drive. HOWEVER, the MBRsaver program went to the hard drive. It was like magic.
Second interesting note: the version of DOS commands used on the goodells iso file ONLY likes 8-character filenames with 3-character extensions. A real blast from the past.
I used the command MBRsaver /s c:\hacked.mbr to save the current hacked MBR from my hard drive and store it on my USB flash drive. And yes, it did magically find the hard drive. I did this in case the MBRsaver program did not work, or the Dell was configured weirdly, etc.
I used the DOS command type c:\hacked.mbr just to see that something was there. Of course, it was just a short group of garbage text and symbol characters because it is a binary file and not a text file, but it made me feel good that it was stored. (I actually rebooted to Windows to look at the file with a hex editor to make sure that the mbrsaver program actually saved the file in the same manner as the MBRwizard program... and it did.) Then I rebooted with the CD and flash drive to continue.
I used the command MBRsaver /r c:\D610.mbr to take the Dell Latitude D610 MBR file from the flash drive (C:) and get it back onto the hard drive ("restore"). The MBR saver program will then ask you if you want to restore the code (select yes), the drive id (select NO), and then the partition table (select NO). Boom. It was done.
I removed the CD and the USB, then rebooted and my MBR worked perfectly. Including no more helpassistant virus (the cause of this whole investigation/learning experience). Partition table not affected. Disk ID not affected. Worked fine.
N.B. You might be able to make a bootable USB drive and put all of the stuff on the flash drive, if your PC can boot from USB.
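For the MBR layout described earlier in this thread (boot code, disk ID bytes, partition table, 55AA signature) and the MBRsaver restore choices just described (code yes, drive ID no, partition table no), here is an added Python example that is not from the thread or from any of the tools it names: it splits a 512-byte image into those sections, reports the first byte at which two code sections differ, and splices a donor's boot code onto this disk's own ID and partition table, which is the defender's check before and after such a restore. The sample images, disk IDs, the zero-padded code area and the NTFS start sector are constructed, not captured from a real machine.

```python
"""Split, compare and code-only-splice 512-byte MBR images (added example)."""
import struct

SECTOR = 512
CODE_LEN = 440       # boot code: offsets 0x000-0x1B7
DISK_ID_OFF = 0x1B8  # 4-byte Windows disk ID, followed by 2 bytes usually zero
PTABLE_OFF = 0x1BE   # four 16-byte partition entries
SIG_OFF = 0x1FE      # 0x55 0xAA boot-sector signature


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into the three sections MBRsaver asks about."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR image must be exactly 512 bytes")
    if mbr[SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    parts = []
    for ndx in range(4):
        e = mbr[PTABLE_OFF + 16 * ndx:PTABLE_OFF + 16 * ndx + 16]
        start, count = struct.unpack("<II", e[8:16])
        if e[4]:  # a zero type byte marks an unused slot
            parts.append({"ndx": ndx, "type": e[4], "active": e[0] == 0x80,
                          "start_sector": start, "sectors": count})
    disk_id = struct.unpack("<I", mbr[DISK_ID_OFF:DISK_ID_OFF + 4])[0]
    return {"code": mbr[:CODE_LEN], "disk_id": disk_id, "partitions": parts}


def first_code_difference(a: bytes, b: bytes):
    """Offset of the first differing byte in the boot-code sections, or None."""
    return next((i for i in range(CODE_LEN) if a[i] != b[i]), None)


def restore_code_only(hacked: bytes, donor: bytes) -> bytes:
    """Same effect as answering code=yes, drive id=no, partition table=no:
    the donor's boot code on top of this disk's own ID and partition table."""
    parse_mbr(hacked)  # validate both images before splicing
    parse_mbr(donor)
    return donor[:CODE_LEN] + hacked[CODE_LEN:]


# --- constructed sample data (not captured from any real machine) ----------
def _entry(active: bool, ptype: int, start: int, count: int) -> bytes:
    """One partition-table entry; CHS fields hold the LBA 'don't care' value."""
    chs = b"\xFE\xFF\xFF"
    head = bytes([0x80 if active else 0x00]) + chs + bytes([ptype]) + chs
    return head + struct.pack("<II", start, count)


def build_mbr(code: bytes, disk_id: int, entries: list) -> bytes:
    code = code.ljust(CODE_LEN, b"\x00")[:CODE_LEN]
    table = b"".join(entries).ljust(64, b"\x00")
    return code + struct.pack("<I", disk_id) + b"\x00\x00" + table + b"\x55\xAA"


# First 27 bytes of the standard Windows XP MBR (the 'good' listing in the
# thread read as 16-bit code); the rest of the code area is zero-padded here.
XP_PROLOGUE = bytes.fromhex("33C08ED0BC007CFB5007501FFCBE1B7CBF1B065057B9E501F3A4CB")
# Modelled on the D810 output: DE at sector 63 for 128,457 sectors, then the
# active NTFS partition, placed here (constructed) right after the first one.
D810_TABLE = [_entry(False, 0xDE, 63, 128457), _entry(True, 0x07, 128520, 156151800)]
D610_TABLE = [_entry(False, 0xDE, 63, 96327), _entry(True, 0x07, 96390, 78027705)]
HACKED = build_mbr(b"\xCC" * 8 + XP_PROLOGUE[8:], 0x0D810ABC, D810_TABLE)  # tampered
DONOR = build_mbr(XP_PROLOGUE, 0x0D610DEF, D610_TABLE)  # clean image, other Dell

if __name__ == "__main__":
    for p in parse_mbr(HACKED)["partitions"]:
        print(p)
    print("first differing code byte:", first_code_difference(HACKED, DONOR))
    fixed = restore_code_only(HACKED, DONOR)
    print("code still differs after splice:", first_code_difference(fixed, DONOR))
    print("own disk id kept:", hex(parse_mbr(fixed)["disk_id"]))
```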
Hopefully this won't confuse people, but that link I gave is to a generic (any PC) DOS-based tool called MBRTool (it's freeware, BTW) that is used to make a backup copy of the master boot record (maybe it's similar to MBR Wizard or some of the Goodell tools, but I don't think so, although I've never used any of them). I used MBRTool to make a copy of my MBR before I started to mess around with things. Thankfully I did that, because I had to use its recovery option later and get my old (even if not working) MBR so that I could at least go a bit further in the booting process, i.e. so that I could at least see F2, F12, the Dell blue logo line, etc. If I hadn't made the backup with that tool I would have been completely out of luck, because after using the Windows XP recovery console to run the command FixMBR, all I got was a black screen with a flashing underscore symbol in the top left corner (as far as I can remember). (I'll note again here, because it's critical, that if anyone uses MBRTool, make sure you write down the number it gives at the end for which sector it made the copy to... if/when you restore, it asks for that info.)
I may as well do an edit here too... when I said Norton Ghost will make a change to the MBR I should have said Norton GoBack will make a change to the MBR... and to answer my own query about that... I found out that when you go back to a default Windows factory MBR using the Windows command FixMBR, a program (like Norton GoBack in this example) will become inaccessible because of the new MBR (assuming one can still boot into the Windows OS after messing around).
I guess I bring this last point up because how can one be sure (unless it's been validated somewhere/somehow) that the changes shown in the disassembled code are due to a virus and not due to a legit program... I think most security software will change the MBR...?
Thanks for clarifying earlier in your posts that it's not as simple as taking an MBR from a friend's machine and putting it on my Dell XPS 720 to have tried in solving my corrupted MBR at the time. As you noted, the MBR is specific to a given drive and certain numbers gotten from the drive (or something like that)... partition tables etc. are not my thing but I do find them fascinating.
BTW, I would not myself have gotten into any of this MBR stuff except that I had absolutely nothing to lose... the computer would not boot into or access C: Windows no matter what I tried... Hiren's boot CD, Macrium Part PE boot CDs, etc. In my case there was probably too much corruption on the disk... in fact when I used it as a second drive later to see if I could recover anything, nothing could read the data from it, e.g. the Windows OS could see it but not read it, Partition Magic, several recovery software products etc... they all noted corruption in the data...
Hey, just saw your post... I think we were posting at the same time... that is amazing and you addressed some things I was wondering about. I think MI-5 could use your skills, or James Bond or something... Excellent!!
It is a good idea for every computer user to use any legitimate program to save their MBR when they get their PC; one site half-jokingly recommends writing down the hex code on paper and storing it away.
In your array of tools, you should check out Ultimate Boot CD. It is an open source program that you can customize. It does use your Windows XP disk, so you need that too. UBCD creates a RAM drive and loads a Windows environment from the CD into your RAM. You could theoretically get your files off a compromised drive if your MBR code is corrupted. They give you tools to debug files and system and hardware problems, viruses and junk like that, and it allows you to add your own favorite anti-malware programs.