Alternative Corrective MBR Procedures

Discussion in 'backup, imaging & disk mgmt' started by EASTER, Apr 19, 2008.

Thread Status:
Not open for further replies.
  1. Hairy Coo

    Why don't you download Free Download Manager here? It will increase your D/L speeds a lot.
     
  2. innerpeace

  3. Hairy Coo

    Last edited: Apr 20, 2008
  4. innerpeace

    Yes, I just noticed that :( . The file size is also much smaller than the one at Major Geeks.

    Sorry EASTER
     
  5. EASTER

    No problem innerpeace

    The programs are right here, I think, and I just need a way to do an instant replacement for both the MBR & Partition Table when I start to turn these sample MBR beasts loose to study their effects.
     
  6. Hairy Coo


    To get this working, download version 2 from the Major Geeks site (not the author's).
    There will be an ISO file which should be burned onto a CD/DVD.

    From Operations, select Backup Partitions Table.

    The trick then is, as you have booted from the Super Fdisk CD and want to back up the partition table to the floppy drive, you cannot back it up to drive A:, because drive A: is a virtual drive of the CD.

    You can back up the partition table to drive B: (i.e. b:\disk.dat).
     
  7. Mrkvonic

  8. markymoo

    Yes, but I was talking of a solution to Easter's main problem on recovery from rootkits.

    @Pete

    OK, you had a RAID and you were trying to wipe it, but due to a bad, corrupt partition table it wouldn't let you. I remember you talking about a bug a while ago. No software that you tried could make sense of it to wipe it? There was no data to save, you just wanted to wipe it, correct?

    Could you not have turned off the RAID and booted off another XP hard drive and then wiped the drives in XP? The XP would see them as 2 non-RAID drives and you could just use a wipe MBR utility over the first 128 sectors of each disk. Or you could have first tried installing the RAID driver on that separate XP to see if it saw the RAID array, and used a wipe utility that would have wiped the Partition Table. The utilities would not try to make sense of the drives; they would just treat them as non-valid drives but still wipe them. Then when any software reads them again it sees them as valid drives on which a new partition can be made and then formatted; you could then recreate the RAID. It doesn't seem so bad if you have the right utilities and a separate XP. If you had any MBR and Partition Tables saved before, you could restore them after you wiped it. Let me say that certain utilities don't try to make sense of the drives; they treat them as dumb and can just wipe them.

    Software that tries to read the partition table: if it is so corrupt, either by MS bugs, rootkits or whatever else, most recovery software goes "ahhh, I can't read this" and falls flat, gives up and crashes. This is the wrong software to use. A good wipe utility will solve it every time.

    Now if you had data to save off this RAID you could have booted off this spare XP or a recovery CD and used certain software like Active@ Undelete, which handles recovery from RAID even without the RAID driver; all it needs to know is which drives were in the RAID, and it would ignore any partition table, corrupt or otherwise, and just scan every sector of the drive for data. If the entire partition table and the MBR are wiped you can still get your data back. The reason this works is the software just needs to be told what filing system was there, NTFS etc., to work out the data stored.

    No super rare Microsoft bugs or super scrambled Partition Table can beat a wipe utility run from a separate storage device, even if it happens to be RAID, because certain utilities access the hardware at a low level and don't try to read what's on the drive and go ahead and wipe it, which corrects anything. Any average software thereafter can read the disk normally again. Once you turn the RAID off you are automatically breaking out of the RAID. I suspect the WD diagnostic util that you were sent was just a wipe utility to zero out every sector on a disk, like every hard drive manufacturer supplies.

    We can improve on the solution to include this and the problem Easter presented initially, but it would need to be able to read different RAID, and getting to see RAID in DOS is another matter, so for this case it would have to be a Windows recovery CD with RAID drivers built in; but that would only be necessary if you wanted to save the data or have decent free recovery software that does RAID too, preferably a non-Windows recovery CD. I wouldn't recommend a Windows CD to see a RAID with a damaged PT, as this tries to read the drive too much, resulting in a crash.
     
    Last edited: Apr 20, 2008
  9. markymoo

    Yes, TestDisk is a good one, but for a more automated approach I recommend MBRWiz, the DOS version, for backup and restore of the MBR, which includes the partition table, and it also has the feature to wipe the first 63 sectors, wiping any corrupt partition table. If you are interested I can incorporate it into my recovery menu, which incorporates Grub and includes TestDisk, which is still ongoing, for ease of use.

    http://mbrwizard.com/download.shtml

    I check out PTDD Superdisk.

    The partition table is just 64 bytes of code from byte 446 to byte 509 of the MBR's 512 bytes. So any program that can back up and restore sectors outside of Windows will do it! Or just back up the entire MBR so it contains everything you need!
     
    Last edited: Apr 20, 2008
  10. EASTER

    Thanks markymoo

    I think it was either you or another member who made some mods to this app to include that very thing, such as backing up and restoring the Partition Table and even Heads.

    Some will argue, and rightly so, that any good backup program can handle that chore as well, I know, and it's true, but it should also be noted that a simple procedure like this one, for example, can be put together on a CD/floppy, inserted, and in no time flat an MBR/PT Table deformity or corruption from a malware attack can be resolved automatically in a matter of seconds too, if not faster. Maybe no more efficient, but at least faster than going through the trouble of running your backup program and restoring an image.

    Thanks everyone for really valuable and useful comments and comparisons. While I don't think at this point we have that much to concern ourselves about regarding this, you can never let your guard down, and it's always good to have a quick and handy emergency plan if something like that did happen or even got past one of our reliable security defenses, since it can happen and does.
     
  11. EASTER

    markymoo

    Can you reupload this again: It was a fine addition you made for MBRwhiskey as MBRwiz but the "file is expired". At the time it was deeply discussed regarding mostly alternative measures to making backups by apps like DriveSnapshot and attempts to preserve ISR images. A really informative and engaging topic to say the least.

    https://www.wilderssecurity.com/showpost.php?p=1121328&postcount=121
     
  12. markymoo

    @Hairy Coo
    I checked out Super Fdisk and even though it has a GUI there's no option to back up or restore the MBR, only erase it, so it would be no good for repairing your system after an infection from an MBR rootkit. You would need to use an extra util to do the restore; might as well use a util that does all in one. Nice find still.
    @All You can download the freeware version here if you want to check it out: http://www.tucows.com/preview/361621
     
    Last edited: Apr 20, 2008
  13. Hairy Coo

    markymoo,

    It does back up and restore the partition table - I've backed it up quite simply, just press a button - and had assumed that this table included the MBR code.
    Are you sure it doesn't include the MBR?
    It would be strange if it didn't, after all the claims and user ratings.

    See my post 31 - the floppy drive path has to be changed from A to B and it's functional.

    That download from Tucows mentions version 1, which in fact is crippled trialware.
    Freeware version 2 d/l from an MG link only, here.

    Edit: That MBR Wizard looks good but is command line only, no GUI, which would help a lot of users.
    It seems SuperFdisk is the only one with a GUI.
     
    Last edited: Apr 20, 2008
  14. EASTER

    Thanks

    That's what I've been trying to say all along
     
  15. markymoo

    That's why I was recommending a simple DOS solution and an automated way, for speed. MBRWhisky would have to be run from a Windows Recovery CD, but here is the modified version again.

    http://artco.adsl24.co.uk/markymoo/mbrwhisky.rar
     
    Last edited: Apr 20, 2008
  16. markymoo



    OK, I just checked it again on your knowledge and yes, you're right!! It does back up the entire MBR and not just the Partition Table. Sorry, I went on the description of it backing up the Partition Table, which is not strictly the MBR; that's why I dismissed it. All other programs list Partition Table as one option and backup of the MBR as another. This program is a one-off and so is misleading. I opened up the ISO and copied the files to a bootable floppy and tested it out with MS Virtual PC and a floppy drive, and it works well; it backs up all 512 bytes. So big apologies!

    I did actually use the version from Tucows and don't get why you say it's crippled. It came with the ISO. The EaseUS is crippled, which is something else and not v.1. I tried all the links. The last one works. If it's version 1.0 it won't be crippled. It says v.1 PTDD in the program, so it's freeware, right? You can't download it from their site, so if it's v.1 it's free. What's crippled about it if I can back up to the floppy?

    There is one snag I see with Super Disk though, and that is if you changed your partition sizes sometime in the future after backing up, and you need to restore the MBR backup and you've forgotten you changed your partition, then it will overwrite your new Partition Tables with the old and corrupt your data! It's all well and good if you never change your partition sizes. A utility that just repairs the MBR and doesn't touch the Partition Table is far safer, which is what FIXMBR does from the recovery console. A freeware MBR backup and restore that is a GUI is rare, so well done.
     
    Last edited: Apr 20, 2008
  17. Hairy Coo

    markymoo,

    The Tucows download specifies version 1, which originally was DOS shareware (see post 27 - Softpedia and the developer's site) and, according to one user dug up by Easter in post 23, crippled.
    However, in fact, Tucows downloads the freeware, as you said.
    Agree the GUI says version 1 - can't find my reference to vers 2 - so you could be right; this is version 1 model 2 or something.

    As I said in posts 17 and 24, Major Geeks have the same d/l as Tucows.
    However, all this, where it's downloaded from and what it's called, shouldn't become the issue; the issue is the app itself!!


    Many thanks for taking the time to test - so it works well :thumb: :thumb:

    What appealed to me was its simplicity - did a partition hide, disk surface test and table backup, all just a button press on the GUI :)

    Surely this applies to ALL backup apps, except those on a schedule or auto.
     
    Last edited: Apr 20, 2008
  18. EASTER

    More federation treachery (Smiles)

    I also redownloaded it from Tucows since it's confirmed version 1.0, and apologize for rebutting. It's really no one's fault but the manner in which developers/authors distribute their various shares; additional clarifications would be helpful if they only made use of them more often and not just say to file services, here, post this one and this vague info.
     
  19. markymoo

    Yes, Superdisk is light and does the job, but I will do some testing. You wonder why you can't download it from PTDD. It makes you wonder, are there problems with it or has it simply gone out of date? I would check it shows your partitions correctly and whether it works with big drives. On a restore of the MBR, will it detect any existing partitions and just restore the MBR's first 440 bytes, or will it restore 512 bytes, ruining your partition and data? It looks simple; I hope it's smart enough.

    @Easter - send out the Vipers
     
    Last edited: Apr 20, 2008
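
The layout and the restore question raised in the posts above (partition table at bytes 446 to 509, the stale-backup snag, and restoring only the first 440 bytes), as an added example that is not from any poster or from the tools discussed. It works on 512-byte sector copies held in memory; `make_mbr`, `BACKUP` and `CURRENT` are constructed sample data, and the filler boot code is not real code.

```python
import struct

SECTOR = 512
BOOT_CODE_LEN = 440           # bytes 0-439: boot code ("first 440 bytes" in the post above)
PT_OFFSET = 446               # bytes 446-509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"       # bytes 510-511: boot signature


def parse_partition_table(mbr: bytes) -> list:
    """Decode the non-empty primary partition entries of one 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 55 AA signature")
    entries = []
    for slot in range(4):
        raw = mbr[PT_OFFSET + 16 * slot:PT_OFFSET + 16 * (slot + 1)]
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if raw[4] != 0:  # partition type 0 marks an unused slot
            entries.append({"slot": slot, "active": raw[0] == 0x80, "type": raw[4],
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def table_is_stale(current: bytes, backup: bytes) -> bool:
    """True when the backup's table no longer matches the disk (the resize snag)."""
    return parse_partition_table(current) != parse_partition_table(backup)


def restore_boot_code(current: bytes, backup: bytes) -> bytes:
    """Take boot code from the backup; keep bytes 440-511 of the current sector,
    so the live partition table is never overwritten by an old one."""
    parse_partition_table(current)  # raises if either sector is not a valid MBR
    parse_partition_table(backup)
    return backup[:BOOT_CODE_LEN] + current[BOOT_CODE_LEN:]


def make_mbr(code_byte: int, parts: list) -> bytes:
    """Constructed sample MBR: filler boot code plus (type, start, count) rows."""
    mbr = bytearray(SECTOR)
    mbr[:BOOT_CODE_LEN] = bytes([code_byte]) * BOOT_CODE_LEN
    for slot, (ptype, start, count) in enumerate(parts):
        struct.pack_into("<B3xB3xII", mbr, PT_OFFSET + 16 * slot,
                         0x80 if slot == 0 else 0x00, ptype, start, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


# Constructed data: a backup taken before a repartition, and the disk today
# with altered boot code (0xCC filler) and a resized two-partition layout.
BACKUP = make_mbr(0xAA, [(0x07, 63, 1000)])
CURRENT = make_mbr(0xCC, [(0x07, 63, 600), (0x07, 663, 400)])

if __name__ == "__main__":
    print("backup table differs from disk:", table_is_stale(CURRENT, BACKUP))
    fixed = restore_boot_code(CURRENT, BACKUP)
    print("table after boot-code-only restore:", parse_partition_table(fixed))
```

If the current sector has lost its 55 AA signature, `restore_boot_code` raises instead of guessing, and the choice of a full 512-byte restore is left to the operator.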
  20. Hairy Coo

    Just carried out a test on C drive with Super FDisk.

    Using a recovery CD, started into the GUI.

    Backed up the partition tables to a floppy, then erased the MBR, which also wipes out any partitions.

    Rebooted as requested and instead of an "NTLDR or OS is missing" window coming up, the Super Fdisk GUI was there, asking to restore, nice touch - the CD wasn't present.

    The partition tables, which had been saved on the floppy, restored the MBR without problems - everything is working fine as before.

    Don't know how it would perform with any type of RAID, as mentioned by Peter, or multiple partitions, or more rigorous testing, both of which markymoo queried.
     
    Last edited: Apr 21, 2008
  21. Hairy Coo

    markymoo,
    just trying MBR Whisky/Wiz - does look great with a lot more details - good job!
    But how do you retrieve the dat file - are you supposed to d/l it to a floppy and do the restore by DOS?
    Edit: can see now - your post 40 mentions a recovery CD - also I see it's a plug-in for Bart
     
    Last edited: Apr 21, 2008
  22. markymoo

    Yes, it works OK for me too, but I never got that message on reboot after erasing it; restore went fine. It didn't work with my keyboard though, maybe because my DOS disk startup was bare. It even sees my RAID partition. It also backs up the Extended MBR, so it would be good for Boot Managers. Running it from CD you would need a floppy or USB to back up to, so it's more suited to USB to be able to save the backup, plus a lot fewer have a floppy now. I still think it is a heavy-handed approach to erase the PT just to fix the MBR though. You come to restore your MBR 6 months down the line and forget you have a new partition. If you keep the same partition then it's fine to use. Ideally you just want a no-thinking restore run from a bat file. I have looked around and all the good MBR utils back up the entire MBR, not less. If there was ever a util needed to not just rely on FIXMBR, it's long overdue. I will come up with something. Incidentally, GPartEd, which Easter brought to Wilders' attention, works, but you have to type a lot on the command line.

    Mbrwhisky - There is no dat file needed; the dat file is the extension to the name of the file you decide to save. You can load a saved dat file back in. You need MBRWiz in the same folder, that's it. I changed 1 option, not many, which saves the entire HEAD 63 sectors, which is useful, which is sector 0 to 62; this ensures backup of any Extended MBR, Boot Managers. This wouldn't back up the boot sector to the partition though. The NTFS Boot sector starts at 63 and the NTFS Master File Table ends at sector 125, so wiping sectors 0 to 128 makes it very hard to recover data. You have to do a very long scan; it's also good to do for problem drives not reporting correctly. Sectors 1 to 62 are usually empty, so that gives 32K of room for rootkits to live there :eek: . Certain rootkits declare a standard MBR when you read it from within Windows.

    I don't think we've seen the last of MBR rootkits, because there's only a handful of anti-rootkit software that can stop writing there, and even less software detects that anything's there. I can run a DOS util from XP and it writes to the MBR with no question, even with certain a-v installed, and with Vista most turn off UAC. The majority of users out there are not running software such as GMER. I have read a white paper that alters Grub to store a rootkit. Grub is stored over the first 15 sectors.

    It's one more reason to take regular backups or take a differential every day, and don't surf without Sandboxie, and use X64 Windows.
     
    Last edited: Apr 22, 2008
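
A check built on the post above (sectors 0 to 62 saved as one "HEAD" backup, sectors 1 to 62 usually empty), as an added example that is not from the poster or from MBRWiz. It assumes the 63-sector image was captured from boot media outside the installed Windows, since the post says some rootkits present a standard MBR when read from within Windows; `make_head`, `BASELINE` and `SUSPECT` are constructed sample data.

```python
import hashlib

SECTOR = 512
HEAD_SECTORS = 63  # sectors 0-62, the "HEAD" region described in the post


def split_sectors(head: bytes) -> list:
    """Cut a 63-sector image into its 512-byte sectors."""
    if len(head) != SECTOR * HEAD_SECTORS:
        raise ValueError("expected %d bytes, got %d" % (SECTOR * HEAD_SECTORS, len(head)))
    return [head[n * SECTOR:(n + 1) * SECTOR] for n in range(HEAD_SECTORS)]


def sector_digests(head: bytes) -> list:
    """Per-sector SHA-256 list to store alongside a known-good backup."""
    return [hashlib.sha256(s).hexdigest() for s in split_sectors(head)]


def triage(baseline_digests: list, head: bytes) -> dict:
    """Compare an offline capture against the baseline, sector by sector."""
    if len(baseline_digests) != HEAD_SECTORS:
        raise ValueError("baseline must hold one digest per sector")
    sectors = split_sectors(head)
    changed = [n for n, s in enumerate(sectors)
               if hashlib.sha256(s).hexdigest() != baseline_digests[n]]
    return {
        "mbr_changed": 0 in changed,                       # sector 0 differs
        "gap_changed": [n for n in changed if n >= 1],     # sectors 1-62 that differ
        # Non-zero gap sectors are not proof of tampering on their own: a boot
        # manager also lives here, so the baseline comparison is the real signal.
        "gap_in_use": [n for n in range(1, HEAD_SECTORS) if any(sectors[n])],
    }


def make_head(writes: dict) -> bytes:
    """Constructed sample image: {sector_number: payload bytes}, rest zero-filled."""
    head = bytearray(SECTOR * HEAD_SECTORS)
    for sector, payload in writes.items():
        head[sector * SECTOR:sector * SECTOR + len(payload)] = payload
    head[510:512] = b"\x55\xaa"
    return bytes(head)


# Constructed data: a baseline with a boot manager in sectors 1-2, and a later
# capture whose sector 0 differs and whose last two gap sectors are no longer empty.
BASELINE = make_head({0: b"\xfa" * 440, 1: b"bootmgr-a", 2: b"bootmgr-b"})
SUSPECT = make_head({0: b"\xeb" * 440, 1: b"bootmgr-a", 2: b"bootmgr-b",
                     61: b"\x90" * 512, 62: b"\x90" * 100})

if __name__ == "__main__":
    print(triage(sector_digests(BASELINE), SUSPECT))
```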
  23. EASTER

    Just the news I was looking for, thanks Hairy Coo for your testing, and the results look very promising, because I agree with markymoo, we have not seen the last of MBR destructive activities via trojans/viruses yet, and this is a key component to effect a very orderly and precise recovery as an alternative.
     
  24. Hairy Coo

    Easter,

    There seem to be only 4 dedicated apps with GUIs for MBRs - they are SuperFDisk, Partition Table Doctor, FixMBR and of course markymoo's Whisky! (very nice)

    Partition Table Doctor is almost identical to SuperFDisk, except it has a couple of extra functions, such as rebuild MBR.

    It is no longer strictly freeware, so otherwise you can get it as part of the Hirens download here - I think as an ISO file for the lot.

    FixMBR is available here, but you have to figure out how to make the GUI operable, which I couldn't.

    Otherwise you can get it as part of the UBCD4Win download here, which has it with the GUI working - very nice.

    Incidentally, UBCD4Win also has about 10 DOS apps for the same purpose, but personally I find these slow, error prone and confusing.
     
    Last edited: Apr 22, 2008
  25. Hairy Coo

    markymoo,

    Well, MBR Whisky does seem the only one with a GUI that has this capability.

    Guess down the line errors could occur if all the tables had been backed up and you just forget, which isn't difficult with computers, plus I suppose the more you back up and restore, the more room for errors.

    So really Whisky seems to me to have all the bases covered.

    That rootkit problem is one I have never encountered.
    As SP backs up the MBR and partition tables, have never given much thought to it.
     
    Last edited: Apr 22, 2008