Boot sector virus

[mikeyp]

It's not my day... As you'll see from my other post I had no luck with and have had to ask for assistance aligning a floppy drive. Now I have had a recurrence of what I suspect is a boot sector virus. It has wiped out all standard files and folders from my MFM drive when I booted my IBM DOS 3.30 floppy. I need to re-image that silly thing. Any folders called DOS, APPS, DRIVERS, standardised files in the root all gone. I'm left just with command.com, spinrite.exe, a folder I called HDD and that's about it. Ok. Fine. Got my CF card that belongs in the XT. Checked the contents and backed it up. Plugged it in, missed the prompt to change the boot drive from the MFM drive, booted into DOS and that too has now lost most of its files in the same sort of pattern. The CF card also now won't boot which I'm guessing is an incompatibility with the virus boot sector and the CF card. Odd.

Before I wipe the whole machine and start over, does anyone want to take guesses as to what virus it might be and how we might confirm this? Could be fun...?

Edit: I used my greaseweazle to read the image from the IBM DOS 3.30 disk 1 and it's identical to the source image so I don't think that's the cause/source. I used HXD to compare the 2 images.

 

[Chuck(G)]

Did you manage to identify the exact virus? Some merely move the root directory and FATs.

 

[mikeyp]

Did you manage to identify the exact virus? Some merely move the root directory and FATs.

No. That's what I'm asking for help in figuring out.

 

[Chuck(G)]

If you can post an image (hex please) of the boot sector, we can probably identify what it is.

 

[mikeyp]

What debug commands would I need to run to pull it from the MFM drive? This is from HXD of the CF card.

 

[Chuck(G)]

C:\>DEBUG
-a80
0814:0080 mov ax,0201
0814:0083 mov bx,0100
0814:0086 mov cx,0001
0814:0089 mov dx,0080
0814:008C int 13
0814:008E mov bx,0
0814:0091 mov cx,200
0814:0094 int 3
0814:0095
-nmyboot.bin
-g=80
AX=0001  BX=0000  CX=0200  DX=0080  SP=FFFE  BP=0000  SI=0000  DI=0000
DS=0814  ES=0814  SS=0814  CS=0814  IP=0095   NV UP DI PL NZ NA PO NC
0814:0095 7563          JNZ     00FA
-w100
Writing 0200 bytes.
-q
C:\>

That will dump the MBR for the first hard disk. To get the partition boot sector for drive C:, the following will do

C:\>DEBUG
-l100 2 0 1
-n myboot.bin
-rbx 0
-rcx 200
-w100
Writing 0200 bytes.
-q
C:\>\

Hope I've got this right.

 

[MasawVx]

greetings!

if you suspect you have a virus you can try my antivirus called VCHECK I wrote years ago, it would run on 286+ machines

Public

Folder

1drv.ms

thanks