mbr manipulation

[paulywauly]

Is there a tool in fedora that can be used to do a physical inventory of the mbr section of the harddrive that my install of fedora is on so that i can take off all the physical attributes of the files in it and then do a re write of the mbr section

[Doug G]

It sounds like you want to repartition your disk. You can use programs like dd to take an image copy of the partition, tools like tar to do a backup of the files on the partition, tools like parted and gparted to manipulate the partitions.

[paulywauly]

Im thinking that the mbr has been severly compromised and malicious code has been put into the mbr so if i took an image of it and reloaded it id only be putting the same malicious stuff back in

my guess is that whatever has been put in has gotten hidden attributes onit so first of all the attributes would have to be dropped second id like to view all the files and try and trace back excactly whats going on and my guess is ill find some kind of file thats sends out info to an outside source or the remanats of that file and that would be what slows my system down now

its not really priority but having this problem ive run into it as well with several other peoples machines

i have tried using the windows xp cd and going into repair mode and taking out all the attributes but when i execute it says there was some kind of problem and it couldnt be done

think what i really need is a program that will show all the files then let you manipulate them ie take off attributes at least and then trackk down functioning then delete them all and rebuild an mbr

---------- Post added at 01:42 PM ---------- Previous post was at 01:42 PM ----------

what is dd is that a fedora tool and whats the apprebeviated for??

[jpollard]

An MBR is only one block long.

There are no "files" in an MBR. It is not a filesystem.

That said, it DOES have block numbers that refer to additional blocks that are needed to complete a boot program. Moving the data blocks via repartitioning/replacement means the block numbers are no longer valid... and the MBR must be replaced before a reboot will be successful.

[DBelton]

Chances are, if there is a problem with your MBR, you wouldn't be able to boot at all from that drive.

It sounds to me like you would be much better off grabbing a anti-virus boot CD and running it on the drive. Also grab one of the spyware scanners as well, boot off a CD and run it on the drive.

Unless you REALLY know what you are doing, I advise against any type of manual manipulation of your MBR. You could easily make it where you can't get any of your data off of the drive.

[paulywauly]

well heres the thing when i first tried to get fedora 16 loaded and onto the hard drive it would go to the partitioning portion and when attempting to use the whole disc for fedora it would report some non specific error so i then tried loading a copy of windows xp and it had no problem whatsoever doing that so

I also noticed when windows recognized the hard drive it had claimed the hard drive was 96 gig s not 80

i then left the copy of windows on it and started up the fedora

fedora claimed it was an 80 gig hard drive i then shrank the loaded partition down as far as i could with windows on the front and loaded fedora without an issue and everything went well till i tried updating fedora it did update and took about two days of crawling to get all the updates done

ok so i went back in again and did another clean install of fedora 16 but this time i used the encryption method for encrypting the disc well i was able to get all updates and installed them with in an hr it seemed like encrypting had caused something to keep it from going so slow

Ok so after all is done I am having problems with the cdrom not working corectly with the amarok program which i posted under the software section of this site

ok so after the system has been online for past 3 days it is now down to a slow crawl again and all kinds of random applications and things just start popping up for no reason and just off the wall weird stuff so my guess is something is written into the front section of the hard drive where the mbr resides that is either under hidden atrributes or whatever

i could never get the machine to boot from a usb stick as well it would allways say boot error


Oh and the bios has been flashed with all the latest updates??

---------- Post added at 11:24 PM ---------- Previous post was at 11:18 PM ----------

what i guess i really need is the right tool for the job something to wipe out everything on the hard drive including the mbr and puttin a new one in and

I have tried to use the windows xp disc and going into repair mode and when trying to do a full mbr wipe out and reinstall it comes up with some non specific error about not finding the hard drive

i have also tried using the windows above tool to take off all the attributes before attempting all this and it just gives the same error non specific that it cant find the hard drive lol

[DBelton]

I don't really see how a bad MBR could cause the issues you have said you encountered.

Like I said above. Chances are if something messed up the MBR, you probably wouldn't even be able to boot.

My first thought is a heat or hardware problem. I would check the temp on your CPU and also run memtest and see if you have a memory problem.

Also, you could have a hard drive going bad or a bad cable. Check those out as well.

[paulywauly]

have done the memory test all is good there

have also put a new hard drive cable in just to be sure


But as far as mbr from what i understand most viruses are now being put into the mbr so that when and if you try and reload windows because it gets trashed it send the virus right out to the new installation as well and i have seen this before i have reloaded alot of friends pcs and had this happen

But like i say id rather have the knowledge so that whatever reason i can make sure and be paranoid and wipe the drive out completly and make a new mbr just to be safe

hey why not start out on a good note specially if you never can tell that and its a pain in the arse to go through the whole process and lose data

[stevea]

I don't think there is a lot of deductive reasoning in claiming that the MBR is at fault for your problem, and additionally to seem confused about wht the MBR really is.

You can do what you want manually - copy and save all the partition info (using fdisk or gdisk) and then wipe the MBR and related blocks with dd if=/dev/zero .... then reconstruct a good mbr with fdisk, gdisk, gparted.

I would NOT advise anyone to do this unless they are very very sure the MBR is corrupted, and they have good familiarity with the tools.

It is a reasonable practice to save a copy of the first 64 blocks of the disk into a file (on another disk) so you can later compare with 'cmp' and reconstruct the partition tbl in case of failure.

[george_toolan]

You should really check your hdd:

Code:

smartctl -a /dev/sda

or if this is an old ide drive

Code:

smartctl -a /dev/hda

Then run a self test on the drive

Code:

smartctl -t long /dev/sda

This will take a couple of hours since it's trying to read all sectors on that drive.

If the self test doesn't complete without an error your drive is probably broken.

Wiping the drive should be easy. Just boot off a live cd and use fdisk to create a new partition table. This will delete all files on that drive!

[DBelton]

Quote:

Originally Posted by paulywauly

have done the memory test all is good there

have also put a new hard drive cable in just to be sure


But as far as mbr from what i understand most viruses are now being put into the mbr so that when and if you try and reload windows because it gets trashed it send the virus right out to the new installation as well and i have seen this before i have reloaded alot of friends pcs and had this happen

But like i say id rather have the knowledge so that whatever reason i can make sure and be paranoid and wipe the drive out completly and make a new mbr just to be safe

hey why not start out on a good note specially if you never can tell that and its a pain in the arse to go through the whole process and lose data

Well, did you try telling it to fix the MBR and boot sector when you boot your Windows rescue console?

Boot from your Windows CD, select to run recovery console

Then follow the instructions that Microsoft provides:

Quote:

FIXBOOT
fixboot drive name:
Use this command to write the new Windows boot sector code on the system partition. In the command syntax, drive name is the drive letter where the boot sector will be written. This command fixes damage in the Windows boot sector. This command overrides the default setting, which writes to the system boot partition. The fixboot command is supported only on x86-based computers.
FIXMBR
fixmbr device name
Use this command to repair the MBR of the boot partition. In the command syntax, device name is an optional device name that specifies the device that requires a new MBR. Use this command if a virus has damaged the MBR and Windows cannot start.

Warning This command can damage your partition tables if a virus is present or if a hardware problem exists. If you use this command, you may create inaccessible partitions. We recommend that you run antivirus software before you use this command.

You can obtain the device name from the output of the map command. If you do not specify a device name, the MBR of the boot device is repaired, for example:
fixmbr \device\harddisk2
If the fixmbr command detects an invalid or non-standard partition table signature, fixmbr command prompts you for permission before it rewrites the MBR. The fixmbr command is supported only on x86-based computers.

[stevea]

None of the symptoms sound the least bit like an MBR error. Typical victim of 'Dr.House' (diagnosis base on little or no evidence).

The idea of running smartctl diagnostics is not warranted at this time - but it's simple, cheap and eliminates a possible HW cause.
Same with memtest

If the system runs slowly then the place to start is by examining what is running and eating up performance.
I don't buy the OPs story that a mysterious bevy of apps run all on their own due to malware. More likely he doesn't understand all the kernel threads and services and cron jobs.

When the system is slow, run
free
htop

and indicate the results. Post the entire output of free ,and an yprocesses using mych CPU in 'htop'. Is your system swapping ? and/or What process is hogging the CPU ? are the two critical questions.

Until we know that there isn't enough info to diagnose.

---------- Post added at 10:39 AM ---------- Previous post was at 10:13 AM ----------

The MBR has no files and the only 'attributes' are things like wither a partition is bootable or the partition type.
The fact that your first install of Fedora took forever to update might have been diagnosed at the time - but not after a reinstall - so that's nearly pointless history.
The speed of a fedora yum update is NOT enhanced by an encrypted filesystem.


80G vs 96BG is a real and testable issue.
As root this command will show the hardware addressible sectors according to the disk controller
hdparm -I /dev/sda| grep "LBA "
and this will show what is in the written disk geometry ...
fdisk -l /dev/sda | grep total


I get numbers like ....

Quote:

LBA user addressable sectors: 234441648

Quote:

255 heads, 63 sectors/track, 14593 cylinders, total 234441648 sectors

which should match.

[paulywauly]

cool ill do all the above mentioned things just so i can get familiar with it all

and yes i did mention the fact that i tried putting in the windows xp disc and running the tools to do an mbr repair but as i said in my post it would report it couldnt find the disc that i was trying to do the repair on yet it would list the disc

I am using the disc now with kde 16 fedora todo these psotings

Id rather be very familiar with it all and infact if i ever work on someones sytem reloading anything just to cover all bases id rather start out on a good note knowing that the mbr has been wiped and a new one installed

Ill start at the top and as i do the suggested things i will give detail and report as i go ty all

[DBelton]

did you install Fedora 16 on the drive, and used the entire drive for it? IF so, then it probably doesn't have a MBR. Fedora 16 defaulted to using GPT instead of MBR.

[paulywauly]

no when i tried using the whole drive for fedora 16 it wouldnt go thru the process of writing to the hard drive said some non specific error

It would only write to the drive if i installed windows xp at the drint of the drive and then shrank the partition down to miniimal then installled fed 16 and it was fine