5 Replies Latest reply on Mar 3, 2010 7:28 PM by SafeBoot

    Missing OS epidemic

      Hello,

       

      I am suddenly seeing a ton of "Missing OS" errors at boot time.  Just in the past two weeks, I'm getting an average of 10 per day.  I have EEPC 5.1.8 installed on roughly 20,000 endpoints.  I'm dying over here!  Please help with the following:

       

      1.  Does anyone know what might be causing this?

      2. Does anyone know how I can gracefully repair?

       

      Other relevant details:  Looks like sector 0 is being completely overwritten by something.  Attempts to restore the SafeBoot MBR or the original MBR result in "SafeBoot not activated" errors.  Currently forcing decryption, saving data and reimaging, but that is a bear of a process for my support staff.

       

      In the process of upgrading to 5.2.3, but not there yet.

        • 1. Re: Missing OS epidemic

          Do you get the error about the missing OS before or after the pre-boot screen?

          If before pre-boot, can you dump the MBR hex to a file and post it?

           

           

          Message was edited by: peter_eepc on 3/3/10 3:02:54 PM EST
          • 2. Re: Missing OS epidemic

            Before.  Booting into a tainted machine now with Wintech to get the MBR...

            • 3. Re: Missing OS epidemic

              Here is one.  This is from a Lenovo T61P with a 160 GB SATA drive.  Working fine up until yesterday.  User cannot (or will not) identify any changes to the system.

              • 4. Re: Missing OS epidemic

                The SafeBoot MBR has been overwritten, that is confirmed. Now you need to find a culprit. Maybe a recent MBR worm?

                http://www.eset.eu/press-computer-worldwide-targetted-by-MBR-Worm

                or similar....

                • 5. Re: Missing OS epidemic

                  I can't identify this one at all - not even close to anything in my database. Interesting partition table though?

                   

                   

                  DECOMPILE MBR:
                  
                  --------------------------------------------------------------------------------
                  440 Bytes of code: ( Identity: W7 from VMWare (From Simon Hunt)-42.22%
                  XP Standard MBR (From Simon Hunt)-52.08% Vista 32  from Simon Hunt-42.53%  )
                  000000 : 33 C0 8E D8 8E C0 8E D0 BC 00 7C BE 1A 7C BF 00  : "3ÀŽØŽÀŽÐ¼.|¾ |¿. "
                  000010 : 06 B9 E6 01 50 57 FC F3 A4 CB BE A4 07 B1 04 90  : " ¹æ PWüó¤Ë¾¤ ± €"
                  000020 : 80 3C 80 74 0D 38 2C 0F 85 B9 00 83 C6 10 E2 F0  : "€<€t.8, …¹.ƒÆ âðÍ"
                  000030 : CD 18 66 8B 44 08 8B 14 8B DC B9 01 00 E8 5D 00  : "Í f‹D ‹ ‹Ü¹ .è].s"
                  000040 : 73 0C 8B 4C 02 B8 01 02 CD 13 0F 82 B1 00 B8 55  : "s ‹L ¸  Í  ‚±.¸Uª"
                  000050 : AA 2B 06 FE 7D 0F 85 C8 00 66 B8 00 00 00 00 66  : "ª+ þ} …È.f¸....f9"
                  000060 : 39 44 08 72 08 66 8B 44 08 66 03 44 0C 83 C6 10  : "9D r f‹D f D ƒÆ &#129;"
                  000070 : 81 FE E4 07 72 E9 66 0B C0 74 1D B9 09 00 81 C3  : "&#129;þä réf Àt ¹..&#129;Ã."
                  000080 : 00 02 E8 18 00 72 11 8B F3 81 C3 00 02 66 81 3F  : ". è .r ‹ó&#129;Ã. f&#129;?¿"
                  000090 : BF 00 7C B9 75 02 FF D3 EA 00 7C 00 00 66 60 B2  : "¿.|¹u ÿÓê.|..f`²€"
                  0000A0 : 80 BB AA 55 B4 41 CD 13 73 04 F9 66 61 C3 81 FB  : "€»ªU´AÍ s ùfaÃ&#129;ûU"
                  0000B0 : 55 AA 75 F6 F6 C1 01 74 F1 66 61 66 60 6A 00 6A  : "UªuööÁ tñfaf`j.j."
                  0000C0 : 00 66 50 06 53 51 6A 10 B4 42 8B F4 CD 13 61 66  : ".fP SQj ´B‹ôÍ afa"
                  0000D0 : 61 C3 5E AC 0A C0 74 FC 56 1E BB 07 00 B4 0E CD  : "aÃ^¬.ÀtüV » .´ Í "
                  0000E0 : 10 1F EB EE E8 EB FF 49 6E 76 61 6C 69 64 20 70  : "  ëîèëÿInvalid pa"
                  0000F0 : 61 72 74 69 74 69 6F 6E 20 74 61 62 6C 65 00 E8  : "artition table.èÐ"
                  000100 : D0 FF 45 72 72 6F 72 20 6C 6F 61 64 69 6E 67 20  : "ÐÿError loading o"
                  000110 : 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D  : "operating system."
                  000120 : 00 E8 AE FF 4D 69 73 73 69 6E 67 20 6F 70 65 72  : ".è®ÿMissing opera"
                  000130 : 61 74 69 6E 67 20 73 79 73 74 65 6D 00 00 00 00  : "ating system....."
                  000140 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  : "................."
                  000150 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  : "................."
                  000160 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  : "................."
                  000170 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  : "................."
                  000180 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  : "................."
                  000190 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  : "................."
                  0001A0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  : "................."
                  0001B0 : 00 00 00 00 00 00 00 00                          : "........"
                  --------------------------------------------------------------------------------
                  4 Byte Disk Signature:
                  0001B8 : 45 69 E1 63                                      : "Eiác"
                  --------------------------------------------------------------------------------
                  2 Byte Usually Null:
                  0001BC : 00 00                                            : ".."
                  --------------------------------------------------------------------------------
                  Primary Partition Table Entry: 0
                  0001BE : 80 01 01 00 07 EF FF FF 3F 00 00 00 71 43 89 0A  : "€  . ïÿÿ?...qC‰."

                      Status : 128 (active) Start C: 0 H: 1 S: 1 End C: 1023 H: 239 S: 63
                      Type: 7 (OS/2 IFS HPFS, NTFS, FAT64) LBA: 270582939648 Blocks: 485335730442
                  --------------------------------------------------------------------------------
                  Primary Partition Table Entry: 1
                  0001CE : 00 00 C1 FF 12 EF FF FF B0 43 89 0A D0 8B 1B 01  : "..Áÿ ïÿÿ°C‰.Ћ  "

                      Status : 0 (inactive) Start C: 1023 H: 0 S: 1 End C: 1023 H: 239 S: 63
                      Type: 12 (Leading Edge DOS3) LBA: 755918670090 Blocks: 893362313985
                  --------------------------------------------------------------------------------
                  Primary Partition Table Entry: 2
                  0001DE : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  : "................"

                      Status : 0 (inactive) Start C: 0 H: 0 S: 0 End C: 0 H: 0 S: 0
                      Type: 0 (Empty) LBA: 0 Blocks: 0
                  --------------------------------------------------------------------------------
                  Primary Partition Table Entry: 3
                  0001EE : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  : "................"

                      Status : 0 (inactive) Start C: 0 H: 0 S: 0 End C: 0 H: 0 S: 0
                      Type: 0 (Empty) LBA: 0 Blocks: 0
                  --------------------------------------------------------------------------------
                  MBR Signature (should be 55AA):
                  0001FE : 55 AA                                            : "Uª"
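
Added example (not part of the thread and not any poster's tooling): a Python sketch that decodes the partition table bytes posted above using the standard MBR layout, reading the start LBA and sector count as 32-bit little-endian values, and checks the entries for structural consistency. The 440-byte boot code area is zero-filled as a placeholder, and the function names are illustrative.

```python
import struct

# Bytes 0x1B8-0x1FF as posted in the dump above: disk signature, two
# reserved bytes, four 16-byte partition entries, boot signature.
TAIL = bytes.fromhex(
    "45 69 E1 63 00 00 "
    "80 01 01 00 07 EF FF FF 3F 00 00 00 71 43 89 0A "
    "00 00 C1 FF 12 EF FF FF B0 43 89 0A D0 8B 1B 01 "
    + "00 " * 32 +
    "55 AA"
)
SECTOR = bytes(440) + TAIL  # boot code zero-filled (placeholder, not the real code)

def chs(b):
    """Decode a 3-byte CHS field into (cylinder, head, sector)."""
    return ((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F

def parse_mbr(sector):
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector")
    parts = []
    for i in range(4):
        e = sector[0x1BE + 16 * i: 0x1CE + 16 * i]
        lba, count = struct.unpack_from("<II", e, 8)  # 32-bit little-endian
        parts.append({"index": i, "active": e[0] == 0x80, "type": e[4],
                      "start_chs": chs(e[1:4]), "end_chs": chs(e[5:8]),
                      "lba": lba, "sectors": count})
    return {"disk_signature": struct.unpack_from("<I", sector, 0x1B8)[0],
            "boot_signature_ok": sector[0x1FE:0x200] == b"\x55\xAA",
            "partitions": parts}

def layout_issues(mbr):
    """Return a list of structural problems in the partition table."""
    issues = []
    if not mbr["boot_signature_ok"]:
        issues.append("missing 55AA boot signature")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if sum(p["active"] for p in used) != 1:
        issues.append("expected exactly one active partition")
    used.sort(key=lambda p: p["lba"])
    for a, b in zip(used, used[1:]):
        if a["lba"] + a["sectors"] > b["lba"]:
            issues.append(f"entries {a['index']} and {b['index']} overlap")
    return issues

if __name__ == "__main__":
    mbr = parse_mbr(SECTOR)
    for p in mbr["partitions"]:
        print(p)
    print(layout_issues(mbr) or "partition table is structurally consistent")
```

For the posted bytes this yields a start LBA of 63 and 176767857 sectors for entry 0, with entry 1 (type 0x12) starting immediately after it at LBA 176767920.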