Can anyone put forward any ideas about a recent problem I had with one of my client's machines?
The machine is running Win 2000 pro and has a 60Gb disk drive formatted as a single FAT32 partition. As it turns out, no antivirus software was working on the machine, nor was a firewall in operation. The machine connects to the internet via another machine which provides the internet connection sharing and is firewalled.
From what was reported, the machine had been working OK and left for a while and when they came back to it to shut it down, it was showing a blank blue screen. The following day it started OK but later 'froze up' and then wouldn't reboot. So much is what I was told.
When I investigated I discovered that the boot sector had been corrupted - but in a very organised way. Only every 8th byte was affected, starting with the 6th byte and only the 6th bit of that byte was affected (except for one byte).
Of the 42 bytes affected (of the possible 64 8th bytes), 40 had bit 6 switched on (OR 0x40), 1 had that bit switched off. The other byte was the exception mentioned above but it is possible that its differing value was legitimate - I don't know quite enough about FAT32 boot sectors to say! The way I ascertained the 'correct' values was by comparing with the spare boot sector copy stored at sector +6.
The only sector I could find with any error was this boot sector.
I restored the duff sector to its copy and the machine rebooted reasonably adequately (there was actually an inaccurately recorded free space message) but I was able to reboot the system and get at the data. Since then it has been working fine.
My immediate thought was that it looked like the result of a virus, however a full scan of the disk showed nothing and searching on the net revealed no messages about a virus which showed this behaviour (though I could well have missed it).
I thoroughly checked out various bits of hardware - the disk, the cable (which I replaced anyway), the memory. I wasn't in a position to be able to do very much with the disk controller.
So what are your theories as to what happened?
What I'd like most is for someone to say that this was exactly what virus XXXX does - or failing that suggest what component could have misbehaved in such an organised way.
I can't see why anything *should* have been writing to the boot sector for it to get it wrong! Needless to say the machine now has adequate protection.
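The comparison described in the post, between the damaged boot sector and the spare copy at sector +6, can be scripted so the pattern (spacing, bit mask, bits set versus cleared) is reported directly. This is an added example, not the poster's code: the sample sectors are constructed, treating "the 6th byte" as zero-based offset 5 is an assumption, and `read_sector` expects a hypothetical image file of the partition.

```python
from collections import Counter

SECTOR = 512

def read_sector(image_path, lba):
    """Read one 512-byte sector from a partition image (hypothetical path).
    lba is relative to the start of the partition: 0 = boot sector, 6 = spare copy."""
    with open(image_path, "rb") as f:
        f.seek(lba * SECTOR)
        return f.read(SECTOR)

def diff_sectors(damaged, backup):
    """Return (offset, damaged_byte, backup_byte) for every differing byte."""
    if len(damaged) != SECTOR or len(backup) != SECTOR:
        raise ValueError("both inputs must be exactly one 512-byte sector")
    return [(i, d, b) for i, (d, b) in enumerate(zip(damaged, backup)) if d != b]

def summarize(diffs):
    """Describe the damage: position within each 8-byte group and bit masks."""
    offsets = [o for o, _, _ in diffs]
    return {
        "count": len(diffs),
        "offset_mod_8": Counter(o % 8 for o in offsets),
        "xor_masks": Counter(d ^ b for _, d, b in diffs),
        # bytes where the damaged copy gained bits the backup lacks, and vice versa
        "bits_set": sum(1 for _, d, b in diffs if d & ~b & 0xFF),
        "bits_cleared": sum(1 for _, d, b in diffs if b & ~d & 0xFF),
    }

def constructed_sample():
    """Constructed sectors (not the poster's data): 40 bytes gain 0x40, 1 loses it."""
    backup = bytearray((i * 7) & 0xBF for i in range(SECTOR))  # bit 6 clear everywhere
    backup[5 + 8 * 50] |= 0x40           # one backup byte that has bit 6 set
    damaged = bytearray(backup)
    for k in range(40):
        damaged[5 + 8 * k] |= 0x40       # bit switched on in the damaged copy
    damaged[5 + 8 * 50] &= 0xBF          # bit switched off in the damaged copy
    return bytes(damaged), bytes(backup)

if __name__ == "__main__":
    damaged, backup = constructed_sample()
    # For a real image: damaged, backup = read_sector(img, 0), read_sector(img, 6)
    for key, value in summarize(diff_sectors(damaged, backup)).items():
        print(key, value)
```

A single `offset_mod_8` residue together with a single XOR mask is the signature of the regular, one-bit damage the post describes; scattered residues and masks would indicate random corruption instead.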