If you have a hard drive that may have a boot virus on it, how do you clean the virus from the drive?
The term "Master Boot Record", or MBR, is used loosely to describe the combination of the "Partition Table" and the "Boot Record". The primary Partition Table points to any additional partition tables that exist on the drive; these tables form a chain, each holding a pointer to the next, with up to four partition tables on a drive in total. The primary partition table also points to the Boot Record, a sector that holds information about the physical characteristics of the hard drive, i.e. cylinders, heads, sectors, drive ID, file system, and so on.
Viruses typically move the real MBR onto "slack space" sectors that your computer does not use, then replace the real MBR with their own version where the real one belongs. This lets the virus manipulate the bootstrap loader as you start your system and, in doing so, "stealth" itself from detection: a virus in "stealth" mode may not be picked up by a normal anti-virus scan, because it redirects the scanner to the real MBR, which scans as normal even though it is in the wrong place.
An MBR virus will usually produce an "Invalid Drive Specification" error; a simple Boot Record sector virus will usually give a "General Failure Reading Drive C:" error. Be forewarned, though: these errors can also indicate a bad sector 0 or 1 on the hard drive. If that is the case the drive is DEAD for anything but data keeping. It will never be a boot drive again, and in fact such drives should be taken out of service altogether, since they will most likely keep losing sectors as time goes on, usually when you least expect it. It's not worth the risk; trash can it.
Removing a Master Boot Record Virus
Use a clean startup disk (make sure the disk is write-protected before you put it in a potentially infected machine!). This gives you a clean boot to drive A:, from which you can remove the infection from the inactive drive C:. If you are in doubt about the health of your startup disk, get one from a friend with a clean system. Enter FDISK /MBR. This overwrites your infected MBR and puts a clean MBR in place. Some clever viruses place a secondary interceptor into the bootstrap loader and re-infect the system, so stay vigilant when running the system after this repair. Note that some overlay software can act in this same infectious way. Do not boot from the C: drive to do the above: the virus software is sure to know what you are attempting and will foil your efforts to eradicate it. The clean-boot-disk method is the best way to be absolutely sure.
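To make the sector layout described above concrete, here is an added Python example (not part of the original text) that decodes the partition table of a 512-byte MBR image, runs the sanity checks a healthy sector should pass, and models the one thing FDISK /MBR changes: the boot-code bytes, leaving the partition table and the 0x55AA signature untouched. The sample sector, the placeholder boot code and the function names are constructed for this example.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446                  # the four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"          # boot-sector signature in bytes 510-511

def parse_partition_table(sector: bytes):
    """Decode the four partition entries of a 512-byte MBR image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = sector[PT_OFFSET + 16 * i : PT_OFFSET + 16 * (i + 1)]
        # status byte, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, size
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def check_mbr(sector: bytes):
    """Sanity checks a healthy MBR passes; returns a list of findings (empty = clean)."""
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    used = [e for e in parse_partition_table(sector) if e["type"] != 0]
    if not any(e["status"] == 0x80 for e in used):
        findings.append("no active (bootable) partition")
    for e in used:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte 0x{e['status']:02x}")
        if e["lba_start"] == 0:
            findings.append("partition starts at sector 0, inside the MBR itself")
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("overlapping partitions")
    return findings

def rewrite_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """Model of what FDISK /MBR does: replace the boot code, keep the table and signature."""
    return clean_code.ljust(PT_OFFSET, b"\x00")[:PT_OFFSET] + sector[PT_OFFSET:]

def sample_mbr() -> bytes:
    """Constructed test sector: placeholder boot code and one active FAT16 partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff", 63, 204800)
    boot_code = b"\xeb\xfe".ljust(PT_OFFSET, b"\x90")   # jmp $ followed by NOP padding
    return boot_code + entry + bytes(48) + SIGNATURE
```

Feeding a real sector 0 image (for example one dumped from a suspect drive on a clean machine) to check_mbr gives a quick first read on whether the table still looks sane before deciding between FDISK /MBR and a re-format.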
If the Bug Cannot be Cleaned
Hope all your data's backed up! You will need to high-level re-format your hard drive. Remember that this will not create a new "primary Partition Table", only FDISK will do that, but formatting will create a new "Boot Record" and new "File Allocation Tables". The FAT is the hard drive's table of contents; without it, the system does not know where to find the data on your hard drive. Formatting does not actually erase the data contained in the individual sectors. In the worst case you might have to low-level format your drive; do this only with the assistance of the hard drive manufacturer. This erases most of the data, but a clever user could still recover data if they really wanted to. Your BIOS may also have hard disk utilities with a format option.
Note: The original source of this text could not be found.