How to repair your master boot record if it’s infected with a virus
Question: How can I overwrite my MBR? I think I have a virus in it.
Answer: This column is a little bit like an edition of the TV show “The Unexplained”. The boot process is quite mysterious and not always logical. But you need to understand it, to understand the Master Boot Record (MBR).
So here’s how the computer start-up routine works.
When a PC is turned on, it checks in with the BIOS. This is where the basic information about the computer exists, i.e. hard drive configuration data, time and date, plus many more weird and wonderful computer anatomical facts.
When it discovers the hard disk (sometimes called the hard drive) and continues the boot sequence, it sends the heads of the hard drive, which are like a bunch of magnetic boxes mounted on arms kind of like the one on a record player, to the hard disk’s platters. Think of platters as a bunch of plates on a spindle.
A head reads the outside cylinder (called cylinder zero) on the platter. This cylinder is a donut ring of data, like a song on a record, though without the grooves that spiral inward.
In the cylinder, it finds sector one (strangely there is no sector zero), which is a small area that contains data.
The head reads the data there, which is where the Master Boot Record (or MBR) is always kept.
The MBR tells the computer which partition to boot from. A partition is a distinct area of the disk that is assigned as drive “C”. If the computer has a drive D, and perhaps drives E and F, then the hard drive is divided up into partitions. If it only has one partition, then the CD-ROM drive is assigned the drive letter D.
The MBR is made up of computer code and data. It tells the computer about the partitions and tells it which partition is the “active” partition. Then the hard drive heads go to the active partition and look for the Boot Record (or BR). The BR reports how many File Allocation Tables (FAT) there are (always two) and how big they are.
The FAT is kind of a map that keeps track of all the files on a hard disk and their locations.
The computer then reads the first FAT, skips over the second FAT and reads the root directory. This is where two hidden system files and a key file called “command.com” are kept. These take over the boot process. If the computer has Microsoft Windows on it, the computer reads those next and Windows is started.
Some viruses (but not all) can infect a computer’s MBR or the BR. They read the MBR and replace it with themselves and then put a copy of original MBR data elsewhere on the hard drive. Some do that to the BR instead.
The Michelangelo virus, for example, writes itself to the MBR and then on March 6 of every year it writes garbage data to the hard drive (geek alert: it overwrites the first 17 sectors of the first 256 cylinders of the hard drive).
So how do you fix this?
The easy way is to get a copy of Hard Drive Mechanic to put things right.
Or if you have an anti-virus program, hopefully you created an emergency backup disk with it, which you’ve kept handy. When you boot with the emergency disk in the floppy drive, it will clean the virus.
For Windows Me and before, you could also create a boot floppy with your operating system (like Windows). You should also copy a version of FDISK.EXE, SYS.COM and FORMAT.EXE onto the boot floppy. In most versions of Windows, these files can be found in the folder C:\WINDOWS\COMMAND.
If you create a boot floppy with MS-DOS (the operating system that’s the predecessor to Windows), be sure to make the floppy bootable using the command “FORMAT A: /S”.
Then boot up the computer with it and at the command prompt (A:\>) type FDISK /MBR. This will overwrite the infected MBR, but will leave your data intact on the hard drive.
This boot disk should be created before the computer is infected. If it is created afterwards, the virus on the hard drive will infect the floppy disk, which is counterproductive.
Never reformat a hard drive to fix an MBR infection, as this will replace the BR, but won’t fix the MBR.
If the virus has infected the BR, then you can fix it by booting from the boot floppy disk mentioned above and running this command: “SYS C:” (no quotes).
This will replace the boot record and the command.com file (required to boot your operating system) with clean copies.
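To make the MBR layout described earlier and the FDISK /MBR repair concrete, here is an added example (not from the column or from Dr. Stang) that takes a 512-byte MBR, pulls out the boot code, the four partition-table entries and the 0x55AA signature, finds the active partition, compares the boot-code region against a hash recorded while the machine was known clean, and rewrites only the boot code while leaving the partition table untouched, which is what FDISK /MBR does and why your data survives it. The sample MBR, its two-partition table and the “tampered” copy are constructed for the example; the boot-code bytes are stand-in filler, not a real loader.

```python
import hashlib
import struct
from typing import Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: the boot code (the part FDISK /MBR rewrites)
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"  # bytes 510..511: boot signature the BIOS checks
ACTIVE_FLAG = 0x80       # status byte value marking the bootable ("active") partition

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its boot code and the in-use partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * ENTRY_LEN
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "active": status == ACTIVE_FLAG,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}

def active_partition(info: dict) -> Optional[dict]:
    """The entry the MBR code hands control to; more than one flagged is an error."""
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) > 1:
        raise ValueError("more than one partition flagged active")
    return active[0] if active else None

def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only, so partition edits do not change it."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def boot_code_changed(sector: bytes, baseline_hash: str) -> bool:
    """Detection check: does the boot code differ from the known-clean baseline?"""
    return boot_code_hash(sector) != baseline_hash

def rewrite_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """Repair step modelled on FDISK /MBR: replace bytes 0..445, keep table and signature."""
    if len(clean_code) > BOOT_CODE_LEN:
        raise ValueError("boot code longer than 446 bytes")
    return clean_code.ljust(BOOT_CODE_LEN, b"\x00") + sector[BOOT_CODE_LEN:]

def make_entry(status: int, ptype: int, lba_start: int, count: int) -> bytes:
    """Build one 16-byte partition entry (CHS fields left zero for the example)."""
    return struct.pack("<B3xB3xII", status, ptype, lba_start, count)

# Constructed sample: stand-in boot code plus a two-partition table (C: and an extended D:).
CLEAN_CODE = b"\xeb\xfe" + b"CLEAN-BOOT-CODE-SAMPLE"
PART_TABLE = (
    make_entry(ACTIVE_FLAG, 0x06, 63, 2_097_152)      # primary FAT16, active -> drive C
    + make_entry(0x00, 0x05, 2_097_215, 4_194_304)    # extended partition holding drive D
    + make_entry(0, 0, 0, 0)
    + make_entry(0, 0, 0, 0)
)
CLEAN_MBR = CLEAN_CODE.ljust(BOOT_CODE_LEN, b"\x00") + PART_TABLE + SIGNATURE
BASELINE = boot_code_hash(CLEAN_MBR)  # hash taken while the machine was known clean

# Constructed tampered copy: boot code swapped out, partition table left intact,
# which is exactly the pattern an MBR infection leaves behind.
TAMPERED_MBR = rewrite_boot_code(CLEAN_MBR, b"\xeb\xfe" + b"SOMETHING-ELSE")

if __name__ == "__main__":
    info = parse_mbr(TAMPERED_MBR)
    print("active partition:", active_partition(info))
    print("boot code changed:", boot_code_changed(TAMPERED_MBR, BASELINE))
    repaired = rewrite_boot_code(TAMPERED_MBR, CLEAN_CODE)
    print("repaired MBR identical to clean copy:", repaired == CLEAN_MBR)
```

On a real machine the 512 bytes would come from the first sector of the disk (for instance `dd if=/dev/sda bs=512 count=1` on a Linux rescue system, which needs raw disk access), and the baseline hash should be recorded before any trouble, for the same reason the column says to make the boot floppy in advance. The repair leaves `partitions` unchanged, which is why FDISK /MBR does not touch your files, and also why reformatting, which rewrites the partition's own BR but not sector one, never fixes an MBR infection.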
To give credit where credit is due, I learned all this from David Stang, who is clearly a genius since he managed to explain all this to me in about an hour of chitchat while his cockatoos heckled us in the background. He’s a PhD, so you should call him Dr. Dave.
(At the time of writing, Dr. Dave was Chief Technology Officer of the company SafeSite which used to own pest removal software called Pest Patrol. It’s now owned by CA.)