virus on MBR of disk

By danimur · 12 replies
Sep 25, 2006
  1. Hello everyone,

    I have a problem and do not know how to fix it. One day I tried to install an Internet connection. After the connection was set, in about 20 seconds my computer restarted and shut down. When I try to start again, same symptoms. I have a friend who has the same problems and discovered that it has a virus on the MBR. I use NOD32 and a firewall - Sygate.

    I think it's a virus, too.

    How can I get rid of it?

    Some help, please.
  2. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    What exact symptoms are you talking about? Shutting down after 20 seconds? So just after you log in to Windows?

    I doubt it is a boot sector (MBR) virus, those are very rare these days. And often the BIOS has a block for these types of viruses. And also, NTFS doesn't use an MBR anyway, it uses MFT.

    However, it doesn't mean you don't have a virus, but it could be other things too.

    What version of Windows do you have? Service Pack? Are you using NTFS or FAT32 (check in properties of your drive in My Computer).

    You could also have hardware problems. Failing RAM and hard drive can cause this.

    Lastly, try getting into Safe Mode. To get there, press F8 on the keyboard BEFORE you see the Windows logo as it boots up. Just press the key over and over if you have to. If you can get in Safe Mode, run a full scan with your NOD32. Otherwise, give us some details and we'll go from there.
  3. danimur

    danimur TS Member Topic Starter Posts: 25


    Thank you Vigilante for being so fast.

    I use Windows XP Professional - Service Pack 2

    On that hard drive I have 3 partitions, all 3 are NTFS

    I log in and after that it works for 20 seconds precisely, then the system turns off. I have changed my memory recently (one week ago); it is supposed to work well.
  4. luvr

    luvr TS Enthusiast Posts: 59

    The file system has nothing to do whatsoever with the MBR. The MBR ("Master Boot Record") sits on the very first sector (512 bytes) of your boot disk, and gets loaded well before the computer has even looked at any file system. In fact, the computer must look at the MBR to find out what partitions there are on the disk, since the MBR includes the partition table; and only after it finds out what partitions there are on the disk, can it begin to look at the file systems that they hold.

    The actual function of the MBR, then (apart from keeping the partition table), is to execute a small (very small) piece of code that will decide which partition will be booted; the MBR code that gets installed by Windows, e.g., will simply boot the "active" disk partition (which is flagged in the partition table).

    A friend of mine once had an MBR virus, too. He tried to get rid of it by deleting all partitions with FDISK, but that didn't work. (We subsequently found out that FDISK simply won't touch the MBR sector code.) We found only one way to remove the virus: Boot a Linux Live CD, and use the "dd" command to destroy the MBR (including the partition table)--"dd" is the "dump data" command in Linux, but when used in this way, it is often referred to as "destroy disk," since you effectively lose all data from the disk.

    In case you want to give it a try, the command is something like the following:
    dd if=/dev/zero of=/dev/hda bs=512 count=2048
    (where "count" is the number of sectors to zap; you could specify a count of 1, but an MBR virus will likely carry its payload in the next few sectors immediately following the MBR, so it's probably a good idea to zap a few more).

    Also, after this operation, the partition table will be invalid; you may want to rewrite a valid (albeit empty) partition before continuing, using something like the following command:
    fdisk /dev/hda
    You will be told that the partition table is corrupted; just use the "w" command to correct it, then quit the fdisk command using the "q" command.

    After this, your disk will look like a new, empty disk to the computer.
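    Added example, not code from any poster in this thread: a small Python script that parses the 512-byte MBR layout described above (446 bytes of boot code, four 16-byte partition entries with the 0x80 "active" flag, the 0x55AA signature) and compares the code region against a SHA-256 baseline recorded while the system was known clean. The sample sector is constructed inside the script; on a real machine the first sector would be read from the disk device with root privileges, and the zeroed case shows what the "dd if=/dev/zero" command leaves behind.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

def parse_partition_table(sector):
    """Return the four primary partition entries of a 512-byte MBR sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries

def boot_code_hash(sector):
    """SHA-256 of the code region only; the partition table may change legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(sector, known_good_hash):
    """Compare a sector against a recorded baseline; an empty list means no findings."""
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    active = [e for e in parse_partition_table(sector) if e["active"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    if boot_code_hash(sector) != known_good_hash:
        findings.append("boot code differs from the recorded baseline")
    return findings

def build_sample_mbr(code_fill=b"\x90"):
    """Constructed sample: NOP-filled code, one active NTFS (type 0x07) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    table = entry + bytes(16 * 3)
    return code_fill * BOOT_CODE_LEN + table + BOOT_SIGNATURE

if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = boot_code_hash(good)
    tampered = bytes([0xEB]) + good[1:]           # one byte of boot code altered
    print(check_mbr(good, baseline))               # []
    print(check_mbr(tampered, baseline))           # boot code differs
    print(check_mbr(bytes(MBR_SIZE), baseline))    # zeroed sector: three findings
```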
  5. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Yes you're right about MBR, I was thinking about FAT itself, which the MFT did away with. Not the MBR. My bad.
  6. Nodsu

    Nodsu TS Rookie Posts: 5,837   +6

    In Windows/DOS "fdisk /mbr" should replace the bootloader code in the MBR with the Microsoft standard one, effectively replacing the virus. "fixmbr" in the Recovery Console.
  7. luvr

    luvr TS Enthusiast Posts: 59

    True... We did try that, but it somehow didn't solve our problem; I guess it actually did fix the MBR, but that some malware code had gotten installed onto the Windows system, so that the bootloader virus would get reinstalled as soon as we restarted Windows.

    Cannot think of a better explanation, really...
  8. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Standard virus removing procedures need to apply here. Using the right tools, using Safe Mode and Recovery Console if needed. Remove the executable parts of the virus from within Windows. Then when the timing is right, fix the MBR.

    However, for XP and the Recovery Console, you don't use fdisk /mbr, you just use the command fixmbr. Often you also need to use the next command fixboot to make sure the bootloader is correct.

    Incidentally, exactly WHAT details can you give as to why you think it's a boot sector virus? What exactly is NOD32 and/or your firewall telling you? Post some of those results, name of virus, etc...
    Tell us all what you've tried, and what's happening.
  9. danimur

    danimur TS Member Topic Starter Posts: 25

    I cannot tell you what NOD32 says because Windows just boots up and then the computer suddenly restarts and then shuts down.

    I cannot make the antivirus clean the computer; the time is also too short and besides that the antivirus is not finishing the cleaning.
  10. Vigilante

    Vigilante TechSpot Paladin Posts: 1,666

    Do you have an XP CD? If not, get one or borrow one.

    Stick that in your drive and boot to it. Once in, go to Recovery Console.

    Once logged in to RC, type chkdsk /r /p. Let that finish and give us the results.
    If it finds and fixes errors, type exit to restart the system, and then go BACK into RC again, and run that again.

    See if that helps. It could be a hard drive problem causing restarts and not virus.

    Can you get in Safe Mode without restarts? As the system boots up, BEFORE you ever see the XP logo, start pressing F8 on the keyboard once a second until you get a menu. Then choose Safe Mode. If you can get in, run your "anti" software from there.
    If Safe Mode doesn't work, reboot back to this menu again with F8, and try the "Last Known Good" configuration. See if that works.

    If none of that does the trick, you may have to take the hard drive out and scan it for viruses from another computer. Be sure to put your drive as SLAVE so the other computer does NOT try to boot from it! Put it on the channel with their CD-ROM and not the other hard drive perhaps.

    Lastly, does Windows give any errors when it shuts down? Does it show a timer saying shutdown in 30 seconds? Does anything at all happen before or during that time?
    Do you use the Welcome screen? That is, you have to click on your name to get in? Does that Welcome Screen stay on indefinitely?

    Do you have more than one user account? Do they all fail?
    If you only have 20 seconds, that may be enough time to go into Control Panel really quick and create a new user account, then try to log in with the new user account.

    That should give you some homework. Good luck!
  11. danimur

    danimur TS Member Topic Starter Posts: 25

    Yes, I have an XP CD, on which I have tried what you said, Vigilante, but the problem persists.

    No, I have only one user.
    Thanks for your advice.

    I will try to go with the drive to another friend to try there the cleaning.

    Thanks to you all
  12. crazylog

    crazylog TS Rookie

    I don't think it is a virus. I believe it is a system problem.
  13. danimur

    danimur TS Member Topic Starter Posts: 25

    system problem

    No, it is not a system problem because I have tried another HDD and it is working fine.

    Thanks anyway