Rewrite Master Boot Record

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Prior to boot sector viruses, it was rare that any support person even knew what an MBR was. For background on the MBR: MBR Explained. If your MBR has been contaminated by a virus, use the virus vendor's documentation to recover it. If you cannot, the preferred approach is to restore the MBR from a backup. See Backup/Restore MBR. If it's too late for that, the next best approach is to rewrite the Master Boot Record using the DOS-based FDISK command:

fdisk /mbr

Boot from a DOS boot disk and run it. If you don't understand what this means, don't try this tip. As an absolutely last option (that's absolutely), Mark Minasi (NT Mag Summer 1999) published assembler code to wipe the MBR. If all else fails, you can try it. If you remember when the following technique was common (i.e. you are an old fart), you should understand the dangers of this technique. For the babes in the woods, DEBUG code was widely used in the OLD days by assembly language coders who did not own an assembler, and as a method to publish small code snippets.

I have not tried the debug approach. Let me know if it works for you. Definitely on your own. Try it as a last resort before total reinstall. Very risky. You may have to reinstall anyway.

  • Boot the sick system with a DOS boot disk containing the DEBUG.EXE command.
    You cannot do this in NT - it does not allow direct disk access.
  • Start DEBUG.EXE and type the following debug commands:
    • -F 9000:0 L 200 0
    • -a
    • 0C5A:0100 Mov dx,9000
    • 0C5A:0103 Mov es,dx
    • 0C5A:0105 Xor bx,bx
    • 0C5A:0107 Mov cx,0001
    • 0C5A:010A Mov dx,0080
    • 0C5A:010D Mov ax,0301
    • 0C5A:0110 Int 13
    • 0C5A:0112 Int 20
    • press Enter
    • press Enter
    • -u 100 L 14
    • make sure the code matches the above
    • -g
      Program terminated normally
    • -quit
You can now install a replacement MBR using fdisk.

Caution: if you need to replace the MBR to remove a boot sector virus, check your virus vendor's documentation on the virus very carefully. Replacing the MBR may be the worst thing you can do given certain viruses that twiddle with disk sectors - hiding or encrypting data. In such a case, replacement of the MBR will result in ALL your disk partitions and data being lost. If you have such a virus, use anti-virus software to remove the virus.
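The DEBUG listing above writes 512 zero bytes to the first sector, and that sector holds the partition table as well as the boot code. The following added example (not from the original article or from Minasi's code) inspects a saved MBR image using the standard layout: partition table at offset 0x1BE, signature 55 AA at 0x1FE. The sample sector and all function names are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE      # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE  # boot signature bytes 0x55 0xAA


def inspect_mbr(sector: bytes) -> dict:
    """Summarise a 512-byte MBR sector image (hypothetical helper)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for index in range(4):
        entry = sector[TABLE_OFFSET + 16 * index:TABLE_OFFSET + 16 * (index + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": index, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
        "boot_code_blank": not any(sector[:TABLE_OFFSET]),
        "partitions": partitions,
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: dummy boot code plus one active FAT16 partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:2] = b"\xeb\xfe"  # placeholder boot code bytes, not a real loader
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\x3f\x7f", 63, 2056257)
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    print("backup image :", inspect_mbr(build_sample_mbr()))
    # A sector filled with zeros, as the DEBUG fill at 9000:0 produces.
    print("zeroed sector:", inspect_mbr(bytes(SECTOR_SIZE)))
```

A zeroed sector reports no signature and no partitions, so the partition entries recorded in a backup image are what you would need to recreate the same layout afterwards.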

Remember the term backups? Sorry. Couldn't resist.
