How to deal with boot viruses? Boot sector viruses in Windows 7


Description of the problem:
Immediately after the computer is powered on, the POST (Power On Self Test) procedure runs. The POST procedure reads the master boot record (MBR) from the hard drive and loads it into the computer's RAM. The master boot record contains a boot program and a partition table that describes all the partitions on the hard drive. When a boot virus infects a computer, it replaces the master boot record; the computer then boots as usual, but the virus is already in memory and can control the operation of all programs and drivers. From then on, every time the computer boots, the virus gains control and installs itself resident in memory.

Solutions to the problem: If the antivirus cannot remove the virus from the MBR sector, you can use Windows itself, namely system recovery. Using System Restore, you can overwrite the master boot record of the boot partition and thus remove the virus. To do this you will need a bootable Windows disk.

To run System Restore, start the computer from the boot disk. To boot from it, turn on the computer, press the Delete key to enter the BIOS settings and set booting from CD-ROM. Insert the boot disk with the Windows installation package and restart the computer. When the Windows installer has loaded its files into the PC's RAM, the Windows Installation dialog box appears, containing a menu from which you need to select "To restore Windows using the Recovery Console, press R".

Press the R key. The Recovery Console will load. If the PC has one OS installed and it is installed (by default) on drive C:,

then the following message will appear:

Which copy of Windows do you want to log on to?

Enter 1, press Enter and enter the administrator password. When the system prompt appears, enter fixmbr.

A message will appear:

**WARNING**

This computer has a non-standard or invalid Master Boot Record. Using FIXMBR may damage your existing partition table. This will result in loss of access to all partitions of the current hard drive.

Recently, more and more complaints have been received about a virus that completely blocks the computer and extorts money at the stage before the operating system boots (red letters on a black screen). The problem is that for an unprepared user the situation can become a real dead end: the computer does not boot in either normal or safe mode, booting and scanning with an antivirus from a live CD is ineffective, and even an attempt to reinstall Windows may not succeed! Here I will describe ways to actually remove it easily and simply.

This virus infects the MBR, the master boot record of the hard drive, which neither the user nor the operating system normally accesses. This is where all the complexity lies, and at the same time the simplicity of its removal.

Infection usually occurs when you click an infected link or load an infected web page. A few seconds later the computer shuts down, tries to reboot and displays a message saying "Your computer is blocked for viewing, copying and reproducing videos with elements of pedophilia... You must pay a fine of..." and so on. Payment is made through IBOX-I to the WEBMONEY wallets U338098752819, U225475893811, U25097606445, U193923440709, U255460166383, U22916721843, 380684668914, etc., or by topping up a mobile phone account. There are different varieties of the virus for Ukraine and Russia:

A version of mbr-winlock for aliens (if they use Windows) (joke). The author was smart enough to write and distribute a virus, but was not able to write the message in the correct encoding))

I would also note the almost complete failure of antiviruses against this scourge: paid ones with big names, just like two years ago, are unable to respond in a timely and adequate manner to this truly serious threat:

Checking the sys3.exe virus file on virustotal.com showed that at the time of infection, only 5 out of 43 antiviruses could catch this Winlocker!

Each infection is accompanied by the presence of the file sys3.exe (the virus itself) in the browser's temporary files and netprotocol.exe in startup (it creates a hole in the operating system). The versions of these files change all the time and the detection rate of antiviruses against them remains extremely low; the attackers have not yet changed the file names.

Exploitation of a Windows vulnerability: the user simply surfs the Internet, and meanwhile the attackers modify the MBR and reboot the computer!!!

The helplessness of our police in fighting this type of crime: they do not know how to catch such criminals, they cannot and do not want to, which is what scammers use and will continue to use.

People who pay the scammers are accomplices and sponsors of these crimes. These viruses will appear again and again as long as they are economically profitable.

Method 1: Recovering MBR from Acronis TrueImage backup

If you are one of those people who, after installing Windows, drivers, programs and settings, made a backup copy of the system disk, congratulations: your efforts were not in vain! This problem is not a problem for you; you just need to boot from the Acronis boot disk and restore the MBR from your backup:

Boot from the Acronis True Image disk and select Recovery.

Select the image file of the system disk

Select Restore disks or partitions

Select from the list the (system) hard drive on which you want to restore the MBR

Click the Proceed button

After the reboot, not a trace of the virus remains; all that is left is a "control cleanup" of the computer with fresh antivirus and anti-Trojan programs.

Method 2. Using the CureIt utility from DrWeb or Kaspersky TDSSKiller

Although DrWeb misses this infection itself, it can successfully treat its result, the modified MBR. To do this, boot from any LiveCD and run the utility. The malicious record is neutralized in a matter of seconds:

Dr.Web CureIt! restores the boot record in seconds

After the reboot, Windows boots in normal mode as if nothing had happened.

UPD (18.05.2012):

New modifications of this virus change the partitioning of the disk. Screenshot of the Windows Disk Management console before treatment with the DrWeb CureIt utility:

After treatment and reboot:
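The MBR layout described at the top of this page (446 bytes of boot program, a four-entry partition table, the 0x55AA signature) is simple enough to check by hand. The following added example, which is not code from the original article, parses a 512-byte MBR and compares it with a known-good backup copy, so that both symptoms discussed above can be detected: a replaced boot program (the locker) and a changed partition table (the newer modifications). All sample bytes and partition values are constructed for illustration; on a real machine the current MBR would be read from the physical disk by an administrator.

```python
# Added example, not from the original article. Parses an MBR and diffs it
# against a trusted backup. All byte strings below are constructed samples.
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot program
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
ENTRY_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
SIGNATURE = b"\x55\xAA"    # boot signature at bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into boot code, non-empty partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype == 0:                   # type 0 marks an unused entry
            continue
        partitions.append({
            "bootable": status == 0x80,  # 0x80 = active partition flag
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code": mbr[:BOOT_CODE_LEN],
        "partitions": partitions,
        "signature_ok": mbr[510:512] == SIGNATURE,
    }


def compare_mbr(backup: bytes, current: bytes) -> dict:
    """Report what differs between a trusted backup MBR and the current one."""
    b, c = parse_mbr(backup), parse_mbr(current)
    return {
        "signature_ok": c["signature_ok"],
        "boot_code_changed": b["boot_code"] != c["boot_code"],
        "partition_table_changed": b["partitions"] != c["partitions"],
    }


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(struct.pack(ENTRY_FMT, *p) for p in partitions)
    return code + table.ljust(4 * PART_ENTRY_LEN, b"\x00") + SIGNATURE


# Constructed samples: a clean MBR with one active NTFS partition, the same disk
# with only the boot program replaced, and one whose partition table changed too.
CLEAN_MBR = build_mbr(b"CONSTRUCTED-CLEAN-BOOT-CODE", [(0x80, 0x07, 2048, 204800)])
INFECTED_MBR = build_mbr(b"CONSTRUCTED-REPLACED-BOOT-CODE", [(0x80, 0x07, 2048, 204800)])
REPARTITIONED_MBR = build_mbr(b"CONSTRUCTED-REPLACED-BOOT-CODE",
                              [(0x80, 0x07, 2048, 204800), (0x00, 0x17, 206848, 4096)])

if __name__ == "__main__":
    # On a real Windows machine the current MBR is the first 512 bytes of the
    # physical disk (e.g. r"\\.\PhysicalDrive0", administrator rights required).
    print(compare_mbr(CLEAN_MBR, INFECTED_MBR))
    print(compare_mbr(CLEAN_MBR, REPARTITIONED_MBR))
```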

Method 3: Using the Windows installation disc

Attention! In light of the latest modifications of this virus, using this method is NOT RECOMMENDED!

For Windows XP: insert the installation disk and turn on the computer, then press any key to confirm booting from it (Press any key to boot from CD...). Wait for the disk to load completely and offer a choice of actions. Select recovery mode with the R key. The system will then prompt you to choose which of the OSes found to restore; press its number and Enter (usually 1). Now enter the administrator password; if there is none, leave it blank and press Enter. You are now in the Recovery Console. Enter the command FIXBOOT, press Enter, and when asked to confirm, press Y. Then enter the command FIXMBR, press Enter and confirm again with Y. Now type EXIT and reboot. You can boot from the hard drive. That's all.

For Windows 7: boot from the installation disk or flash drive with Windows 7, choose system recovery, then the command line, and run bootsect /mbr. That's all.

Method 4: Reinstall Windows

When reinstalling Windows, you must completely delete the system partition and then create it again. The MBR will be recreated at the same time.

UPD (01/26/2012):

Today I discovered the body of the virus, the file

"Your computer is blocked by the Internet Police for searching for and viewing video materials containing pedophilia, perversion, sexual abuse of children... Webmoney 380971559633, 850 hryvnia"

The situation with detection of this variety by antiviruses is still very sad. For those interested, the virus body can be found here (the archive password is infected):

UPD (07/13/2012):

Yesterday I unblocked the latest version, whose notable feature is the almost 100% "blindness" of antiviruses (including Kaspersky). Distributing this sample to antivirus vendors had some effect. Download the virus body (the archive password is infected):

How to remove a banner blocking your computer

Recently, new types of banners have become widespread that write themselves into the boot sector of the disk (MBR) and block the computer even before Windows boots. This is the so-called MBR.Lock (MBR-lock).

They all look equally primitive, since they run in text mode when the computer starts. Usually this is red text on a black background, which is nothing new in itself, with a demand to pay a fine for viewing gay porn, child porn and video materials containing violence. In RuNet, MBR locks are distributed with a demand to pay a fine to an MTS or BEELINE subscriber account, and in Ukraine and Belarus to a WebMoney electronic wallet.

Naturally, you don't need to pay anyone; it won't help. After all, a mobile phone payment terminal simply cannot print an unlock code. Looking for an unlock code is also pointless: often there simply are no codes to unlock these banners.

In this article, we will look at methods to combat the MBR.Lock Trojan for Windows XP and Windows 7.

Removing a banner in the Windows XP boot sector via the Recovery Console

Not everything is as scary as it seems. In fact, removing the MBR.lock banner is much easier than it looks. What is required is MBR (master boot record) recovery.

For treatment we will need a Windows XP installation disk. If you do not have one, its image can be downloaded and burned to a CD-R, for example using the DeepBurner program (distribution). For details on how to burn a disc from an image using DeepBurner, read the article
Boot from the disk (if booting from the disk downloaded from the link above, select the menu item Install Windows in manual mode).

Press the R key to launch the Windows XP Recovery Console.
After the console loads, you will be asked which copy of Windows to log into.

Select your copy. If you have only one OS, enter 1 and press Enter.

You will be asked for the administrator password. Enter it and press Enter. If there is no password, enter nothing and simply press Enter. After this you will be logged in, as shown by the command prompt.

Enter the command fixmbr and press Enter. To the question "Do you confirm writing the new MBR?" type y (in the Latin layout), which means yes, and press Enter.

If the message "New Master Boot Record was successfully created" appears, everything went well and the MBR has been restored. Enter the command exit and press Enter. After this, the computer will restart. That's it, the computer is unlocked!

How to Recover MBR in Windows 7 - Computer Locked Before Windows Boots

The process of restoring the MBR and unlocking the computer in Windows 7 is similar to restoring the MBR in Windows XP. Here I will describe restoring the MBR, and thus unlocking the computer from Trojan.MBRLock, using ERD Commander.

2) Set the BIOS to boot from the disk or flash drive (depending on which you made). Boot. In the ERD Commander version selection menu, select version 6.5 for Windows 7.

Loading begins. For some time there may be just a black screen and a feeling that the computer has frozen. It has not: the image is first loaded into RAM and nothing is displayed on the screen during that time.

3) After loading completes, you will be prompted to connect to the network in the background. Decline.

4) Click Yes to the question about reassigning drive letters.

5) Select the keyboard layout.

7) In the menu that appears, select Command line.

A command prompt window will appear. Enter the command bootrec.exe /fixmbr and press Enter.

If we want to get rid of the current structure of a hard drive, removing all partitions on it and returning it to its original unallocated space, we can do this in a running Windows environment with its standard tools if two conditions are met. First, the disk being operated on, the one whose partitions we want to remove, naturally must not be the storage of the current OS.

Storage means either all partitions of the system or at least one of them, for example the boot partition. Second, the disk being operated on must not contain partitions protected from deletion. If the disk has the MBR partition style, using the utility included in Windows we can easily delete all user and system partitions

and turn the disk space into unallocated space, on which we can create a new partition structure for other tasks.

It is a different matter with GPT disks on which Windows was previously installed: we will not be able to clean them completely. For the hidden EFI system partition, neither the delete function nor any other options will be available.

Even if you get rid of all the other partitions, the EFI partition will remain.

Similarly, the media of OEM devices may also have undeletable service Recovery partitions required for rolling Windows back to factory settings.

How to clean an HDD with structure-protected partitions, that is, delete all partitions and remove the partition style so that it becomes as it was before initialization? Let's look at several options for how this can be done.

1. Command line

A standard Windows tool can clean storage media of their structure: the command line. Important nuance: it must be run as administrator.

In its window, enter sequentially:

diskpart
list disk
select disk 0

Here, instead of zero, substitute the number of your own disk.

The last step is to enter the command to clear the media from the structure:

clean

That's it: the disk is cleared of partitions and initialization. After this, we can turn to the utility again to create a new structure.

Choose the GPT or MBR partition style.

2. Windows installation process

The Windows installation process can also delete hidden partitions. If the system installation media is connected to the computer, boot from it and remove the partitions at the stage of choosing the installation location. Then cancel the installation and restart the computer.

However, this option is only suitable for users who know the disk being operated on well. Since the installation process displays disk space as a flat list of partitions, there is a high probability of mistakenly damaging the structure of the wrong media.

Those who dislike the command line can resort to third-party disk management software such as Acronis Disk Director 12. It is more functional, more usable and in some sense even a safer way of carrying out partitioning operations on storage media.

3. Acronis Disk Director 12

Both the disk manager from Acronis and its analogues are notable for their clear and understandable presentation of the disk structure. Moreover, such programs as part of a LiveDisk are the only way to solve the problem posed in this article if the disk being operated on is the only one in the computer. To get rid of the disk structure with Acronis Disk Director 12, select the disk, for example in the visual representation,

and use the function.

Acronis warns us that the media being cleaned contains boot partitions, and thus protects us from rash decisions. The fact is that two copies of Windows installed on different drives can have either their own loaders or one common one. It is important to check this point: the Windows you are keeping must have its own boot partitions:

either System Reserved (MBR);
or "Restore" and "EFI" (GPT).

If Windows does not load when you turn on your computer and the process freezes on a black screen, your hard drive's boot record (MBR) may be damaged.

External manifestations

When an error appears on the screen, doubts disappear.

Other information about a malfunction of the HDD bootloader may also be displayed.

The text may vary depending on the type of error, but when the word boot is mentioned, it is clear that there is a problem with booting.

You can find out how to restore the MBR on this page.

Causes

Please note the common causes of HDD boot sector failures.

Two types of bootloader

On older systems, up to Windows XP, the NT Loader (NTLDR) was used. In Windows Vista, 7 and later versions of the OS, UEFI and EFI began to be used. Therefore, old and new systems are usually not installed on the same PC; otherwise NTLDR overwrites UEFI.

Third party software

Errors in the HDD boot sector can occur when using even popular hard drive partitioning programs. This happened to me with Acronis. It happens because such software replaces the disk boot drivers with its own, which can corrupt the original MBR entry. Therefore, it is better to use the partitioning tools built into Windows.

Viruses

Viruses sometimes wreak havoc on the MBR. Therefore, after restoring the HDD boot record, check your computer with antivirus programs.

If you are sure that the cause is viruses, clean your PC of them before repairing the MBR. For this purpose there are utilities from well-known antivirus companies, for example Kaspersky Rescue Disk. They are provided free of charge on the official websites together with instructions for use.

Any of these programs is provided as a package for a CD or DVD, which allows you to boot from the disc, then find and remove viruses on the HDD.

Windows 7 Boot Recovery

Sector repair is performed from a CD or USB flash drive with the operating system installation package.

  1. First, insert the DVD with the Windows distribution into the drive, or the flash drive into the USB connector.
  2. Then you need to allow booting from these devices. This is done in the BIOS settings.

Changing boot sources

Proceed in the following order:


Be sure to press F10 when exiting, otherwise the changes will not be saved!

Working from a CD or flash device

Proceed in the following order:

  1. After the reboot, the message "Press any key..." will appear at the bottom of the screen. It asks you to press any key. Press one; it will not work otherwise. If the message has already disappeared, repeat everything from the beginning: press three keys at once, Ctrl+Alt+Del, which will restart the computer.
  2. When you boot from the DVD or flash drive, the Windows installation window will appear. At the bottom left, select "System Restore".
  3. You will be prompted to connect network capabilities, select a language or a drive letter. Change nothing and go on to the choice of systems.
  4. Highlight the desired Windows and check the box next to "Use recovery tools...".
  5. If the required system is not listed, it should appear when you click "Load drivers".
  6. Continue with the "Next" button.
  7. In the next window, select "Startup Repair", and the MBR may be revived automatically.
  8. If the sector still does not work, click "Command Prompt".
  9. On the command line, call the Bootrec utility and tell it to repair the MBR: bootrec /fixmbr. End each command with the Enter key.
  10. Then create a new boot sector: bootrec /fixboot. To exit the program, type exit and remember to press Enter.

If the fixes didn't help

There is another MBR resuscitation command: bootsect /NT60 SYS. After that, try booting again.

If the attempt fails, type bootsect /rebuildbcd on the command line. A search for operating systems installed on the PC will be performed.

Now try logging into Windows again. Please note that there will now be one more system in the list. Try to enter each of them. It should work!

Non-standard way

If none of the sector recovery options help, reinstalling Windows is recommended. And how little one wants to do that sometimes! Isn't it true?

I thought so too and decided to put another small system next to it. What does "small" mean? It is a bootloader system. It is empty: I did not install drivers or my programs on it, because I don't work in it. But it boots!

I achieved what I needed: a working boot area appeared on the hard drive. Now I log into the old system normally. The downside is that I lost about 14 GB of disk space. If you are not afraid of that, you can use this method!

How to fix a sector in Windows 8-10 and Vista?

For Vista and later Windows versions, the same methods apply as for the "seven"; only the look is different. For example, in the "eight" it looks like this.

But the points remain the same. Therefore, we will not describe them. Use the instructions described above for Windows 7.

On Windows XP

In XP the principle of sector resuscitation is similar, but the entry into it is a little different. Here it is:

  1. After booting from the CD, system files are copied to the hard drive.
  2. Then the action selection window appears.
  3. Select the recovery option using the console, so press the R key.
  4. Next, you will be asked which system to log into. When there is only one, there is nothing to choose, but you still need to answer. To do this, press "1" on the keyboard if it says "1. C:\WINDOWS", or press the number next to the desired OS.
  5. Then a black DOS-style screen appears. This is the same command line, but filling the entire monitor area. Type fixboot and press Enter.
  6. You will be asked whether you want to write a new boot sector.
  7. If you answer positively, type Y. Remember that you press Enter after each entered command or answer.
  8. Then a message about the successful operation appears, if everything went right.