How To Check For And Fix MBR Virus Infection

Posted on January 15, 2012 in viruses

The MBR is the Master Boot Record. It is stored on your hard drive but outside of any Windows partition or volume. Crucially, the code in the MBR runs as your computer starts up, before Windows loads, which makes it an attractive place for a virus or rootkit to hide.

Even if you reinstall Windows or format your hard drive, a virus infecting the MBR will not be deleted. So, after you reinstall Windows, your computer first runs that same MBR virus code which then reinfects your new installation of Windows with viruses – and you’re back to square one…

In my experience (computer repair business) such infections are becoming ever more common as the MBR is a great place for viruses to avoid detection.

Typical Sign of MBR Virus Infection – You still encounter virus activity (e.g. redirected webpages etc) even after you ‘successfully’ removed all viruses (and multiple full virus scans with different antivirus programs found no more viruses).

This happens because the MBR virus is hidden outside of Windows so standard antivirus programs cannot find it – as fast as you clean up Windows, the MBR virus reinfects it the next time you restart. For this reason it is really important that after you have removed all viruses from within Windows you check the MBR is virus free - even if you plan to format and reinstall Windows again from scratch.

Warning: checking and fixing MBR code is for Advanced users – you should always have a full backup of your important data before trying any MBR fix as there is potential to corrupt partition tables, preventing Windows from loading and possibly losing all data stored on the hard drive!

If you suspect an MBR virus you should run several specific MBR checks:

1. Avast’s Detector – Download Avast’s MBR infection detector aswMBR.exe from here. Follow the instructions on the download page to run it and scan for any infections. If the MBR scan report says ‘Windows XP/Vista/7 default MBR code’ as shown in the bottom line of example below you have standard Windows MBR code i.e. no MBR virus.

[Image: aswMBR scan report, bottom line reading ‘Windows XP/Vista/7 default MBR code’]

Note that non-standard MBR code is not necessarily a result of virus infection – it may contain code written by your computer’s manufacturer that would be used to let you restore your computer back to factory settings (i.e. as it was when you first bought it).

MBR infections may be fixed with Avast’s FixMBR option, which replaces the MBR with the Windows default MBR code. You will need to restart your computer after fixing and then rerun the tool to check that no further MBR infection is found (hopefully this time it reports ‘Windows XP/Vista/7 default MBR code’).

Warning: Fixing the MBR involves erasing it and recreating with a standard default set of MBR code for your version of Windows i.e. you would no longer be able to use the manufacturer’s factory restore method to reinstall Windows!

2. GMER’s Detector – Download GMER’s MBR Rootkit Detector mbr.exe – halfway down the page here. Run it and the program quickly creates a file called ‘mbr.log’ in the directory where you saved the mbr.exe program.

Open the mbr.log text file and check whether it reports the MBR as legitimate. If the MBR is clean, the user-mode and kernel-mode reads should agree and the log should read:

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

If the MBR code is not legitimate you can use one of the other 3 methods to fix it (my personal favorite is Avast’s utility in method 1 above).

3. MBRCheck.exe detector – Download it from the geekstogo website here and run the program to check for a non-standard or infected MBR. The example below shows an MBR that is standard, i.e. ‘Windows XP’ code (not infected).

[Image: MBRCheck output identifying standard ‘Windows XP’ MBR code]

If a non-standard or infected MBR is found, you will need to follow the menu options carefully: choose ‘Restore the MBR with a standard boot code’, then choose the physical disk number to fix (usually disk 0) and select the MBR code for your version of Windows, e.g. XP, Vista or Windows 7. Finally, confirm that you wish to change the code.
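All three detectors above work by reading sector 0 and comparing the boot code against known-default code. The following added example (not from the original post or from any of the tools named) shows the same idea done by hand: parse a 512-byte MBR, verify the 0x55AA signature, decode the partition table and hash the 440-byte boot-code area so it can be compared with a baseline recorded while the disk was known clean. The sample MBR, the device path and the baseline value are constructed for the demonstration.

```python
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 440           # bytes 0..439: boot code that runs before Windows
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the disk signature
SIGNATURE = b"\x55\xAA"       # bytes 510..511 must be the boot signature

def read_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk (Windows path shown; needs Administrator rights)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries and signature flag."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        parts.append({"active": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[510:512] == SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": parts,
    }

def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the boot code matches the baseline and the table looks sane."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings

# Constructed sample MBR: dummy boot code (NOT real Windows code), one active NTFS partition at LBA 2048.
SAMPLE_MBR = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOTSTRAP_LEN - 7)
              + b"\x12\x34\x56\x78\x00\x00"
              + struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
              + b"\x00" * 48 + SIGNATURE)
# Baseline recorded while the disk is known clean (e.g. right after a FixMBR); compare against it later.
BASELINE_SHA256 = parse_mbr(SAMPLE_MBR)["bootstrap_sha256"]

if __name__ == "__main__":
    print("clean:", check_mbr(SAMPLE_MBR, BASELINE_SHA256))
    tampered = bytearray(SAMPLE_MBR); tampered[0] ^= 0xFF   # a single patched byte in the boot code
    print("tampered:", check_mbr(bytes(tampered), BASELINE_SHA256))
```

Note that a hash mismatch only tells you the boot code changed since the baseline was taken; as the post says, non-default code can also be a manufacturer's factory-restore loader, so confirm with one of the detectors before replacing it.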

4. Use A Windows Recovery CD/DVD To Fix MBR – You can use a Windows installation disk to repair a corrupted or virus-infected MBR by replacing it with standard Windows MBR code. This is especially useful if you attempted a fix using one of the first 3 methods and it left your computer unable to start up:

XP

Boot using an XP Installation disk to the Recovery Console
After logging into the Administrator account (usually with a blank password), at the Command Prompt, type in the command
fixmbr
Press Enter to replace the MBR and then restart your computer.

Vista & Windows 7

Boot using a Recovery CD or Vista/7 Installation DVD to the Recovery Environment
At the System Recovery Options menu choose ‘Command Prompt’
At the command prompt type in the command:
bootrec /fixmbr
Press Enter to replace the MBR and then restart your computer.

Conclusion

It is not advisable to replace the MBR unless you have good reason (e.g. it is infected with a virus) – if it goes wrong a corrupted MBR can result in Windows not starting or even cause loss of all data stored on the hard drive. Replacing the MBR with standard Windows code may also result in the loss of the manufacturer’s factory restore options.

However, if an MBR is infected by a virus there is little choice other than to replace the MBR code with a known-good default alternative, and this should be done even if you intend to format and reinstall Windows.

  3 Responses to “How To Check For And Fix MBR Virus Infection”

  1. What specifically does this output mean? I literally don’t know what it means, and everyone else just says run this and run that instead of telling me what the output from the first one means.

    device: opened successfully
    user: error reading MBR
    kernel: MBR read successfully
    user != kernel MBR !!!

    I can supply the actual machine language and assembly language code of my mbr. Not only do I have it, and the partition table constructed from it, but that means that it must be possible to read the master boot record. Someone on the AVAST forum is saying it doesn’t look infected.

    I want all the t’s and i’s to add up before I conclude it isn’t infected.

    Thanks!

    • User privileges might stop you reading the MBR, but the kernel can read it OK and no infections are reported. Contact GMER support if you need a full explanation of the way MBR.exe works.

      If the other 2 tests also report no infection then your MBR should be ok – if you still have signs of infection then run GMER itself.

      If in doubt (and it’s a non-standard MBR) you could just FixMBR it to default code – that way you’ll be able to easily tell in future if it has been infected, as it will no longer be default Windows code…

  2. Not all M.B.R viruses can be fixed in this way. New viruses have adapted to command-line repair, and in short you will not be able to repair your computer using these methods.

    Recently, I came across a stubborn M.B.R virus that would not allow me to repair the Master Boot Record using traditional ways.

    I tried every rescue disk from all the major anti-virus companies with no luck. Then lastly I used –> Comodo Rescue Disk <– with the option to scan the M.B.R, and sure enough they were the only anti-virus that found the problem and removed the virus.

    I am a computer repair tech in Dallas and I fix 10-20 virus infested computers a week, and this is the first time that I actually could not find a fix for this virus, and cannot believe that Comodo Rescue Disk actually found and fixed the virus.

    So, to all the people that are having trouble finding a fix to your problem, and getting the same results from all the online communities, I hope this helps.

    P.S. – Make sure you download the rescue disk from a clean computer, and if you have other computers on your network, or in your LAN make sure you disconnect them from the internet, and the network. Then run the rescue disk, on each computer.

    P.P.S. – No need to have the internet hooked up; skip the update option when asked.

    Comodo Rescue Disk Link

    http://download.comodo.com/crd/download/setups/comodo_rescue_disk_2.0.261647.1.iso

    Hope this helps.

    Jason Swartz