How To Check For And Fix MBR Virus Infection

This article explains methods of MBR virus removal – how to check for and fix a Master Boot Record virus.

In my computer repair business, such infections are becoming ever more common because the Master Boot Record is such a great place for viruses to avoid detection.

And most standard antivirus programs can’t delete them which makes them especially difficult to remove – other more specialized removal tools are required.

What Is The Master Boot Record (MBR)

It is a special type of boot sector stored at the very beginning of your hard drive – so it is outside of normal Windows partitions and volumes. It contains data on how the hard drive is partitioned and also loads the installed operating system.

Crucially, the code in the MBR is run as your computer first starts up (before Windows loads) which makes it a great place for a virus or rootkit to hide.

Even if you reinstall Windows or format your hard drive, a Master Boot Record virus will not be deleted. So, after you reinstall Windows, your computer runs that same MBR code again which then reinfects your brand new installation of Windows with more viruses – and you’re back to square one…

Typical Sign of MBR Virus Infection

The most obvious sign is if you still encounter virus activity (e.g. redirected webpages etc) even after you ‘successfully’ removed all viruses – and multiple full virus scans with different antivirus programs detect no more viruses.

This happens because the virus is hidden in MBR code outside of Windows so standard antivirus programs don’t even know it’s there – as fast as you clean up Windows, the virus reinfects it the next time you restart.

For this reason it is really important that, after you have removed all viruses from within Windows, you also scan the MBR to check it is virus free – even if you plan to format the hard drive and reinstall Windows again from scratch.

If you do plan to reinstall Windows, consider the benefits of partitioning your hard drive.

Warning: you should always have a full backup of your important data before trying to clean MBR as there is potential to corrupt partition tables which could stop Windows from loading and possibly lose access to all data stored on the hard drive.

If you suspect an MBR virus, or want to check if it is corrupted, you should run an MBR scan with one of the following tools:

1. Avast Rootkit Scanner

Download the Avast rootkit scanner (aswMBR.exe) here. Follow the instructions on the download page to run it and scan for MBR infection.

If the scan report says ‘Windows 10/8/7/Vista/XP default MBR code’ as shown in the bottom line of the example below, you have standard Windows MBR code i.e. no MBR virus.

Avast rootkit scanner

Note that non-standard MBR code is not necessarily a result of virus infection – it may contain code written by your computer’s manufacturer that would be used to let you restore your computer back to factory settings.

Avast’s scanner offers a FixMBR option which acts as a MBR cleaner, replacing it with the Windows default MBR code.

You will need to restart your computer after fixing, then rerun the tool again to check that no further MBR infection is found (hopefully this time it should only find ‘Windows 10/8/7/Vista/XP default MBR code’.

Warning: FixMBR means erasing it and recreating with a standard default set of code for your version of Windows so you will no longer be able to use the manufacturer’s ‘factory restore’ method to reinstall Windows.

2. GMER MBR Virus Detector

Download the GMER Detector (mbr.exe) halfway down the page here. Run it and the program quickly creates a file called ‘mbr.log’ in the directory where you saved the mbr.exe program.

Open the mbr.log text file and see if it indicates that your MBR is legitimate – the user and kernel MBR should give the following report if the MBR is clean:

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

If the MBR code is not legitimate you can use GMER to clean it but it is for really advanced users – it’s easier to use one of the other methods to fix it (my is Avast’s scanner above).

3. MBRCheck Detector

Download the Geekstogo MBRCheck program (mbrcheck.exe) here and run the program to check for a non-standard or infected MBR – the example below shows MBR that is standard ‘Windows XP’ code (i.e. not infected)

MBRCheck Master Boot Record virus removal

If non-standard or infected MBR code is found, you will need to follow the following menu options carefully:

Choose ‘Restore the MBR with a standard boot code’ then choose the physical disk number to fix (usually disk 0 / zero) and select the MBR code for your version of Windows e.g. Windows 10/8/7/Vista/XP.

Finally, confirm you wish to change the code.

4. Using a Windows Recovery CD/DVD to FixMBR

This is a fix rather than a scanner – you can use a Windows installation disk or Recovery CD to repair a corrupted or virus infected MBR by replacing it with standard Windows MBR code.

This is especially useful if you have previously attempted a fix using one of the above 3 methods and it left your computer unable to start up:

Windows 10, 8, 7 and Vista

  • Boot using a Recovery CD or Windows Installation DVD
  • At the Welcome screen, click ‘Repair your computer’ to enter the Recovery Environment
  • Select ‘Troubleshoot’
  • At the System Recovery Options menu choose ‘Command Prompt’
  • At the command prompt type in the command: bootrec /fixmbr
  • Press Enter to replace the MBR, then type Exit and press Enter
  • Remove the DVD/CD and then restart your computer

XP

  • Boot using an XP Installation disk to the Recovery Console
  • After logging into the Administrator account (usually with a blank password), at the Command Prompt, type in the command: fixmbr
  • Press Enter to replace the MBR, then type Exit and press Enter
  • Remove the DVD/CD and then restart your computer

Conclusion

It is not advisable to try to clean MBR code unless you have good reason – if it goes wrong, a corrupted MBR can result in Windows not starting or even cause loss of all data stored on the hard drive.

Replacing the MBR with standard Windows code may also result in the loss of the manufacturer’s factory restore options.

However, if the Master Boot Record is infected by a virus, there is often little choice other than to replace the MBR code with a known good default alternative – this should be done even if you intend to format and reinstall Windows.

To avoid such infection in the first place, consider switching to a better antivirus program – my favorite, which I use on all my systems, is Kaspersky Internet Security.

6 thoughts on “How To Check For And Fix MBR Virus Infection”

  1. The infection on my Windows XP notebook is preventing it from botting from the CD-ROM and I cannot use a USB because the virus or rootkits or whatever it is in there will infect any USBs connected to the notebook (it has already wiped out one of my USBs and planted itself in a System Volume Information (SVI) folder and made the SVI folder invisible and deny access to anyone / anything that tries to remove it. The infection is also preventing me from accessing the Internet.

    I can try to run the programmes listed above, but I have the following queries:

    1. Do I need to run them in Safe Mode?
    2. How can I retrieve those reports, especially the lengthy GMER ones since I cannot use a USB drive nor connect to the Internet?
    3. What is Ubuntu distro and what does it do?

    Any advice will be greatly apprieciated.

    Andrew

    • @Andrew – this article only applies to MBR infections, most viruses don’t infect that. A virus won’t stop you booting from CD as this bypasses the hard drive entirely – there must be another reason so check your BIOS settings to make sure it is set to boot from CD first and try a different boot CD in case yours is faulty.
      1. you don’t need to run them in safe mode but may have to if the virus blocks them
      2. you don’t need to retrieve the reports, they’re displayed on screen and, if your MBR is infected, they give you a means to reset it.
      3. Ubuntu is one version of Linux, often used as a boot CD to access your files without booting into windows e.g. to copy your docs/pics etc to a usb/external drive – a windows virus shouldn’t be active within Linux (though of course if you copy a virus infected file to usb then try to access it from a clean pc it could infect that pc too)

  2. Experienced really slow and hesitant bootup in Windows 7 and it’s reappeared in Windows 10 too.
    Download HDHacker to a separate partition or usb key. It will copy MBR as…BootSector_DriveC.dat…file which
    HDHacker can write to repair MBR code.
    If you keep a link to HDHacker.exe on your desktop it only takes 30secs to open as admin and rewrite MBR with the good backup. Best done just before you log off the pc each day If you find this MBR pest otherwise invades at intervals of a few weeks.
    Lazesoft Recovery disc can be used to rewrite just the MBR rather than do the full C Drive restore.
    As of course can some other Backup/Recovery software using CD or Flashdrive to restore from bootup.

  3. Not all M.B.R Virus can be fixed in this way. New Viruses have adapted to Command line repair, and in short you will not be able to repair your computer using these methods.

    Recently, I can across a stubborn M.B.R Virus that would not allow me to repair the Master Boot Record using traditional ways.

    I Tried every rescue disk from all the major Anti-Virus Company’s with no luck. Then last I Used –> Comodo Rescue Disk <– with the options to scan the M.B.R sure enough they were the only anti virus that found the problem and removed the virus.

    I am a computer repair tech in Dallas and I fix 10-20 virus infested computers a week, and this is the first time that I actually could not find a fix for this virus, and cannot believe that Comodo Rescue Disk actually found and fixed the virus.

    So, to all the people that are having trouble finding a fix to your problem, and getting the same results from all the online communities, I hope this helps.

    P.S. – Make sure you download the rescue disk from a clean computer, and if you have other computers on your network, or in your LAN make sure you disconnect them from the internet, and the network. Then run the rescue disk, on each computer.

    P.S.S – no need to have internet hooked up, skip update option when asked.

    Comodo Rescue Disk Link

    http://download.comodo.com/crd/download/setups/comodo_rescue_disk_2.0.261647.1.iso

    Hope this helps.

    Jason Swartz

  4. What specifically does this output mean? I literally don’t know what it means, and everyone else just says run this and run that instead of telling me what the output from the first one means.

    device: opened successfully
    user: error reading MBR
    kernel: MBR read successfully
    user != kernel MBR !!!

    I can supply the actual machine language and assembly language code of my mbr. Not only do I have it, and the partition table constructed from it, but that means that it must be possible to read teh master boot record. Someone on the AVAST forum is saying it doesn’t look infected.

    I want all the t’s and i’s to add up before I conclude it isn’t infected.

    Thanks!

    • User privileges might stop you reading the MBR but kernel can read it ok and no infections are reported, contact GMER support if you need a full explanation of the the way MBR.exe works.

      If the other 2 tests also report no infection then your MBR should be ok – if you still have signs of infection then run GMER itself.

      If in doubt (and it’s a non-standard MBR) you could just fixMBR it to default code – and that way you’ll be able to easily tell in future if it has been infected as it will no longer be default windows code…

Comments are closed.