How to scan and remove MBR viruses?

6

3

Once I read that the Windows 7 installation disc could clean an infected MBR. I also found an article that suggested one tool to scan the MBR for viruses. And I also read that one MBR virus could prevent the loaded OS from writing to the MBR, but it could fool it into believing that the writing was successful.

  1. Does MS Security Essentials scan the MBR?
  2. Should I trust Geekstogo's MBRCheck.exe?
  3. What tools can help me to scan and clean my MBR?
  4. Will a Windows reinstall clean my MBR?

Jader Dias

Posted 2011-07-26T12:14:59.353

Reputation: 13 660

Answers

3

  1. Nothing can, I don't think.
  2. Yes, to the extent it's not a virus or anything; I don't know how helpful it will be.
  3. See here for how to rewrite your MBR.
  4. Bootstrap from a read-only installation disc into the recovery console and use bootsect. Thank you @JdeBP

soandos

Posted 2011-07-26T12:14:59.353

Reputation: 22 744

In that thread a guy found a MBR rootkit using http://www.gmer.net/

– Jader Dias – 2011-07-26T12:22:14.853

He found what could be a rootkit. Its behavior matched that of one, but in theory, it could have been a bad driver or something. – soandos – 2011-07-26T12:23:24.633

I have one additional question, see my edit in the OP. – Jader Dias – 2011-07-26T12:23:53.400

A bad driver that writes to the MBR? It's very suspicious... – Jader Dias – 2011-07-26T12:24:35.053

Yup (though I was talking about having I/O errors to the MBR with a bad HD driver or something), but it's not like virus definitions where you can just take a file's hash and you are done. – soandos – 2011-07-26T12:26:10.730

Now I understand your point, but about your last answer I'm unsure. If a format targets a partition, how will it affect the MBR? AFAIK the MBR is outside the partitions... – Jader Dias – 2011-07-26T12:35:06.807

I'm talking about a whole disk format, sorry that was not clear. You are correct that a partition format would not do. – soandos – 2011-07-26T12:45:32.010

Is that what happens when you delete all partitions and create a new one and format it? – Jader Dias – 2011-07-26T12:47:18.140

Yes, but it also hits the MBR, and if it's a low-level format, it gets the spare tracks too, I believe. – soandos – 2011-07-26T12:48:51.600

1

First: One doesn't low-level format modern (ATA and SCSI) hard discs. Second: One doesn't need a format to make sure. One can quite happily make sure by bootstrapping from a read-only installation disc into the recovery console and using bootsect.

– JdeBP – 2011-07-26T15:12:44.223

Would using a win95 boot disk and running fdisk /mbr overwrite any MBR viruses? – music2myear – 2011-07-26T15:17:35.633

Not sure it's the same thing, but you might want to ask a separate question on that. – soandos – 2011-07-26T15:20:00.897

@music2myear not if the disk is itself infected – Jader Dias – 2011-07-28T17:02:04.750

2

I literally just finished scanning my brother's hard drive (connected via a USB hard drive dock) to my Windows 7 machine, and Microsoft Security Essentials picked up an MBR virus. MSE should be able to detect the problem if there is a virus (run chkdsk /R if you don't find one, could be corrupted sectors on the disk).

If the MBR or boot sector is corrupted, you can use TestDisk to repair/overwrite them (it can even find corrupted or missing partitions and rewrite the partition table!). Alternatively, you can also use TestDisk to simply recover the files (if you just want to format and start from scratch).

Breakthrough

Posted 2011-07-26T12:14:59.353

Reputation: 32 927
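
As an added illustration of what checking an MBR involves (not code from any poster in this thread or from the tools named above): a sketch that parses a 512-byte MBR sector read from a drive attached to a known-clean machine, hashes the bootstrap code area and flags structural anomalies. The function names, the sample sectors and the baseline are constructed for the example; a real baseline would be the hash of a trusted copy of the same boot code.

```python
import hashlib
import struct

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR sector into a boot-code hash and partition entries."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i : 462 + 16 * i]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"index": i, "status": status, "type": ptype,
                          "lba": lba, "count": count})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        # Hash the bootstrap code only; disk signature and table vary per disk.
        "boot_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": parts,
    }

def findings(mbr: dict, baseline_sha256: str) -> list:
    """Return human-readable anomalies; an empty list means nothing flagged."""
    out = []
    if not mbr["signature_ok"]:
        out.append("missing 0x55AA boot signature")
    if mbr["boot_sha256"] != baseline_sha256:
        out.append("boot code differs from baseline")
    if sum(p["status"] == 0x80 for p in mbr["partitions"]) > 1:
        out.append("more than one active partition")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):
            out.append(f"partition {p['index']}: invalid status byte")
        if p["lba"] == 0:
            out.append(f"partition {p['index']}: starts at LBA 0")
    return out

def build_sample(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code plus one active NTFS partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code.ljust(446, b"\x00") + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    clean = build_sample(b"\xfa\x33\xc0" + b"\x90" * 100)    # constructed bytes
    baseline = parse_mbr(clean)["boot_sha256"]
    changed = build_sample(b"\xeb\x3c\x90" + b"\x90" * 100)  # constructed bytes
    print(findings(parse_mbr(clean), baseline))
    print(findings(parse_mbr(changed), baseline))
```

A hash mismatch only shows that the boot code is not the baseline; different operating systems and boot managers write different, legitimate boot code, so a mismatch is a reason to look closer, not a verdict.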