by lunarg on April 19th 2011, at 15:55

The latest trend in virii is the use of MBR rootkits to settle themselves in the unused (hidden) sectors of your harddrive, safe from any formatting or reinstallation of Windows. They cannot be removed by an antivirus as the rootkit directly interacts with the kernel upon boot, long before any antivirus system drivers are being loaded. The rootkit does not patch actual files or drivers, but rather does this dynamically upon booting Windows. A complete format of your system would not get rid of the MBR as it is hosted in the first sectors of your hard drive and therefore survive a format of a single partition.

More information can be found here:

So how to get rid of it?

There's but one way to get truly rid of the thing, and that's by firing up a raw disk editor and clear out its sectors: restore the MBR to a previous one, and clean up certain sectors in the system.

While this is usually not an easy task, there's a much quicker way to simply prevent it from loading with your OS by restoring the MBR with a clean copy. This way, the malicious code still exist in other sectors, but they are no longer called through the MBR. For this to work, you need a restore disk or original installation disk of your Windows (either XP, Vista or 7). A disk for 7 can be used for Vista as well, but not for XP.

Steps to clean out the MBR
  1. Boot with your restore or installation disk, and select to perform a manual repair.
  2. Open a command prompt (for XP, this is done automatically when performing a manual repair).
  3. Depending on your OS you need to run the following commands:
    • For XP: run these in order:
    • For Vista and 7: run these in order:
      bootrec /FixMbr
      bootrec /FixBoot
  4. Reboot back into your OS. Check the status with your virus scanner or by using the mbr tool from
« March 2021»
« You only find out who is swimming naked when the tide goes out. »
Warren Buffett