How to clean a virus from the hard drive
First let me clear up a common misconception about what the MBR,
the "Master Boot Record", is. "MBR" is loosely used to describe the
combination of the "Partition Table" and the "Boot Record" (or "Boot
Code"). The primary partition table is used as a pointer to
additional partition tables that might exist on the drive. This set
of partition tables forms a chain, each maintaining a pointer to the
next partition table, with a total of up to four partition tables on
a drive. The primary partition table also has a pointer to the Boot
Sector. The Boot Sector is a 512-byte sector (on NTFS) that contains
information about the physical characteristics of the hard drive,
i.e. cylinders, heads, sectors, drive ID, file system, and so on.
Viruses typically move the real MBR onto "slack space" sectors,
which are unused by your computer. The virus then writes its own
version of the MBR where the real MBR belongs. In this way the
virus can manipulate the bootstrap loader as you start your system,
and by doing so it can "stealth" itself from detection.
A virus in "stealth" mode may not be picked up by a normal
anti-virus scan. The virus redirects the anti-virus scanner to the
real MBR, which will scan as normal even though it is in the wrong
place. Most viruses will also pre-empt all incoming DOS file calls.
In other words, the virus "runs ahead" and disinfects the MBR or
file before the anti-virus software can scan it, and when the MBR or
file call is through, the virus re-infects the MBR or file.
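The two paragraphs above describe a 512-byte sector 0 holding boot code, a four-entry partition table and a trailing signature, and a virus that swaps in its own copy of that sector. The example below is an added illustration, not code from the original article: it parses a sector in that layout, hashes the boot-code region so it can be compared against a baseline taken from a known-clean system, and flags the sanity failures a defender would look for (missing signature, tampered boot code, no single bootable entry, overlapping entries). The sample sectors are constructed inline; the placeholder boot-code bytes and the partition values are assumptions, not taken from any real disk. The offsets used (446 bytes of boot code, 16-byte entries, 0x55AA at offset 510) are the classic MBR layout.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16
PARTITION_ENTRY_COUNT = 4
BOOT_SIGNATURE = b"\x55\xaa"      # stored at offsets 510..511


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (LBA fields, CHS ignored)."""
    boot_flag, ptype = entry[0], entry[4]
    lba_start, sectors = struct.unpack_from("<II", entry, 8)
    return {"bootable": boot_flag == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Validate the signature and return boot-code hash plus used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(PARTITION_ENTRY_COUNT):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = sector[off:off + PARTITION_ENTRY_SIZE]
        if any(entry):                       # all-zero entry means unused
            partitions.append(parse_partition_entry(entry))
    boot_code = sector[:PARTITION_TABLE_OFFSET]
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": partitions}


def check_against_baseline(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector looks as expected."""
    findings = []
    info = parse_mbr(sector)
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    parts = info["partitions"]
    for i, a in enumerate(parts):
        for b in parts[i + 1:]:
            if (a["lba_start"] < b["lba_start"] + b["sectors"]
                    and b["lba_start"] < a["lba_start"] + a["sectors"]):
                findings.append("partition entries overlap")
    return findings


# --- constructed sample data (assumptions for the demo, not real disk content) ---
def build_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    flag = 0x80 if bootable else 0x00
    return bytes([flag, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba_start, sectors)


def build_sample_mbr(boot_code: bytes, entries: list) -> bytes:
    table = b"".join(entries) + b"\x00" * (PARTITION_ENTRY_SIZE * (PARTITION_ENTRY_COUNT - len(entries)))
    return boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET] + table + BOOT_SIGNATURE


CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 441          # placeholder bytes
SAMPLE_ENTRIES = [build_entry(True, 0x07, 2048, 1_000_000)]           # one NTFS-type entry
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, SAMPLE_ENTRIES)
BASELINE_HASH = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()           # taken from the clean system
TAMPERED_MBR = build_sample_mbr(b"\xeb\x00" + CLEAN_BOOT_CODE[2:], SAMPLE_ENTRIES)  # boot code patched

if __name__ == "__main__":
    print("clean   :", check_against_baseline(CLEAN_MBR, BASELINE_HASH))
    print("tampered:", check_against_baseline(TAMPERED_MBR, BASELINE_HASH))
```

To use this on a real machine, read sector 0 with raw device access (for example `/dev/sda` on Linux or `\\.\PhysicalDrive0` on Windows) while booted from a clean, write-protected medium, exactly as the article advises; reading it from the running, possibly infected system is what the stealth redirection described above is designed to defeat.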
An MBR virus will usually give an "Invalid Drive Specification"
error. A simple Boot Record sector virus will usually give you a
"General Failure Reading Drive C:" error. But be forewarned: these
errors could also indicate a bad sector 0 or 1 on the hard drive. If
this is the case the drive is DEAD for all but data keeping. It will
never be able to be a boot drive again, and in fact these types of
drives should be taken out of service altogether. It will most
likely continue to lose sectors as time goes on, and usually when
you least expect it. It's not worth the risk, trash can
So what do you do if you have an MBR
Use a clean startup disk (make sure the disk is write-protected
before you place it in a potentially infected machine!). This should
give you a clean boot to drive A:, from which you can then remove
the infection from the inactive drive C:. If you are in doubt about
the health of the startup disk, get a startup disk from a friend
with a clean system. Enter FDISK /MBR. This overwrites your infected
MBR and puts a clean MBR in place. Some clever viruses may place a
secondary interceptor into the bootstrap loader and re-infect the
system, so be vigilant when running the system after this repair.
(Note that some overlay software can act in this same infectious
way.) Do not boot from the C: drive to do the above. The virus is
sure to know what you are attempting and will foil your efforts to
eradicate it. The clean boot floppy method is best if you want to be
absolutely sure.
With Windows XP and 2003 you can rebuild the disk data structures by
booting from the installation CD and entering the repair console.
From the repair console there are two commands of interest, FIXMBR
and FIXBOOT. FIXMBR will rebuild the MBR, while FIXBOOT will rebuild
the Boot Sector. With Windows Vista you can have the repair console
attempt the repairs for you. We recommend that the disk in question
be the only disk installed when doing repairs with the
No luck in getting rid of the bug… Hope all your data is backed
up! You will need to high-level re-format your hard drive. Remember
that this will not create a new "primary Partition Table"; only
FDISK or the Windows disk management tool will do this, but
formatting will create a new "Boot Record" and new "File Allocation
Tables". The FAT is the hard drive's table of contents, and without
it the system does not know where to find the data on your hard
drive. Formatting does not actually erase the data contained in the
individual sectors.
In the worst case you might have to low-level format your drive.
You should do this only with the assistance of the hard drive
manufacturer. This will erase most of the data, but a clever user
could still recover data if they really wanted to. Your BIOS may
also have some hard disk utilities with a format option.
If you have Windows Vista/7/8 it is not uncommon to lose
communication with a disk after these types of repairs. In fact, if
the disk is connected via USB or FireWire it is more common. You
will also need a bootable DVD drive. We recommend always having a
bootable DVD handy for just such an occasion.