How to clean a virus from the hard drive

First, let me clear up a common misconception about what the MBR ("Master Boot Record") is. The term MBR is loosely used to describe the combination of the "Partition Table" and the "Boot Record" or "Boot Code". The primary Partition Table is used as a pointer to additional partition tables that might exist on the drive. This set of partition tables forms a chain, each maintaining a pointer to the next partition table, with a total of up to four partition tables on a drive. The primary partition table also has a pointer to the Boot Sector. The Boot Sector is a 512-byte sector (on NTFS) that contains information about the physical characteristics of the hard drive, i.e. cylinders, heads, sectors, drive ID, file system, and so on.

Viruses typically move the real MBR onto "slack space" sectors which are unused by your computer. Then the virus replaces the real MBR with its own version of the MBR where the real MBR belongs. This way the virus can manipulate the Boot Strap Loader as you start your system, and by doing so it can "stealth" itself from detection.

A virus in "stealth" mode may not be picked up by a normal anti-virus scan. The virus redirects the anti-virus scanner to the real MBR, which will scan as normal even though it's in the wrong place. Most viruses will also pre-empt all DOS file calls coming in. In other words, the virus "runs ahead" and disinfects the MBR or file before the anti-virus software can scan it, and when the MBR or file call is through, the virus re-infects the MBR or file.
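To make the layout described above concrete, here is an added Python example (not part of the original article) that splits a 512-byte MBR into its boot code, four-entry partition table and 0x55AA signature, and flags a boot-code region whose hash no longer matches one recorded while the system was clean. This is the kind of offline check that only makes sense when the sector is read from a clean boot medium, since a resident stealth virus would otherwise hand the scanner the relocated original. The sample sectors and the placeholder boot-code bytes are constructed for the example.

```python
import hashlib
import struct
from typing import List, NamedTuple

PART_TABLE_OFFSET = 446          # bytes 0..445 are boot code, 446..509 the partition table
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511

class PartitionEntry(NamedTuple):
    status: int     # 0x80 = active/bootable, 0x00 = inactive
    ptype: int      # partition type byte (0x07 NTFS, 0x05 extended, 0x00 unused)
    lba_start: int  # first sector (little-endian u32)
    sectors: int    # length in sectors (little-endian u32)

def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Return the four 16-byte partition entries; raise if the sector is not a valid MBR."""
    if len(sector) != 512 or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte sector with 0x55AA signature")
    # Each entry: status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped), LBA, count
    return [PartitionEntry(*struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i))
            for i in range(4)]

def check_mbr(sector: bytes, baseline_sha256: str) -> List[str]:
    """Compare the boot code to a hash recorded on a clean system and sanity-check the table."""
    findings = []
    entries = parse_mbr(sector)
    if hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    if sum(1 for e in entries if e.status == 0x80) != 1:
        findings.append("expected exactly one active partition")
    if any(e.status not in (0x00, 0x80) for e in entries):
        findings.append("invalid status byte in partition table")
    used = sorted((e for e in entries if e.ptype != 0), key=lambda e: e.lba_start)
    if any(a.lba_start + a.sectors > b.lba_start for a, b in zip(used, used[1:])):
        findings.append("overlapping partition entries")
    return findings

def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample sector: given boot code plus one active NTFS partition at LBA 2048."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return bootcode[:PART_TABLE_OFFSET].ljust(PART_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE

# Constructed placeholders, not real boot code: the point is only that the bytes differ.
CLEAN_MBR = build_sample_mbr(b"\xeb\x3c\x90CONSTRUCTED-CLEAN-BOOTCODE")
BASELINE = hashlib.sha256(CLEAN_MBR[:PART_TABLE_OFFSET]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90CONSTRUCTED-REPLACED-BOOTCODE")

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE))     # []
    print(check_mbr(TAMPERED_MBR, BASELINE))  # ['boot code differs from recorded baseline']
```

Because the partition table is left untouched in the tampered sample, the check reports only the boot-code mismatch, which mirrors why FDISK /MBR can rewrite the boot code without disturbing the partitions.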

An MBR virus will usually give an error "Invalid Drive Specification". A simple Boot Record sector virus will usually give you a "General Failure Reading Drive C:" error. But be forewarned: these errors could also indicate a bad sector 0 or 1 on the hard drive. If this is the case the drive is DEAD for all but data keeping. It will never be able to be a boot drive again, and in fact these types of drives should be taken out of service altogether. It will most likely continue to lose sectors as time goes on, and usually when you least expect it. It's not worth the risk; trash can it.

So what do you do if you have an MBR virus?

Use a clean startup disk (make sure the disk is write-protected before you place it in a potentially infected machine!). This should give you a clean boot to drive A:, from which you can remove the infection from the inactive drive C:. If you are in doubt about the health of the startup disk, get a startup disk from a friend with a clean system. Enter FDISK /MBR. This overwrites your infected MBR and puts a clean MBR in place. Some clever viruses may place a secondary interceptor into the boot strap loader and re-infect the system, so be vigilant when running the system after this repair. (Note that some overlay software can act in this same infectious way.) Do not boot from the C: drive to do the above. The virus software is sure to know what you are attempting and foil your efforts to eradicate it. The clean boot floppy method is best to be absolutely sure.

With Windows XP and 2003 you can rebuild the disk data structures by booting from the installation CD and entering the repair console. From the repair console there are two commands of interest, FIXMBR and FIXBOOT. FIXMBR will rebuild the MBR while FIXBOOT will rebuild the Boot Sector. With Windows Vista you can have the repair console attempt the repairs for you. We recommend that the disk in question be the only disk installed when doing repairs with the repair console.

No luck in getting rid of the bug? Hope all your data's backed up! You will need to high-level re-format your hard drive. Remember, this will not create a new "primary Partition Table"; only FDISK or the Windows disk management tool will do this, but formatting will create a new "Boot Record" and new "File Allocation Tables". The FAT is the hard drive's Table of Contents, and without it the system does not know where to find the data on your hard drive. Formatting does not actually erase the data contained in the individual sectors.

In the worst case you might have to low-level format your drive. You should do this only with the assistance of the hard drive manufacturer. This will erase most of the data, but a clever user could still recover data if they really wanted to. Your BIOS may also have some hard disk utilities with a format option.

If you have Windows Vista/7/8 it is not uncommon to lose communication with a disk after these types of repairs. In fact, if the disk is connected via USB or FireWire it is more common. You will also need a bootable DVD drive. We recommend always having a bootable DVD handy for just such an occasion.